7 Network Working Group D. Eastlake 3rd
8 Request for Comments: 4634 Motorola Labs
9 Updates: 3174 T. Hansen
10 Category: Informational AT&T Labs
14 US Secure Hash Algorithms (SHA and HMAC-SHA)
18 This memo provides information for the Internet community. It does
19 not specify an Internet standard of any kind. Distribution of this
24 Copyright (C) The Internet Society (2006).
28 The United States of America has adopted a suite of Secure Hash
29 Algorithms (SHAs), including four beyond SHA-1, as part of a Federal
30 Information Processing Standard (FIPS), specifically SHA-224 (RFC
31 3874), SHA-256, SHA-384, and SHA-512. The purpose of this document
32 is to make source code performing these hash functions conveniently
33 available to the Internet community. The sample code supports input
34 strings of arbitrary bit length. SHA-1's sample code from RFC 3174
35 has also been updated to handle input strings of arbitrary bit
36 length. Most of the text herein was adapted by the authors from FIPS
39 Code to perform SHA-based HMACs, with arbitrary bit length text, is
58 Eastlake 3rd & Hansen Informational [Page 1]
60 RFC 4634 SHAs and HMAC-SHAs July 2006
65 1. Overview of Contents ............................................3
66 1.1. License ....................................................4
67 2. Notation for Bit Strings and Integers ...........................4
68 3. Operations on Words .............................................5
69 4. Message Padding and Parsing .....................................6
70 4.1. SHA-224 and SHA-256 ........................................7
71 4.2. SHA-384 and SHA-512 ........................................8
72 5. Functions and Constants Used ....................................9
73 5.1. SHA-224 and SHA-256 ........................................9
74 5.2. SHA-384 and SHA-512 .......................................10
75 6. Computing the Message Digest ...................................11
76 6.1. SHA-224 and SHA-256 Initialization ........................11
77 6.2. SHA-224 and SHA-256 Processing ............................11
78 6.3. SHA-384 and SHA-512 Initialization ........................13
79 6.4. SHA-384 and SHA-512 Processing ............................14
80 7. SHA-Based HMACs ................................................15
81 8. C Code for SHAs ................................................15
82 8.1. The .h File ...............................................18
83 8.2. The SHA Code ..............................................24
84 8.2.1. sha1.c .............................................24
85 8.2.2. sha224-256.c .......................................33
86 8.2.3. sha384-512.c .......................................45
87 8.2.4. usha.c .............................................67
88 8.2.5. sha-private.h ......................................72
89 8.3. The HMAC Code .............................................73
90 8.4. The Test Driver ...........................................78
91 9. Security Considerations .......................................106
92 10. Normative References .........................................106
93 11. Informative References .......................................106
114 Eastlake 3rd & Hansen Informational [Page 2]
116 RFC 4634 SHAs and HMAC-SHAs July 2006
119 1. Overview of Contents
121 NOTE: Much of the text below is taken from [FIPS180-2] and assertions
122 therein of the security of the algorithms described are made by the
123 US Government, the author of [FIPS180-2], and not by the authors of
126 The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874],
127 SHA-256, SHA-384, and SHA-512, for computing a condensed
128 representation of a message or a data file. (SHA-1 is specified in
129 [RFC3174].) When a message of any length < 2^64 bits (for SHA-224
130 and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to
131 one of these algorithms, the result is an output called a message
132 digest. The message digests range in length from 224 to 512 bits,
133 depending on the algorithm. Secure hash algorithms are typically
134 used with other cryptographic algorithms, such as digital signature
135 algorithms and keyed hash authentication codes, or in the generation
136 of random numbers [RFC4086].
138 The four algorithms specified in this document are called secure
139 because it is computationally infeasible to (1) find a message that
140 corresponds to a given message digest, or (2) find two different
141 messages that produce the same message digest. Any change to a
142 message in transit will, with very high probability, result in a
143 different message digest. This will result in a verification failure
144 when the secure hash algorithm is used with a digital signature
145 algorithm or a keyed-hash message authentication algorithm.
147 The code provided herein supports input strings of arbitrary bit
148 length. SHA-1's sample code from [RFC3174] has also been updated to
149 handle input strings of arbitrary bit length. See Section 1.1 for
150 license information for this code.
152 Section 2 below defines the terminology and functions used as
153 building blocks to form these algorithms. Section 3 describes the
154 fundamental operations on words from which these algorithms are
155 built. Section 4 describes how messages are padded up to an integral
156 multiple of the required block size and then parsed into blocks.
157 Section 5 defines the constants and the composite functions used to
158 specify these algorithms. Section 6 gives the actual specification
159 for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7
160 provides pointers to the specification of HMAC keyed message
161 authentication codes based on the SHA algorithms. Section 8 gives
162 sample code for the SHA algorithms and Section 9 code for SHA-based
163 HMACs. The SHA-based HMACs will accept arbitrary bit length text.
170 Eastlake 3rd & Hansen Informational [Page 3]
172 RFC 4634 SHAs and HMAC-SHAs July 2006
177 Permission is granted for all uses, commercial and non-commercial, of
178 the sample code found in Section 8. Royalty free license to use,
179 copy, modify and distribute the software found in Section 8 is
180 granted, provided that this document is identified in all material
181 mentioning or referencing this software, and provided that
182 redistributed derivative works do not contain misleading author or
185 The authors make no representations concerning either the
186 merchantability of this software or the suitability of this software
187 for any particular purpose. It is provided "as is" without express
188 or implied warranty of any kind.
190 2. Notation for Bit Strings and Integers
192 The following terminology related to bit strings and integers will be
195 a. A hex digit is an element of the set {0, 1, ... , 9, A, ... ,
196 F}. A hex digit is the representation of a 4-bit string.
197 Examples: 7 = 0111, A = 1010.
199 b. A word equals a 32-bit or 64-bit string, which may be
200 represented as a sequence of 8 or 16 hex digits, respectively.
201 To convert a word to hex digits, each 4-bit string is converted
202 to its hex equivalent as described in (a) above. Example:
204 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23.
206 Throughout this document, the "big-endian" convention is used
207 when expressing both 32-bit and 64-bit words, so that within
208 each word the most significant bit is shown in the left-most bit
211 c. An integer may be represented as a word or pair of words.
213 An integer between 0 and 2^32 - 1 inclusive may be represented
214 as a 32-bit word. The least significant four bits of the
215 integer are represented by the right-most hex digit of the word
216 representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 =
217 256+32+2+1 is represented by the hex word 00000123.
219 The same holds true for an integer between 0 and 2^64-1
220 inclusive, which may be represented as a 64-bit word.
226 Eastlake 3rd & Hansen Informational [Page 4]
228 RFC 4634 SHAs and HMAC-SHAs July 2006
231 If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0
232 <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented
233 as words X and Y, respectively, z can be represented as the pair
236 d. block = 512-bit or 1024-bit string. A block (e.g., B) may be
237 represented as a sequence of 32-bit or 64-bit words.
239 3. Operations on Words
241 The following logical operators will be applied to words in all four
242 hash operations specified herein. SHA-224 and SHA-256 operate on
243 32-bit words, while SHA-384 and SHA-512 operate on 64-bit words.
245 In the operations below, x<<n is obtained as follows: discard the
246 left-most n bits of x and then pad the result with n zeroed bits on
247 the right (the result will still be the same number of bits).
249 a. Bitwise logical word operations
251 X AND Y = bitwise logical "and" of X and Y.
253 X OR Y = bitwise logical "inclusive-or" of X and Y.
255 X XOR Y = bitwise logical "exclusive-or" of X and Y.
257 NOT X = bitwise logical "complement" of X.
260 01101100101110011101001001111011
261 XOR 01100101110000010110100110110111
262 --------------------------------
263 = 00001001011110001011101111001100
265 b. The operation X + Y is defined as follows: words X and Y
266 represent w-bit integers x and y, where 0 <= x < 2^w and
267 0 <= y < 2^w. For positive integers n and m, let
271 be the remainder upon dividing n by m. Compute
275 Then 0 <= z < 2^w. Convert z to a word, Z, and define Z = X +
282 Eastlake 3rd & Hansen Informational [Page 5]
284 RFC 4634 SHAs and HMAC-SHAs July 2006
287 c. The right shift operation SHR^n(x), where x is a w-bit word and
288 n is an integer with 0 <= n < w, is defined by
292 d. The rotate right (circular right shift) operation ROTR^n(x),
293 where x is a w-bit word and n is an integer with 0 <= n < w, is
296 ROTR^n(x) = (x>>n) OR (x<<(w-n))
298 e. The rotate left (circular left shift) operation ROTL^n(x), where
299 x is a w-bit word and n is an integer with 0 <= n < w, is
302 ROTL^n(X) = (x<<n) OR (x>>w-n)
304 Note the following equivalence relationships, where w is fixed
305 in each relationship:
307 ROTL^n(x) = ROTR^(w-x)(x)
309 ROTR^n(x) = ROTL^(w-n)(x)
311 4. Message Padding and Parsing
313 The hash functions specified herein are used to compute a message
314 digest for a message or data file that is provided as input. The
315 message or data file should be considered to be a bit string. The
316 length of the message is the number of bits in the message (the empty
317 message has length 0). If the number of bits in a message is a
318 multiple of 8, for compactness we can represent the message in hex.
319 The purpose of message padding is to make the total length of a
320 padded message a multiple of 512 for SHA-224 and SHA-256 or a
321 multiple of 1024 for SHA-384 and SHA-512.
323 The following specifies how this padding shall be performed. As a
324 summary, a "1" followed by a number of "0"s followed by a 64-bit or
325 128-bit integer are appended to the end of the message to produce a
326 padded message of length 512*n or 1024*n. The minimum number of "0"s
327 necessary to meet this criterion is used. The appended integer is
328 the length of the original message. The padded message is then
329 processed by the hash function as n 512-bit or 1024-bit blocks.
338 Eastlake 3rd & Hansen Informational [Page 6]
340 RFC 4634 SHAs and HMAC-SHAs July 2006
343 4.1. SHA-224 and SHA-256
345 Suppose a message has length L < 2^64. Before it is input to the
346 hash function, the message is padded on the right as follows:
348 a. "1" is appended. Example: if the original message is
349 "01010000", this is padded to "010100001".
351 b. K "0"s are appended where K is the smallest, non-negative
352 solution to the equation
354 L + 1 + K = 448 (mod 512)
356 c. Then append the 64-bit block that is L in binary representation.
357 After appending this block, the length of the message will be a
358 multiple of 512 bits.
360 Example: Suppose the original message is the bit string
362 01100001 01100010 01100011 01100100 01100101
364 After step (a), this gives
366 01100001 01100010 01100011 01100100 01100101 1
368 Since L = 40, the number of bits in the above is 41 and K = 407
369 "0"s are appended, making the total now 448. This gives the
372 61626364 65800000 00000000 00000000
373 00000000 00000000 00000000 00000000
374 00000000 00000000 00000000 00000000
377 The 64-bit representation of L = 40 is hex 00000000 00000028.
378 Hence the final padded message is the following hex:
380 61626364 65800000 00000000 00000000
381 00000000 00000000 00000000 00000000
382 00000000 00000000 00000000 00000000
383 00000000 00000000 00000000 00000028
394 Eastlake 3rd & Hansen Informational [Page 7]
396 RFC 4634 SHAs and HMAC-SHAs July 2006
399 4.2. SHA-384 and SHA-512
401 Suppose a message has length L < 2^128. Before it is input to the
402 hash function, the message is padded on the right as follows:
404 a. "1" is appended. Example: if the original message is
405 "01010000", this is padded to "010100001".
407 b. K "0"s are appended where K is the smallest, non-negative
408 solution to the equation
410 L + 1 + K = 896 (mod 1024)
412 c. Then append the 128-bit block that is L in binary
413 representation. After appending this block, the length of the
414 message will be a multiple of 1024 bits.
416 Example: Suppose the original message is the bit string
418 01100001 01100010 01100011 01100100 01100101
420 After step (a) this gives
422 01100001 01100010 01100011 01100100 01100101 1
424 Since L = 40, the number of bits in the above is 41 and K = 855
425 "0"s are appended, making the total now 896. This gives the
428 61626364 65800000 00000000 00000000
429 00000000 00000000 00000000 00000000
430 00000000 00000000 00000000 00000000
431 00000000 00000000 00000000 00000000
432 00000000 00000000 00000000 00000000
433 00000000 00000000 00000000 00000000
434 00000000 00000000 00000000 00000000
436 The 128-bit representation of L = 40 is hex 00000000 00000000
437 00000000 00000028. Hence the final padded message is the
440 61626364 65800000 00000000 00000000
441 00000000 00000000 00000000 00000000
442 00000000 00000000 00000000 00000000
443 00000000 00000000 00000000 00000000
444 00000000 00000000 00000000 00000000
450 Eastlake 3rd & Hansen Informational [Page 8]
452 RFC 4634 SHAs and HMAC-SHAs July 2006
455 00000000 00000000 00000000 00000000
456 00000000 00000000 00000000 00000000
457 00000000 00000000 00000000 00000028
459 5. Functions and Constants Used
461 The following subsections give the six logical functions and the
462 table of constants used in each of the hash functions.
464 5.1. SHA-224 and SHA-256
466 SHA-224 and SHA-256 use six logical functions, where each function
467 operates on 32-bit words, which are represented as x, y, and z. The
468 result of each function is a new 32-bit word.
470 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z)
472 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
474 BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x)
476 BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x)
478 SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x)
480 SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x)
482 SHA-224 and SHA-256 use the same sequence of sixty-four constant
483 32-bit words, K0, K1, ..., K63. These words represent the first
484 thirty-two bits of the fractional parts of the cube roots of the
485 first sixty-four prime numbers. In hex, these constant words are as
486 follows (from left to right):
488 428a2f98 71374491 b5c0fbcf e9b5dba5
489 3956c25b 59f111f1 923f82a4 ab1c5ed5
490 d807aa98 12835b01 243185be 550c7dc3
491 72be5d74 80deb1fe 9bdc06a7 c19bf174
492 e49b69c1 efbe4786 0fc19dc6 240ca1cc
493 2de92c6f 4a7484aa 5cb0a9dc 76f988da
494 983e5152 a831c66d b00327c8 bf597fc7
495 c6e00bf3 d5a79147 06ca6351 14292967
496 27b70a85 2e1b2138 4d2c6dfc 53380d13
497 650a7354 766a0abb 81c2c92e 92722c85
498 a2bfe8a1 a81a664b c24b8b70 c76c51a3
499 d192e819 d6990624 f40e3585 106aa070
500 19a4c116 1e376c08 2748774c 34b0bcb5
506 Eastlake 3rd & Hansen Informational [Page 9]
508 RFC 4634 SHAs and HMAC-SHAs July 2006
511 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
512 748f82ee 78a5636f 84c87814 8cc70208
513 90befffa a4506ceb bef9a3f7 c67178f2
515 5.2. SHA-384 and SHA-512
517 SHA-384 and SHA-512 each use six logical functions, where each
518 function operates on 64-bit words, which are represented as x, y, and
519 z. The result of each function is a new 64-bit word.
521 CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z)
523 MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
525 BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x)
527 BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x)
529 SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x)
531 SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x)
533 SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit
534 words, K0, K1, ... K79. These words represent the first sixty-four
535 bits of the fractional parts of the cube roots of the first eighty
536 prime numbers. In hex, these constant words are as follows (from
539 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc
540 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118
541 d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2
542 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694
543 e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65
544 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5
545 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4
546 c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70
547 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df
548 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b
549 a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30
550 d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8
551 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8
552 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3
553 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec
554 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b
555 ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178
556 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b
557 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c
558 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817
562 Eastlake 3rd & Hansen Informational [Page 10]
564 RFC 4634 SHAs and HMAC-SHAs July 2006
567 6. Computing the Message Digest
569 The output of each of the secure hash functions, after being applied
570 to a message of N blocks, is the hash quantity H(N). For SHA-224 and
571 SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0,
572 H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to
573 be eight 64-bit words, H(i)0, H(i)1, ..., H(i)7.
575 As described below, the hash words are initialized, modified as each
576 message block is processed, and finally concatenated after processing
577 the last block to yield the output. For SHA-256 and SHA-512, all of
578 the H(N) variables are concatenated while the SHA-224 and SHA-384
579 hashes are produced by omitting some from the final concatenation.
581 6.1. SHA-224 and SHA-256 Initialization
583 For SHA-224, the initial hash value, H(0), consists of the following
595 For SHA-256, the initial hash value, H(0), consists of the following
596 eight 32-bit words, in hex. These words were obtained by taking the
597 first thirty-two bits of the fractional parts of the square roots of
598 the first eight prime numbers.
609 6.2. SHA-224 and SHA-256 Processing
611 SHA-224 and SHA-256 perform identical processing on messages blocks
612 and differ only in how H(0) is initialized and how they produce their
613 final output. They may be used to hash a message, M, having a length
614 of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message
618 Eastlake 3rd & Hansen Informational [Page 11]
620 RFC 4634 SHAs and HMAC-SHAs July 2006
623 schedule of sixty-four 32-bit words, (2) eight working variables of
624 32 bits each, and (3) a hash value of eight 32-bit words.
626 The words of the message schedule are labeled W0, W1, ..., W63. The
627 eight working variables are labeled a, b, c, d, e, f, g, and h. The
628 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which
629 will hold the initial hash value, H(0), replaced by each successive
630 intermediate hash value (after each message block is processed),
631 H(i), and ending with the final hash value, H(N), after all N blocks
632 are processed. They also use two temporary words, T1 and T2.
634 The input message is padded as described in Section 4.1 above then
635 parsed into 512-bit blocks, which are considered to be composed of 16
636 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations
637 are then performed for each of the N message blocks. All addition is
638 performed modulo 2^32.
642 1. Prepare the message schedule W:
646 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16)
648 2. Initialize the working variables:
658 3. Perform the main hash computation:
660 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt
661 T2 = BSIG0(a) + MAJ(a,b,c)
674 Eastlake 3rd & Hansen Informational [Page 12]
676 RFC 4634 SHAs and HMAC-SHAs July 2006
679 4. Compute the intermediate hash value H(i):
689 After the above computations have been sequentially performed for all
690 of the blocks in the message, the final output is calculated. For
691 SHA-256, this is the concatenation of all of H(N)0, H(N)1, through
692 H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1,
695 6.3. SHA-384 and SHA-512 Initialization
697 For SHA-384, the initial hash value, H(0), consists of the following
698 eight 64-bit words, in hex. These words were obtained by taking the
699 first sixty-four bits of the fractional parts of the square roots of
700 the ninth through sixteenth prime numbers.
702 H(0)0 = cbbb9d5dc1059ed8
703 H(0)1 = 629a292a367cd507
704 H(0)2 = 9159015a3070dd17
705 H(0)3 = 152fecd8f70e5939
706 H(0)4 = 67332667ffc00b31
707 H(0)5 = 8eb44a8768581511
708 H(0)6 = db0c2e0d64f98fa7
709 H(0)7 = 47b5481dbefa4fa4
711 For SHA-512, the initial hash value, H(0), consists of the following
712 eight 64-bit words, in hex. These words were obtained by taking the
713 first sixty-four bits of the fractional parts of the square roots of
714 the first eight prime numbers.
716 H(0)0 = 6a09e667f3bcc908
717 H(0)1 = bb67ae8584caa73b
718 H(0)2 = 3c6ef372fe94f82b
719 H(0)3 = a54ff53a5f1d36f1
720 H(0)4 = 510e527fade682d1
721 H(0)5 = 9b05688c2b3e6c1f
722 H(0)6 = 1f83d9abfb41bd6b
723 H(0)7 = 5be0cd19137e2179
730 Eastlake 3rd & Hansen Informational [Page 13]
732 RFC 4634 SHAs and HMAC-SHAs July 2006
735 6.4. SHA-384 and SHA-512 Processing
737 SHA-384 and SHA-512 perform identical processing on message blocks
738 and differ only in how H(0) is initialized and how they produce their
739 final output. They may be used to hash a message, M, having a length
740 of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message
741 schedule of eighty 64-bit words, (2) eight working variables of 64
742 bits each, and (3) a hash value of eight 64-bit words.
744 The words of the message schedule are labeled W0, W1, ..., W79. The
745 eight working variables are labeled a, b, c, d, e, f, g, and h. The
746 words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which
747 will hold the initial hash value, H(0), replaced by each successive
748 intermediate hash value (after each message block is processed),
749 H(i), and ending with the final hash value, H(N) after all N blocks
752 The input message is padded as described in Section 4.2 above, then
753 parsed into 1024-bit blocks, which are considered to be composed of
754 16 64-bit words M(i)0, M(i)1, ..., M(i)15. The following
755 computations are then performed for each of the N message blocks.
756 All addition is performed modulo 2^64.
760 1. Prepare the message schedule W:
764 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16)
766 2. Initialize the working variables:
776 3. Perform the main hash computation:
778 T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt
779 T2 = BSIG0(a) + MAJ(a,b,c)
786 Eastlake 3rd & Hansen Informational [Page 14]
788 RFC 4634 SHAs and HMAC-SHAs July 2006
797 4. Compute the intermediate hash value H(i):
807 After the above computations have been sequentially performed for all
808 of the blocks in the message, the final output is calculated. For
809 SHA-512, this is the concatenation of all of H(N)0, H(N)1, through
810 H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1,
815 HMAC is a method for computing a keyed MAC (message authentication
816 code) using a hash function as described in [RFC2104]. It uses a key
817 to mix in with the input text to produce the final hash.
819 Sample code is also provided, in Section 8.3 below, to perform HMAC
820 based on any of the SHA algorithms described herein. The sample code
821 found in [RFC2104] was written in terms of a specified text size.
822 Since SHA is defined in terms of an arbitrary number of bits, the
823 sample HMAC code has been written to allow the text input to HMAC to
824 have an arbitrary number of octets and bits. A fixed-length
825 interface is also provided.
829 Below is a demonstration implementation of these secure hash
830 functions in C. Section 8.1 contains the header file sha.h, which
831 declares all constants, structures, and functions used by the sha and
832 hmac functions. Section 8.2 contains the C code for sha1.c,
833 sha224-256.c, sha384-512.c, and usha.c along with sha-private.h,
834 which provides some declarations common to all the sha functions.
835 Section 8.3 contains the C code for the hmac functions. Section 8.4
836 contains a test driver to exercise the code.
842 Eastlake 3rd & Hansen Informational [Page 15]
844 RFC 4634 SHAs and HMAC-SHAs July 2006
847 For each of the digest length $$$, there is the following set of
848 constants, a structure, and functions:
851 SHA$$$HashSize number of octets in the hash
852 SHA$$$HashSizeBits number of bits in the hash
853 SHA$$$_Message_Block_Size
854 number of octets used in the intermediate
856 shaSuccess = 0 constant returned by each function on success
857 shaNull = 1 constant returned by each function when
858 presented with a null pointer parameter
859 shaInputTooLong = 2 constant returned by each function when the
860 input data is too long
861 shaStateError constant returned by each function when
862 SHA$$$Input is called after SHA$$$FinalBits or
866 typedef SHA$$$Context
867 an opaque structure holding the complete state
868 for producing the hash
871 int SHA$$$Reset(SHA$$$Context *);
872 Reset the hash context state
873 int SHA$$$Input(SHA$$$Context *, const uint8_t *octets,
874 unsigned int bytecount);
875 Incorporate bytecount octets into the hash.
876 int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet,
877 unsigned int bitcount);
878 Incorporate bitcount bits into the hash. The bits are in
879 the upper portion of the octet. SHA$$$Input() cannot be
881 int SHA$$$Result(SHA$$$Context *,
882 uint8_t Message_Digest[SHA$$$HashSize]);
883 Do the final calculations on the hash and copy the value
886 In addition, functions with the prefix USHA are provided that take a
887 SHAversion value (SHA$$$) to select the SHA function suite. They add
888 the following constants, structure, and functions:
891 shaBadParam constant returned by USHA functions when
892 presented with a bad SHAversion (SHA$$$)
898 Eastlake 3rd & Hansen Informational [Page 16]
900 RFC 4634 SHAs and HMAC-SHAs July 2006
903 SHA$$$ SHAversion enumeration values, used by usha
904 and hmac functions to select the SHA function
909 an opaque structure holding the complete state
910 for producing the hash
913 int USHAReset(USHAContext *, SHAversion whichSha);
914 Reset the hash context state.
915 int USHAInput(USHAContext *,
916 const uint8_t *bytes, unsigned int bytecount);
917 Incorporate bytecount octets into the hash.
918 int USHAFinalBits(USHAContext *,
919 const uint8_t bits, unsigned int bitcount);
920 Incorporate bitcount bits into the hash.
921 int USHAResult(USHAContext *,
922 uint8_t Message_Digest[USHAMaxHashSize]);
923 Do the final calculations on the hash and copy the value
924 into Message_Digest. Octets in Message_Digest beyond
925 USHAHashSize(whichSha) are left untouched.
926 int USHAHashSize(enum SHAversion whichSha);
927 The number of octets in the given hash.
928 int USHAHashSizeBits(enum SHAversion whichSha);
929 The number of bits in the given hash.
930 int USHABlockSize(enum SHAversion whichSha);
931 The internal block size for the given hash.
933 The hmac functions follow the same pattern to allow any length of
934 text input to be used.
937 typedef HMACContext an opaque structure holding the complete state
938 for producing the hash
941 int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
942 const unsigned char *key, int key_len);
943 Reset the hash context state.
944 int hmacInput(HMACContext *ctx, const unsigned char *text,
946 Incorporate text_len octets into the hash.
947 int hmacFinalBits(HMACContext *ctx, const uint8_t bits,
948 unsigned int bitcount);
949 Incorporate bitcount bits into the hash.
954 Eastlake 3rd & Hansen Informational [Page 17]
956 RFC 4634 SHAs and HMAC-SHAs July 2006
959 int hmacResult(HMACContext *ctx,
960 uint8_t Message_Digest[USHAMaxHashSize]);
961 Do the final calculations on the hash and copy the value
962 into Message_Digest. Octets in Message_Digest beyond
963 USHAHashSize(whichSha) are left untouched.
965 In addition, a combined interface is provided, similar to that shown
966 in RFC 2104, that allows a fixed-length text input to be used.
968 int hmac(SHAversion whichSha,
969 const unsigned char *text, int text_len,
970 const unsigned char *key, int key_len,
971 uint8_t Message_Digest[USHAMaxHashSize]);
972 Calculate the given digest for the given text and key, and
973 return the resulting hash. Octets in Message_Digest beyond
974 USHAHashSize(whichSha) are left untouched.
978 /**************************** sha.h ****************************/
979 /******************* See RFC 4634 for details ******************/
985 * This file implements the Secure Hash Signature Standard
986 * algorithms as defined in the National Institute of Standards
987 * and Technology Federal Information Processing Standards
988 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
989 * published on August 1, 2002, and the FIPS PUB 180-2 Change
990 * Notice published on February 28, 2004.
992 * A combined document showing all algorithms is available at
993 * http://csrc.nist.gov/publications/fips/
994 * fips180-2/fips180-2withchangenotice.pdf
996 * The five hashes are defined in these sizes:
997 * SHA-1 20 byte / 160 bit
998 * SHA-224 28 byte / 224 bit
999 * SHA-256 32 byte / 256 bit
1000 * SHA-384 48 byte / 384 bit
1001 * SHA-512 64 byte / 512 bit
1006 * If you do not have the ISO standard stdint.h header file, then you
1010 Eastlake 3rd & Hansen Informational [Page 18]
1012 RFC 4634 SHAs and HMAC-SHAs July 2006
1015 * must typedef the following:
1017 * uint64_t unsigned 64 bit integer
1018 * uint32_t unsigned 32 bit integer
1019 * uint8_t unsigned 8 bit integer (i.e., unsigned char)
1020 * int_least16_t integer of >= 16 bits
1027 * All SHA functions return one of these values.
1031 shaNull, /* Null pointer parameter */
1032 shaInputTooLong, /* input data too long */
1033 shaStateError, /* called Input after FinalBits or Result */
1034 shaBadParam /* passed a bad parameter */
1036 #endif /* _SHA_enum_ */
1039 * These constants hold size information for each of the SHA
1040 * hashing operations
1043 SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64,
1044 SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128,
1045 SHA512_Message_Block_Size = 128,
1046 USHA_Max_Message_Block_Size = SHA512_Message_Block_Size,
1048 SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32,
1049 SHA384HashSize = 48, SHA512HashSize = 64,
1050 USHAMaxHashSize = SHA512HashSize,
1052 SHA1HashSizeBits = 160, SHA224HashSizeBits = 224,
1053 SHA256HashSizeBits = 256, SHA384HashSizeBits = 384,
1054 SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits
1058 * These constants are used in the USHA (unified sha) functions.
1060 typedef enum SHAversion {
1061 SHA1, SHA224, SHA256, SHA384, SHA512
1066 Eastlake 3rd & Hansen Informational [Page 19]
1068 RFC 4634 SHAs and HMAC-SHAs July 2006
1072 * This structure will hold context information for the SHA-1
1073 * hashing operation.
1075 typedef struct SHA1Context {
1076 uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */
1078 uint32_t Length_Low; /* Message length in bits */
1079 uint32_t Length_High; /* Message length in bits */
1081 int_least16_t Message_Block_Index; /* Message_Block array index */
1082 /* 512-bit message blocks */
1083 uint8_t Message_Block[SHA1_Message_Block_Size];
1085 int Computed; /* Is the digest computed? */
1086 int Corrupted; /* Is the digest corrupted? */
1090 * This structure will hold context information for the SHA-256
1091 * hashing operation.
1093 typedef struct SHA256Context {
1094 uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */
1096 uint32_t Length_Low; /* Message length in bits */
1097 uint32_t Length_High; /* Message length in bits */
1099 int_least16_t Message_Block_Index; /* Message_Block array index */
1100 /* 512-bit message blocks */
1101 uint8_t Message_Block[SHA256_Message_Block_Size];
1103 int Computed; /* Is the digest computed? */
1104 int Corrupted; /* Is the digest corrupted? */
1108 * This structure will hold context information for the SHA-512
1109 * hashing operation.
1111 typedef struct SHA512Context {
1112 #ifdef USE_32BIT_ONLY
1113 uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */
1114 uint32_t Length[4]; /* Message length in bits */
1115 #else /* !USE_32BIT_ONLY */
1116 uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */
1117 uint64_t Length_Low, Length_High; /* Message length in bits */
1118 #endif /* USE_32BIT_ONLY */
1122 Eastlake 3rd & Hansen Informational [Page 20]
1124 RFC 4634 SHAs and HMAC-SHAs July 2006
1127 int_least16_t Message_Block_Index; /* Message_Block array index */
1128 /* 1024-bit message blocks */
1129 uint8_t Message_Block[SHA512_Message_Block_Size];
1131 int Computed; /* Is the digest computed?*/
1132 int Corrupted; /* Is the digest corrupted? */
1136 * This structure will hold context information for the SHA-224
1137 * hashing operation. It uses the SHA-256 structure for computation.
1139 typedef struct SHA256Context SHA224Context;
1142 * This structure will hold context information for the SHA-384
1143 * hashing operation. It uses the SHA-512 structure for computation.
1145 typedef struct SHA512Context SHA384Context;
1148 * This structure holds context information for all SHA
1149 * hashing operations.
1151 typedef struct USHAContext {
1152 int whichSha; /* which SHA is being used */
1154 SHA1Context sha1Context;
1155 SHA224Context sha224Context; SHA256Context sha256Context;
1156 SHA384Context sha384Context; SHA512Context sha512Context;
1161 * This structure will hold context information for the HMAC
1162 * keyed hashing operation.
1164 typedef struct HMACContext {
1165 int whichSha; /* which SHA is being used */
1166 int hashSize; /* hash size of SHA being used */
1167 int blockSize; /* block size of SHA being used */
1168 USHAContext shaContext; /* SHA context */
1169 unsigned char k_opad[USHA_Max_Message_Block_Size];
1170 /* outer padding - key XORd with opad */
1178 Eastlake 3rd & Hansen Informational [Page 21]
1180 RFC 4634 SHAs and HMAC-SHAs July 2006
1184 * Function Prototypes
1188 extern int SHA1Reset(SHA1Context *);
1189 extern int SHA1Input(SHA1Context *, const uint8_t *bytes,
1190 unsigned int bytecount);
1191 extern int SHA1FinalBits(SHA1Context *, const uint8_t bits,
1192 unsigned int bitcount);
1193 extern int SHA1Result(SHA1Context *,
1194 uint8_t Message_Digest[SHA1HashSize]);
1197 extern int SHA224Reset(SHA224Context *);
1198 extern int SHA224Input(SHA224Context *, const uint8_t *bytes,
1199 unsigned int bytecount);
1200 extern int SHA224FinalBits(SHA224Context *, const uint8_t bits,
1201 unsigned int bitcount);
1202 extern int SHA224Result(SHA224Context *,
1203 uint8_t Message_Digest[SHA224HashSize]);
1206 extern int SHA256Reset(SHA256Context *);
1207 extern int SHA256Input(SHA256Context *, const uint8_t *bytes,
1208 unsigned int bytecount);
1209 extern int SHA256FinalBits(SHA256Context *, const uint8_t bits,
1210 unsigned int bitcount);
1211 extern int SHA256Result(SHA256Context *,
1212 uint8_t Message_Digest[SHA256HashSize]);
1215 extern int SHA384Reset(SHA384Context *);
1216 extern int SHA384Input(SHA384Context *, const uint8_t *bytes,
1217 unsigned int bytecount);
1218 extern int SHA384FinalBits(SHA384Context *, const uint8_t bits,
1219 unsigned int bitcount);
1220 extern int SHA384Result(SHA384Context *,
1221 uint8_t Message_Digest[SHA384HashSize]);
1224 extern int SHA512Reset(SHA512Context *);
1225 extern int SHA512Input(SHA512Context *, const uint8_t *bytes,
1226 unsigned int bytecount);
1227 extern int SHA512FinalBits(SHA512Context *, const uint8_t bits,
1228 unsigned int bitcount);
1229 extern int SHA512Result(SHA512Context *,
1230 uint8_t Message_Digest[SHA512HashSize]);
1234 Eastlake 3rd & Hansen Informational [Page 22]
1236 RFC 4634 SHAs and HMAC-SHAs July 2006
1239 /* Unified SHA functions, chosen by whichSha */
1240 extern int USHAReset(USHAContext *, SHAversion whichSha);
1241 extern int USHAInput(USHAContext *,
1242 const uint8_t *bytes, unsigned int bytecount);
1243 extern int USHAFinalBits(USHAContext *,
1244 const uint8_t bits, unsigned int bitcount);
1245 extern int USHAResult(USHAContext *,
1246 uint8_t Message_Digest[USHAMaxHashSize]);
1247 extern int USHABlockSize(enum SHAversion whichSha);
1248 extern int USHAHashSize(enum SHAversion whichSha);
1249 extern int USHAHashSizeBits(enum SHAversion whichSha);
1252 * HMAC Keyed-Hashing for Message Authentication, RFC2104,
1254 * This interface allows a fixed-length text input to be used.
1256 extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */
1257 const unsigned char *text, /* pointer to data stream */
1258 int text_len, /* length of data stream */
1259 const unsigned char *key, /* pointer to authentication key */
1260 int key_len, /* length of authentication key */
1261 uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */
1264 * HMAC Keyed-Hashing for Message Authentication, RFC2104,
1266 * This interface allows any length of text input to be used.
1268 extern int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
1269 const unsigned char *key, int key_len);
1270 extern int hmacInput(HMACContext *ctx, const unsigned char *text,
1273 extern int hmacFinalBits(HMACContext *ctx, const uint8_t bits,
1274 unsigned int bitcount);
1275 extern int hmacResult(HMACContext *ctx,
1276 uint8_t digest[USHAMaxHashSize]);
1278 #endif /* _SHA_H_ */
1290 Eastlake 3rd & Hansen Informational [Page 23]
1292 RFC 4634 SHAs and HMAC-SHAs July 2006
1297 This code is primarily intended as expository and could be optimized
1298 further. For example, the assignment rotations through the variables
1299 a, b, ..., h could be treated as a cycle and the loop unrolled,
1300 rather than doing the explicit copying.
1302 Note that there are alternative representations of the Ch() and Maj()
1303 functions controlled by an ifdef.
1307 /**************************** sha1.c ****************************/
1308 /******************** See RFC 4634 for details ******************/
1311 * This file implements the Secure Hash Signature Standard
1312 * algorithms as defined in the National Institute of Standards
1313 * and Technology Federal Information Processing Standards
1314 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
1315 * published on August 1, 2002, and the FIPS PUB 180-2 Change
1316 * Notice published on February 28, 2004.
1318 * A combined document showing all algorithms is available at
1319 * http://csrc.nist.gov/publications/fips/
1320 * fips180-2/fips180-2withchangenotice.pdf
1322 * The SHA-1 algorithm produces a 160-bit message digest for a
1323 * given data stream. It should take about 2**n steps to find a
1324 * message with the same digest as a given message and
1325 * 2**(n/2) to find any two messages with the same digest,
1326 * when n is the digest size in bits. Therefore, this
1327 * algorithm can serve as a means of providing a
1328 * "fingerprint" for a message.
1330 * Portability Issues:
1331 * SHA-1 is defined in terms of 32-bit "words". This code
1332 * uses <stdint.h> (included via "sha.h") to define 32 and 8
1333 * bit unsigned integer types. If your C compiler does not
1334 * support 32 bit unsigned integers, this code is not
1338 * SHA-1 is designed to work with messages less than 2^64 bits
1339 * long. This implementation uses SHA1Input() to hash the bits
1340 * that are a multiple of the size of an 8-bit character, and then
1341 * uses SHA1FinalBits() to hash the final few bits of the input.
1346 Eastlake 3rd & Hansen Informational [Page 24]
1348 RFC 4634 SHAs and HMAC-SHAs July 2006
1352 #include "sha-private.h"
1355 * Define the SHA1 circular left shift macro
1357 #define SHA1_ROTL(bits,word) \
1358 (((word) << (bits)) | ((word) >> (32-(bits))))
1361 * add "length" to the length
1363 static uint32_t addTemp;
1364 #define SHA1AddLength(context, length) \
1365 (addTemp = (context)->Length_Low, \
1366 (context)->Corrupted = \
1367 (((context)->Length_Low += (length)) < addTemp) && \
1368 (++(context)->Length_High == 0) ? 1 : 0)
1370 /* Local Function Prototypes */
1371 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte);
1372 static void SHA1PadMessage(SHA1Context *, uint8_t Pad_Byte);
1373 static void SHA1ProcessMessageBlock(SHA1Context *);
1379 * This function will initialize the SHA1Context in preparation
1380 * for computing a new SHA1 message digest.
1384 * The context to reset.
1390 int SHA1Reset(SHA1Context *context)
1395 context->Length_Low = 0;
1396 context->Length_High = 0;
1397 context->Message_Block_Index = 0;
1402 Eastlake 3rd & Hansen Informational [Page 25]
1404 RFC 4634 SHAs and HMAC-SHAs July 2006
1407 /* Initial Hash Values: FIPS-180-2 section 5.3.1 */
1408 context->Intermediate_Hash[0] = 0x67452301;
1409 context->Intermediate_Hash[1] = 0xEFCDAB89;
1410 context->Intermediate_Hash[2] = 0x98BADCFE;
1411 context->Intermediate_Hash[3] = 0x10325476;
1412 context->Intermediate_Hash[4] = 0xC3D2E1F0;
1414 context->Computed = 0;
1415 context->Corrupted = 0;
1424 * This function accepts an array of octets as the next portion
1429 * The SHA context to update
1430 * message_array: [in]
1431 * An array of characters representing the next portion of
1434 * The length of the message in message_array
1440 int SHA1Input(SHA1Context *context,
1441 const uint8_t *message_array, unsigned length)
1446 if (!context || !message_array)
1449 if (context->Computed) {
1450 context->Corrupted = shaStateError;
1451 return shaStateError;
1454 if (context->Corrupted)
1458 Eastlake 3rd & Hansen Informational [Page 26]
1460 RFC 4634 SHAs and HMAC-SHAs July 2006
1463 return context->Corrupted;
1465 while (length-- && !context->Corrupted) {
1466 context->Message_Block[context->Message_Block_Index++] =
1467 (*message_array & 0xFF);
1469 if (!SHA1AddLength(context, 8) &&
1470 (context->Message_Block_Index == SHA1_Message_Block_Size))
1471 SHA1ProcessMessageBlock(context);
1483 * This function will add in any final bits of the message.
1487 * The SHA context to update
1488 * message_bits: [in]
1489 * The final bits of the message, in the upper portion of the
1490 * byte. (Use 0b###00000 instead of 0b00000### to input the
1493 * The number of bits in message_bits, between 1 and 7.
1498 int SHA1FinalBits(SHA1Context *context, const uint8_t message_bits,
1499 unsigned int length)
1501 uint8_t masks[8] = {
1502 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
1503 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
1504 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
1505 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
1507 uint8_t markbit[8] = {
1508 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
1509 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
1510 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
1514 Eastlake 3rd & Hansen Informational [Page 27]
1516 RFC 4634 SHAs and HMAC-SHAs July 2006
1519 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
1528 if (context->Computed || (length >= 8) || (length == 0)) {
1529 context->Corrupted = shaStateError;
1530 return shaStateError;
1533 if (context->Corrupted)
1534 return context->Corrupted;
1536 SHA1AddLength(context, length);
1537 SHA1Finalize(context,
1538 (uint8_t) ((message_bits & masks[length]) | markbit[length]));
1547 * This function will return the 160-bit message digest into the
1548 * Message_Digest array provided by the caller.
1549 * NOTE: The first octet of hash is stored in the 0th element,
1550 * the last octet of hash in the 19th element.
1554 * The context to use to calculate the SHA-1 hash.
1555 * Message_Digest: [out]
1556 * Where the digest is returned.
1562 int SHA1Result(SHA1Context *context,
1563 uint8_t Message_Digest[SHA1HashSize])
1570 Eastlake 3rd & Hansen Informational [Page 28]
1572 RFC 4634 SHAs and HMAC-SHAs July 2006
1575 if (!context || !Message_Digest)
1578 if (context->Corrupted)
1579 return context->Corrupted;
1581 if (!context->Computed)
1582 SHA1Finalize(context, 0x80);
1584 for (i = 0; i < SHA1HashSize; ++i)
1585 Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2]
1586 >> 8 * ( 3 - ( i & 0x03 ) ));
1595 * This helper function finishes off the digest calculations.
1599 * The SHA context to update
1601 * The last byte to add to the digest before the 0-padding
1602 * and length. This will contain the last bits of the message
1603 * followed by another single bit. If the message was an
1604 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
1610 static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte)
1613 SHA1PadMessage(context, Pad_Byte);
1614 /* message may be sensitive, clear it out */
1615 for (i = 0; i < SHA1_Message_Block_Size; ++i)
1616 context->Message_Block[i] = 0;
1617 context->Length_Low = 0; /* and clear length */
1618 context->Length_High = 0;
1619 context->Computed = 1;
1626 Eastlake 3rd & Hansen Informational [Page 29]
1628 RFC 4634 SHAs and HMAC-SHAs July 2006
1634 * According to the standard, the message must be padded to an
1635 * even 512 bits. The first padding bit must be a '1'. The last
1636 * 64 bits represent the length of the original message. All bits
1637 * in between should be 0. This helper function will pad the
1638 * message according to those rules by filling the Message_Block
1639 * array accordingly. When it returns, it can be assumed that the
1640 * message digest has been computed.
1644 * The context to pad
1646 * The last byte to add to the digest before the 0-padding
1647 * and length. This will contain the last bits of the message
1648 * followed by another single bit. If the message was an
1649 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
1654 static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte)
1657 * Check to see if the current message block is too small to hold
1658 * the initial padding bits and length. If so, we will pad the
1659 * block, process it, and then continue padding into a second
1662 if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) {
1663 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
1664 while (context->Message_Block_Index < SHA1_Message_Block_Size)
1665 context->Message_Block[context->Message_Block_Index++] = 0;
1667 SHA1ProcessMessageBlock(context);
1669 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
1671 while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8))
1672 context->Message_Block[context->Message_Block_Index++] = 0;
1675 * Store the message length as the last 8 octets
1677 context->Message_Block[56] = (uint8_t) (context->Length_High >> 24);
1678 context->Message_Block[57] = (uint8_t) (context->Length_High >> 16);
1682 Eastlake 3rd & Hansen Informational [Page 30]
1684 RFC 4634 SHAs and HMAC-SHAs July 2006
1687 context->Message_Block[58] = (uint8_t) (context->Length_High >> 8);
1688 context->Message_Block[59] = (uint8_t) (context->Length_High);
1689 context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24);
1690 context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16);
1691 context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8);
1692 context->Message_Block[63] = (uint8_t) (context->Length_Low);
1694 SHA1ProcessMessageBlock(context);
1698 * SHA1ProcessMessageBlock
1701 * This helper function will process the next 512 bits of the
1702 * message stored in the Message_Block array.
1711 * Many of the variable names in this code, especially the
1712 * single character names, were used because those were the
1713 * names used in the publication.
1715 static void SHA1ProcessMessageBlock(SHA1Context *context)
1717 /* Constants defined in FIPS-180-2, section 4.2.1 */
1718 const uint32_t K[4] = {
1719 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6
1721 int t; /* Loop counter */
1722 uint32_t temp; /* Temporary word value */
1723 uint32_t W[80]; /* Word sequence */
1724 uint32_t A, B, C, D, E; /* Word buffers */
1727 * Initialize the first 16 words in the array W
1729 for (t = 0; t < 16; t++) {
1730 W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24;
1731 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16;
1732 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8;
1733 W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]);
1738 Eastlake 3rd & Hansen Informational [Page 31]
1740 RFC 4634 SHAs and HMAC-SHAs July 2006
1743 for (t = 16; t < 80; t++)
1744 W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
1746 A = context->Intermediate_Hash[0];
1747 B = context->Intermediate_Hash[1];
1748 C = context->Intermediate_Hash[2];
1749 D = context->Intermediate_Hash[3];
1750 E = context->Intermediate_Hash[4];
1752 for (t = 0; t < 20; t++) {
1753 temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0];
1756 C = SHA1_ROTL(30,B);
1761 for (t = 20; t < 40; t++) {
1762 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1];
1765 C = SHA1_ROTL(30,B);
1770 for (t = 40; t < 60; t++) {
1771 temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2];
1774 C = SHA1_ROTL(30,B);
1779 for (t = 60; t < 80; t++) {
1780 temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3];
1783 C = SHA1_ROTL(30,B);
1788 context->Intermediate_Hash[0] += A;
1789 context->Intermediate_Hash[1] += B;
1790 context->Intermediate_Hash[2] += C;
1794 Eastlake 3rd & Hansen Informational [Page 32]
1796 RFC 4634 SHAs and HMAC-SHAs July 2006
1799 context->Intermediate_Hash[3] += D;
1800 context->Intermediate_Hash[4] += E;
1802 context->Message_Block_Index = 0;
1807 /*************************** sha224-256.c ***************************/
1808 /********************* See RFC 4634 for details *********************/
1811 * This file implements the Secure Hash Signature Standard
1812 * algorithms as defined in the National Institute of Standards
1813 * and Technology Federal Information Processing Standards
1814 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
1815 * published on August 1, 2002, and the FIPS PUB 180-2 Change
1816 * Notice published on February 28, 2004.
1818 * A combined document showing all algorithms is available at
1819 * http://csrc.nist.gov/publications/fips/
1820 * fips180-2/fips180-2withchangenotice.pdf
1822 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
1823 * message digests for a given data stream. It should take about
1824 * 2**n steps to find a message with the same digest as a given
1825 * message and 2**(n/2) to find any two messages with the same
1826 * digest, when n is the digest size in bits. Therefore, this
1827 * algorithm can serve as a means of providing a
1828 * "fingerprint" for a message.
1830 * Portability Issues:
1831 * SHA-224 and SHA-256 are defined in terms of 32-bit "words".
1832 * This code uses <stdint.h> (included via "sha.h") to define 32
1833 * and 8 bit unsigned integer types. If your C compiler does not
1834 * support 32 bit unsigned integers, this code is not
1838 * SHA-224 and SHA-256 are designed to work with messages less
1839 * than 2^64 bits long. This implementation uses SHA224/256Input()
1840 * to hash the bits that are a multiple of the size of an 8-bit
1841 * character, and then uses SHA224/256FinalBits() to hash the
1842 * final few bits of the input.
1846 #include "sha-private.h"
1850 Eastlake 3rd & Hansen Informational [Page 33]
1852 RFC 4634 SHAs and HMAC-SHAs July 2006
1855 /* Define the SHA shift, rotate left and rotate right macro */
1856 #define SHA256_SHR(bits,word) ((word) >> (bits))
1857 #define SHA256_ROTL(bits,word) \
1858 (((word) << (bits)) | ((word) >> (32-(bits))))
1859 #define SHA256_ROTR(bits,word) \
1860 (((word) >> (bits)) | ((word) << (32-(bits))))
1862 /* Define the SHA SIGMA and sigma macros */
1863 #define SHA256_SIGMA0(word) \
1864 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
1865 #define SHA256_SIGMA1(word) \
1866 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
1867 #define SHA256_sigma0(word) \
1868 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
1869 #define SHA256_sigma1(word) \
1870 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))
1873 * add "length" to the length
1875 static uint32_t addTemp;
1876 #define SHA224_256AddLength(context, length) \
1877 (addTemp = (context)->Length_Low, (context)->Corrupted = \
1878 (((context)->Length_Low += (length)) < addTemp) && \
1879 (++(context)->Length_High == 0) ? 1 : 0)
1881 /* Local Function Prototypes */
1882 static void SHA224_256Finalize(SHA256Context *context,
1884 static void SHA224_256PadMessage(SHA256Context *context,
1886 static void SHA224_256ProcessMessageBlock(SHA256Context *context);
1887 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);
1888 static int SHA224_256ResultN(SHA256Context *context,
1889 uint8_t Message_Digest[], int HashSize);
1891 /* Initial Hash Values: FIPS-180-2 Change Notice 1 */
1892 static uint32_t SHA224_H0[SHA256HashSize/4] = {
1893 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
1894 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
1897 /* Initial Hash Values: FIPS-180-2 section 5.3.2 */
1898 static uint32_t SHA256_H0[SHA256HashSize/4] = {
1899 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
1900 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
1906 Eastlake 3rd & Hansen Informational [Page 34]
1908 RFC 4634 SHAs and HMAC-SHAs July 2006
1915 * This function will initialize the SHA384Context in preparation
1916 * for computing a new SHA224 message digest.
1920 * The context to reset.
1925 int SHA224Reset(SHA224Context *context)
1927 return SHA224_256Reset(context, SHA224_H0);
1934 * This function accepts an array of octets as the next portion
1939 * The SHA context to update
1940 * message_array: [in]
1941 * An array of characters representing the next portion of
1944 * The length of the message in message_array
1950 int SHA224Input(SHA224Context *context, const uint8_t *message_array,
1951 unsigned int length)
1953 return SHA256Input(context, message_array, length);
1962 Eastlake 3rd & Hansen Informational [Page 35]
1964 RFC 4634 SHAs and HMAC-SHAs July 2006
1968 * This function will add in any final bits of the message.
1972 * The SHA context to update
1973 * message_bits: [in]
1974 * The final bits of the message, in the upper portion of the
1975 * byte. (Use 0b###00000 instead of 0b00000### to input the
1978 * The number of bits in message_bits, between 1 and 7.
1983 int SHA224FinalBits( SHA224Context *context,
1984 const uint8_t message_bits, unsigned int length)
1986 return SHA256FinalBits(context, message_bits, length);
1993 * This function will return the 224-bit message
1994 * digest into the Message_Digest array provided by the caller.
1995 * NOTE: The first octet of hash is stored in the 0th element,
1996 * the last octet of hash in the 28th element.
2000 * The context to use to calculate the SHA hash.
2001 * Message_Digest: [out]
2002 * Where the digest is returned.
2007 int SHA224Result(SHA224Context *context,
2008 uint8_t Message_Digest[SHA224HashSize])
2010 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
2018 Eastlake 3rd & Hansen Informational [Page 36]
2020 RFC 4634 SHAs and HMAC-SHAs July 2006
2025 * This function will initialize the SHA256Context in preparation
2026 * for computing a new SHA256 message digest.
2030 * The context to reset.
2035 int SHA256Reset(SHA256Context *context)
2037 return SHA224_256Reset(context, SHA256_H0);
2044 * This function accepts an array of octets as the next portion
2049 * The SHA context to update
2050 * message_array: [in]
2051 * An array of characters representing the next portion of
2054 * The length of the message in message_array
2059 int SHA256Input(SHA256Context *context, const uint8_t *message_array,
2060 unsigned int length)
2065 if (!context || !message_array)
2068 if (context->Computed) {
2069 context->Corrupted = shaStateError;
2070 return shaStateError;
2074 Eastlake 3rd & Hansen Informational [Page 37]
2076 RFC 4634 SHAs and HMAC-SHAs July 2006
2081 if (context->Corrupted)
2082 return context->Corrupted;
2084 while (length-- && !context->Corrupted) {
2085 context->Message_Block[context->Message_Block_Index++] =
2086 (*message_array & 0xFF);
2088 if (!SHA224_256AddLength(context, 8) &&
2089 (context->Message_Block_Index == SHA256_Message_Block_Size))
2090 SHA224_256ProcessMessageBlock(context);
2103 * This function will add in any final bits of the message.
2107 * The SHA context to update
2108 * message_bits: [in]
2109 * The final bits of the message, in the upper portion of the
2110 * byte. (Use 0b###00000 instead of 0b00000### to input the
2113 * The number of bits in message_bits, between 1 and 7.
2118 int SHA256FinalBits(SHA256Context *context,
2119 const uint8_t message_bits, unsigned int length)
2121 uint8_t masks[8] = {
2122 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
2123 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
2124 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
2125 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
2130 Eastlake 3rd & Hansen Informational [Page 38]
2132 RFC 4634 SHAs and HMAC-SHAs July 2006
2135 uint8_t markbit[8] = {
2136 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
2137 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
2138 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
2139 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
2148 if ((context->Computed) || (length >= 8) || (length == 0)) {
2149 context->Corrupted = shaStateError;
2150 return shaStateError;
2153 if (context->Corrupted)
2154 return context->Corrupted;
2156 SHA224_256AddLength(context, length);
2157 SHA224_256Finalize(context, (uint8_t)
2158 ((message_bits & masks[length]) | markbit[length]));
2167 * This function will return the 256-bit message
2168 * digest into the Message_Digest array provided by the caller.
2169 * NOTE: The first octet of hash is stored in the 0th element,
2170 * the last octet of hash in the 32nd element.
2174 * The context to use to calculate the SHA hash.
2175 * Message_Digest: [out]
2176 * Where the digest is returned.
2181 int SHA256Result(SHA256Context *context, uint8_t Message_Digest[])
2186 Eastlake 3rd & Hansen Informational [Page 39]
2188 RFC 4634 SHAs and HMAC-SHAs July 2006
2191 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);
2195 * SHA224_256Finalize
2198 * This helper function finishes off the digest calculations.
2202 * The SHA context to update
2204 * The last byte to add to the digest before the 0-padding
2205 * and length. This will contain the last bits of the message
2206 * followed by another single bit. If the message was an
2207 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
2212 static void SHA224_256Finalize(SHA256Context *context,
2216 SHA224_256PadMessage(context, Pad_Byte);
2217 /* message may be sensitive, so clear it out */
2218 for (i = 0; i < SHA256_Message_Block_Size; ++i)
2219 context->Message_Block[i] = 0;
2220 context->Length_Low = 0; /* and clear length */
2221 context->Length_High = 0;
2222 context->Computed = 1;
2226 * SHA224_256PadMessage
2229 * According to the standard, the message must be padded to an
2230 * even 512 bits. The first padding bit must be a '1'. The
2231 * last 64 bits represent the length of the original message.
2232 * All bits in between should be 0. This helper function will pad
2233 * the message according to those rules by filling the
2234 * Message_Block array accordingly. When it returns, it can be
2235 * assumed that the message digest has been computed.
2242 Eastlake 3rd & Hansen Informational [Page 40]
2244 RFC 4634 SHAs and HMAC-SHAs July 2006
2247 * The context to pad
2249 * The last byte to add to the digest before the 0-padding
2250 * and length. This will contain the last bits of the message
2251 * followed by another single bit. If the message was an
2252 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
2257 static void SHA224_256PadMessage(SHA256Context *context,
2261 * Check to see if the current message block is too small to hold
2262 * the initial padding bits and length. If so, we will pad the
2263 * block, process it, and then continue padding into a second
2266 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
2267 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
2268 while (context->Message_Block_Index < SHA256_Message_Block_Size)
2269 context->Message_Block[context->Message_Block_Index++] = 0;
2270 SHA224_256ProcessMessageBlock(context);
2272 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
2274 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
2275 context->Message_Block[context->Message_Block_Index++] = 0;
2278 * Store the message length as the last 8 octets
2280 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24);
2281 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16);
2282 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8);
2283 context->Message_Block[59] = (uint8_t)(context->Length_High);
2284 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24);
2285 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16);
2286 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8);
2287 context->Message_Block[63] = (uint8_t)(context->Length_Low);
2289 SHA224_256ProcessMessageBlock(context);
2293 * SHA224_256ProcessMessageBlock
2298 Eastlake 3rd & Hansen Informational [Page 41]
2300 RFC 4634 SHAs and HMAC-SHAs July 2006
2304 * This function will process the next 512 bits of the message
2305 * stored in the Message_Block array.
2309 * The SHA context to update
2315 * Many of the variable names in this code, especially the
2316 * single character names, were used because those were the
2317 * names used in the publication.
2319 static void SHA224_256ProcessMessageBlock(SHA256Context *context)
2321 /* Constants defined in FIPS-180-2, section 4.2.2 */
2322 static const uint32_t K[64] = {
2323 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
2324 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
2325 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
2326 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
2327 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
2328 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
2329 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
2330 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
2331 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
2332 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
2333 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
2334 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
2335 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
2337 int t, t4; /* Loop counter */
2338 uint32_t temp1, temp2; /* Temporary word value */
2339 uint32_t W[64]; /* Word sequence */
2340 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
2343 * Initialize the first 16 words in the array W
2345 for (t = t4 = 0; t < 16; t++, t4 += 4)
2346 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) |
2347 (((uint32_t)context->Message_Block[t4 + 1]) << 16) |
2348 (((uint32_t)context->Message_Block[t4 + 2]) << 8) |
2349 (((uint32_t)context->Message_Block[t4 + 3]));
2354 Eastlake 3rd & Hansen Informational [Page 42]
2356 RFC 4634 SHAs and HMAC-SHAs July 2006
2359 for (t = 16; t < 64; t++)
2360 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
2361 SHA256_sigma0(W[t-15]) + W[t-16];
2363 A = context->Intermediate_Hash[0];
2364 B = context->Intermediate_Hash[1];
2365 C = context->Intermediate_Hash[2];
2366 D = context->Intermediate_Hash[3];
2367 E = context->Intermediate_Hash[4];
2368 F = context->Intermediate_Hash[5];
2369 G = context->Intermediate_Hash[6];
2370 H = context->Intermediate_Hash[7];
2372 for (t = 0; t < 64; t++) {
2373 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
2374 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
2385 context->Intermediate_Hash[0] += A;
2386 context->Intermediate_Hash[1] += B;
2387 context->Intermediate_Hash[2] += C;
2388 context->Intermediate_Hash[3] += D;
2389 context->Intermediate_Hash[4] += E;
2390 context->Intermediate_Hash[5] += F;
2391 context->Intermediate_Hash[6] += G;
2392 context->Intermediate_Hash[7] += H;
2394 context->Message_Block_Index = 0;
2401 * This helper function will initialize the SHA256Context in
2402 * preparation for computing a new SHA256 message digest.
2406 * The context to reset.
2410 Eastlake 3rd & Hansen Informational [Page 43]
2412 RFC 4634 SHAs and HMAC-SHAs July 2006
2416 * The initial hash value to use.
2421 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0)
2426 context->Length_Low = 0;
2427 context->Length_High = 0;
2428 context->Message_Block_Index = 0;
2430 context->Intermediate_Hash[0] = H0[0];
2431 context->Intermediate_Hash[1] = H0[1];
2432 context->Intermediate_Hash[2] = H0[2];
2433 context->Intermediate_Hash[3] = H0[3];
2434 context->Intermediate_Hash[4] = H0[4];
2435 context->Intermediate_Hash[5] = H0[5];
2436 context->Intermediate_Hash[6] = H0[6];
2437 context->Intermediate_Hash[7] = H0[7];
2439 context->Computed = 0;
2440 context->Corrupted = 0;
2449 * This helper function will return the 224-bit or 256-bit message
2450 * digest into the Message_Digest array provided by the caller.
2451 * NOTE: The first octet of hash is stored in the 0th element,
2452 * the last octet of hash in the 28th/32nd element.
2456 * The context to use to calculate the SHA hash.
2457 * Message_Digest: [out]
2458 * Where the digest is returned.
2460 * The size of the hash, either 28 or 32.
2466 Eastlake 3rd & Hansen Informational [Page 44]
2468 RFC 4634 SHAs and HMAC-SHAs July 2006
2473 static int SHA224_256ResultN(SHA256Context *context,
2474 uint8_t Message_Digest[], int HashSize)
2478 if (!context || !Message_Digest)
2481 if (context->Corrupted)
2482 return context->Corrupted;
2484 if (!context->Computed)
2485 SHA224_256Finalize(context, 0x80);
2487 for (i = 0; i < HashSize; ++i)
2488 Message_Digest[i] = (uint8_t)
2489 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ));
2496 /*************************** sha384-512.c ***************************/
2497 /********************* See RFC 4634 for details *********************/
2500 * This file implements the Secure Hash Signature Standard
2501 * algorithms as defined in the National Institute of Standards
2502 * and Technology Federal Information Processing Standards
2503 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
2504 * published on August 1, 2002, and the FIPS PUB 180-2 Change
2505 * Notice published on February 28, 2004.
2507 * A combined document showing all algorithms is available at
2508 * http://csrc.nist.gov/publications/fips/
2509 * fips180-2/fips180-2withchangenotice.pdf
2511 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
2512 * message digests for a given data stream. It should take about
2513 * 2**n steps to find a message with the same digest as a given
2514 * message and 2**(n/2) to find any two messages with the same
2515 * digest, when n is the digest size in bits. Therefore, this
2516 * algorithm can serve as a means of providing a
2517 * "fingerprint" for a message.
2522 Eastlake 3rd & Hansen Informational [Page 45]
2524 RFC 4634 SHAs and HMAC-SHAs July 2006
2527 * Portability Issues:
2528 * SHA-384 and SHA-512 are defined in terms of 64-bit "words",
2529 * but if USE_32BIT_ONLY is #defined, this code is implemented in
2530 * terms of 32-bit "words". This code uses <stdint.h> (included
2531 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer
2532 * types. If your C compiler does not support 64 bit unsigned
2533 * integers, and you do not #define USE_32BIT_ONLY, this code is
2537 * SHA-384 and SHA-512 are designed to work with messages less
2538 * than 2^128 bits long. This implementation uses
2539 * SHA384/512Input() to hash the bits that are a multiple of the
2540 * size of an 8-bit character, and then uses SHA384/256FinalBits()
2541 * to hash the final few bits of the input.
2546 #include "sha-private.h"
2548 #ifdef USE_32BIT_ONLY
2550 * Define 64-bit arithmetic in terms of 32-bit arithmetic.
2551 * Each 64-bit number is represented in a 2-word array.
2552 * All macros are defined such that the result is the last parameter.
2556 * Define shift, rotate left and rotate right functions
2558 #define SHA512_SHR(bits, word, ret) ( \
2559 /* (((uint64_t)((word))) >> (bits)) */ \
2560 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \
2561 ((word)[0] >> (bits)) : 0, \
2562 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \
2563 ((bits) == 32) ? (word)[0] : \
2565 (((word)[0] << (32 - (bits))) | \
2566 ((word)[1] >> (bits))) : 0 )
2568 #define SHA512_SHL(bits, word, ret) ( \
2569 /* (((uint64_t)(word)) << (bits)) */ \
2570 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \
2571 ((bits) == 32) ? (word)[1] : \
2573 (((word)[0] << (bits)) | \
2574 ((word)[1] >> (32 - (bits)))) : \
2578 Eastlake 3rd & Hansen Informational [Page 46]
2580 RFC 4634 SHAs and HMAC-SHAs July 2006
2584 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \
2585 ((word)[1] << (bits)) : 0 )
2590 #define SHA512_OR(word1, word2, ret) ( \
2591 (ret)[0] = (word1)[0] | (word2)[0], \
2592 (ret)[1] = (word1)[1] | (word2)[1] )
2597 #define SHA512_XOR(word1, word2, ret) ( \
2598 (ret)[0] = (word1)[0] ^ (word2)[0], \
2599 (ret)[1] = (word1)[1] ^ (word2)[1] )
2604 #define SHA512_AND(word1, word2, ret) ( \
2605 (ret)[0] = (word1)[0] & (word2)[0], \
2606 (ret)[1] = (word1)[1] & (word2)[1] )
2609 * Define 64-bit TILDA
2611 #define SHA512_TILDA(word, ret) \
2612 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
2617 #define SHA512_ADD(word1, word2, ret) ( \
2618 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \
2619 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
2622 * Add the 4word value in word2 to word1.
2624 static uint32_t ADDTO4_temp, ADDTO4_temp2;
2625 #define SHA512_ADDTO4(word1, word2) ( \
2626 ADDTO4_temp = (word1)[3], \
2627 (word1)[3] += (word2)[3], \
2628 ADDTO4_temp2 = (word1)[2], \
2629 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \
2630 ADDTO4_temp = (word1)[1], \
2634 Eastlake 3rd & Hansen Informational [Page 47]
2636 RFC 4634 SHAs and HMAC-SHAs July 2006
2639 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \
2640 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )
2643 * Add the 2word value in word2 to word1.
2645 static uint32_t ADDTO2_temp;
2646 #define SHA512_ADDTO2(word1, word2) ( \
2647 ADDTO2_temp = (word1)[1], \
2648 (word1)[1] += (word2)[1], \
2649 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
2652 * SHA rotate ((word >> bits) | (word << (64-bits)))
2654 static uint32_t ROTR_temp1[2], ROTR_temp2[2];
2655 #define SHA512_ROTR(bits, word, ret) ( \
2656 SHA512_SHR((bits), (word), ROTR_temp1), \
2657 SHA512_SHL(64-(bits), (word), ROTR_temp2), \
2658 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
2661 * Define the SHA SIGMA and sigma macros
2662 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
2664 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
2665 SIGMA0_temp3[2], SIGMA0_temp4[2];
2666 #define SHA512_SIGMA0(word, ret) ( \
2667 SHA512_ROTR(28, (word), SIGMA0_temp1), \
2668 SHA512_ROTR(34, (word), SIGMA0_temp2), \
2669 SHA512_ROTR(39, (word), SIGMA0_temp3), \
2670 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \
2671 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
2674 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
2676 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
2677 SIGMA1_temp3[2], SIGMA1_temp4[2];
2678 #define SHA512_SIGMA1(word, ret) ( \
2679 SHA512_ROTR(14, (word), SIGMA1_temp1), \
2680 SHA512_ROTR(18, (word), SIGMA1_temp2), \
2681 SHA512_ROTR(41, (word), SIGMA1_temp3), \
2682 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \
2683 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
2686 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
2690 Eastlake 3rd & Hansen Informational [Page 48]
2692 RFC 4634 SHAs and HMAC-SHAs July 2006
2696 static uint32_t sigma0_temp1[2], sigma0_temp2[2],
2697 sigma0_temp3[2], sigma0_temp4[2];
2698 #define SHA512_sigma0(word, ret) ( \
2699 SHA512_ROTR( 1, (word), sigma0_temp1), \
2700 SHA512_ROTR( 8, (word), sigma0_temp2), \
2701 SHA512_SHR( 7, (word), sigma0_temp3), \
2702 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \
2703 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
2706 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
2708 static uint32_t sigma1_temp1[2], sigma1_temp2[2],
2709 sigma1_temp3[2], sigma1_temp4[2];
2710 #define SHA512_sigma1(word, ret) ( \
2711 SHA512_ROTR(19, (word), sigma1_temp1), \
2712 SHA512_ROTR(61, (word), sigma1_temp2), \
2713 SHA512_SHR( 6, (word), sigma1_temp3), \
2714 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \
2715 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
2720 #ifndef USE_MODIFIED_MACROS
2722 * These definitions are the ones used in FIPS-180-2, section 4.1.3
2723 * Ch(x,y,z) ((x & y) ^ (~x & z))
2725 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
2726 #define SHA_Ch(x, y, z, ret) ( \
2727 SHA512_AND(x, y, Ch_temp1), \
2728 SHA512_TILDA(x, Ch_temp2), \
2729 SHA512_AND(Ch_temp2, z, Ch_temp3), \
2730 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
2732 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
2734 static uint32_t Maj_temp1[2], Maj_temp2[2],
2735 Maj_temp3[2], Maj_temp4[2];
2736 #define SHA_Maj(x, y, z, ret) ( \
2737 SHA512_AND(x, y, Maj_temp1), \
2738 SHA512_AND(x, z, Maj_temp2), \
2739 SHA512_AND(y, z, Maj_temp3), \
2740 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \
2741 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
2746 Eastlake 3rd & Hansen Informational [Page 49]
2748 RFC 4634 SHAs and HMAC-SHAs July 2006
2751 #else /* !USE_32BIT_ONLY */
2753 * These definitions are potentially faster equivalents for the ones
2754 * used in FIPS-180-2, section 4.1.3.
2755 * ((x & y) ^ (~x & z)) becomes
2756 * ((x & (y ^ z)) ^ z)
2758 #define SHA_Ch(x, y, z, ret) ( \
2759 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \
2760 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
2763 * ((x & y) ^ (x & z) ^ (y & z)) becomes
2764 * ((x & (y | z)) | (y & z))
2766 #define SHA_Maj(x, y, z, ret) ( \
2767 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
2768 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
2769 #endif /* USE_MODIFIED_MACROS */
2772 * add "length" to the length
2774 static uint32_t addTemp[4] = { 0, 0, 0, 0 };
2775 #define SHA384_512AddLength(context, length) ( \
2776 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
2777 (context)->Corrupted = (((context)->Length[3] == 0) && \
2778 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \
2779 ((context)->Length[0] < 8)) ? 1 : 0 )
2781 /* Local Function Prototypes */
2782 static void SHA384_512Finalize(SHA512Context *context,
2784 static void SHA384_512PadMessage(SHA512Context *context,
2786 static void SHA384_512ProcessMessageBlock(SHA512Context *context);
2787 static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]);
2788 static int SHA384_512ResultN( SHA512Context *context,
2789 uint8_t Message_Digest[], int HashSize);
2791 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
2792 static uint32_t SHA384_H0[SHA512HashSize/4] = {
2793 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
2794 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
2795 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
2802 Eastlake 3rd & Hansen Informational [Page 50]
2804 RFC 4634 SHAs and HMAC-SHAs July 2006
2807 static uint32_t SHA512_H0[SHA512HashSize/4] = {
2808 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
2809 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
2810 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
2814 #else /* !USE_32BIT_ONLY */
2816 /* Define the SHA shift, rotate left and rotate right macro */
2817 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits))
2818 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
2819 (((uint64_t)(word)) << (64-(bits))))
2821 /* Define the SHA SIGMA and sigma macros */
2822 #define SHA512_SIGMA0(word) \
2823 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
2824 #define SHA512_SIGMA1(word) \
2825 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
2826 #define SHA512_sigma0(word) \
2827 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
2828 #define SHA512_sigma1(word) \
2829 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
2832 * add "length" to the length
2834 static uint64_t addTemp;
2835 #define SHA384_512AddLength(context, length) \
2836 (addTemp = context->Length_Low, context->Corrupted = \
2837 ((context->Length_Low += length) < addTemp) && \
2838 (++context->Length_High == 0) ? 1 : 0)
2840 /* Local Function Prototypes */
2841 static void SHA384_512Finalize(SHA512Context *context,
2843 static void SHA384_512PadMessage(SHA512Context *context,
2845 static void SHA384_512ProcessMessageBlock(SHA512Context *context);
2846 static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]);
2847 static int SHA384_512ResultN(SHA512Context *context,
2848 uint8_t Message_Digest[], int HashSize);
2850 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
2851 static uint64_t SHA384_H0[] = {
2852 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll,
2853 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll,
2854 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll
2858 Eastlake 3rd & Hansen Informational [Page 51]
2860 RFC 4634 SHAs and HMAC-SHAs July 2006
2864 static uint64_t SHA512_H0[] = {
2865 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll,
2866 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll,
2867 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll
2870 #endif /* USE_32BIT_ONLY */
2876 * This function will initialize the SHA384Context in preparation
2877 * for computing a new SHA384 message digest.
2881 * The context to reset.
2887 int SHA384Reset(SHA384Context *context)
2889 return SHA384_512Reset(context, SHA384_H0);
2896 * This function accepts an array of octets as the next portion
2901 * The SHA context to update
2902 * message_array: [in]
2903 * An array of characters representing the next portion of
2906 * The length of the message in message_array
2914 Eastlake 3rd & Hansen Informational [Page 52]
2916 RFC 4634 SHAs and HMAC-SHAs July 2006
2920 int SHA384Input(SHA384Context *context,
2921 const uint8_t *message_array, unsigned int length)
2923 return SHA512Input(context, message_array, length);
2930 * This function will add in any final bits of the message.
2934 * The SHA context to update
2935 * message_bits: [in]
2936 * The final bits of the message, in the upper portion of the
2937 * byte. (Use 0b###00000 instead of 0b00000### to input the
2940 * The number of bits in message_bits, between 1 and 7.
2946 int SHA384FinalBits(SHA384Context *context,
2947 const uint8_t message_bits, unsigned int length)
2949 return SHA512FinalBits(context, message_bits, length);
2956 * This function will return the 384-bit message
2957 * digest into the Message_Digest array provided by the caller.
2958 * NOTE: The first octet of hash is stored in the 0th element,
2959 * the last octet of hash in the 48th element.
2963 * The context to use to calculate the SHA hash.
2964 * Message_Digest: [out]
2965 * Where the digest is returned.
2970 Eastlake 3rd & Hansen Informational [Page 53]
2972 RFC 4634 SHAs and HMAC-SHAs July 2006
2979 int SHA384Result(SHA384Context *context,
2980 uint8_t Message_Digest[SHA384HashSize])
2982 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize);
2989 * This function will initialize the SHA512Context in preparation
2990 * for computing a new SHA512 message digest.
2994 * The context to reset.
3000 int SHA512Reset(SHA512Context *context)
3002 return SHA384_512Reset(context, SHA512_H0);
3009 * This function accepts an array of octets as the next portion
3014 * The SHA context to update
3015 * message_array: [in]
3016 * An array of characters representing the next portion of
3019 * The length of the message in message_array
3026 Eastlake 3rd & Hansen Informational [Page 54]
3028 RFC 4634 SHAs and HMAC-SHAs July 2006
3033 int SHA512Input(SHA512Context *context,
3034 const uint8_t *message_array,
3035 unsigned int length)
3040 if (!context || !message_array)
3043 if (context->Computed) {
3044 context->Corrupted = shaStateError;
3045 return shaStateError;
3048 if (context->Corrupted)
3049 return context->Corrupted;
3051 while (length-- && !context->Corrupted) {
3052 context->Message_Block[context->Message_Block_Index++] =
3053 (*message_array & 0xFF);
3055 if (!SHA384_512AddLength(context, 8) &&
3056 (context->Message_Block_Index == SHA512_Message_Block_Size))
3057 SHA384_512ProcessMessageBlock(context);
3069 * This function will add in any final bits of the message.
3073 * The SHA context to update
3074 * message_bits: [in]
3075 * The final bits of the message, in the upper portion of the
3076 * byte. (Use 0b###00000 instead of 0b00000### to input the
3082 Eastlake 3rd & Hansen Informational [Page 55]
3084 RFC 4634 SHAs and HMAC-SHAs July 2006
3087 * The number of bits in message_bits, between 1 and 7.
3093 int SHA512FinalBits(SHA512Context *context,
3094 const uint8_t message_bits, unsigned int length)
3096 uint8_t masks[8] = {
3097 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
3098 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
3099 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
3100 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
3102 uint8_t markbit[8] = {
3103 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
3104 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
3105 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
3106 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
3115 if ((context->Computed) || (length >= 8) || (length == 0)) {
3116 context->Corrupted = shaStateError;
3117 return shaStateError;
3120 if (context->Corrupted)
3121 return context->Corrupted;
3123 SHA384_512AddLength(context, length);
3124 SHA384_512Finalize(context, (uint8_t)
3125 ((message_bits & masks[length]) | markbit[length]));
3131 * SHA384_512Finalize
3134 * This helper function finishes off the digest calculations.
3138 Eastlake 3rd & Hansen Informational [Page 56]
3140 RFC 4634 SHAs and HMAC-SHAs July 2006
3146 * The SHA context to update
3148 * The last byte to add to the digest before the 0-padding
3149 * and length. This will contain the last bits of the message
3150 * followed by another single bit. If the message was an
3151 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
3157 static void SHA384_512Finalize(SHA512Context *context,
3161 SHA384_512PadMessage(context, Pad_Byte);
3162 /* message may be sensitive, clear it out */
3163 for (i = 0; i < SHA512_Message_Block_Size; ++i)
3164 context->Message_Block[i] = 0;
3165 #ifdef USE_32BIT_ONLY /* and clear length */
3166 context->Length[0] = context->Length[1] = 0;
3167 context->Length[2] = context->Length[3] = 0;
3168 #else /* !USE_32BIT_ONLY */
3169 context->Length_Low = 0;
3170 context->Length_High = 0;
3171 #endif /* USE_32BIT_ONLY */
3172 context->Computed = 1;
3179 * This function will return the 512-bit message
3180 * digest into the Message_Digest array provided by the caller.
3181 * NOTE: The first octet of hash is stored in the 0th element,
3182 * the last octet of hash in the 64th element.
3186 * The context to use to calculate the SHA hash.
3187 * Message_Digest: [out]
3188 * Where the digest is returned.
3194 Eastlake 3rd & Hansen Informational [Page 57]
3196 RFC 4634 SHAs and HMAC-SHAs July 2006
3202 int SHA512Result(SHA512Context *context,
3203 uint8_t Message_Digest[SHA512HashSize])
3205 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize);
3209 * SHA384_512PadMessage
3212 * According to the standard, the message must be padded to an
3213 * even 1024 bits. The first padding bit must be a '1'. The
3214 * last 128 bits represent the length of the original message.
3215 * All bits in between should be 0. This helper function will
3216 * pad the message according to those rules by filling the
3217 * Message_Block array accordingly. When it returns, it can be
3218 * assumed that the message digest has been computed.
3222 * The context to pad
3224 * The last byte to add to the digest before the 0-padding
3225 * and length. This will contain the last bits of the message
3226 * followed by another single bit. If the message was an
3227 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
3233 static void SHA384_512PadMessage(SHA512Context *context,
3237 * Check to see if the current message block is too small to hold
3238 * the initial padding bits and length. If so, we will pad the
3239 * block, process it, and then continue padding into a second
3242 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) {
3243 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
3244 while (context->Message_Block_Index < SHA512_Message_Block_Size)
3245 context->Message_Block[context->Message_Block_Index++] = 0;
3250 Eastlake 3rd & Hansen Informational [Page 58]
3252 RFC 4634 SHAs and HMAC-SHAs July 2006
3255 SHA384_512ProcessMessageBlock(context);
3257 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
3259 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16))
3260 context->Message_Block[context->Message_Block_Index++] = 0;
3263 * Store the message length as the last 16 octets
3265 #ifdef USE_32BIT_ONLY
3266 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24);
3267 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16);
3268 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8);
3269 context->Message_Block[115] = (uint8_t)(context->Length[0]);
3270 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24);
3271 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16);
3272 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8);
3273 context->Message_Block[119] = (uint8_t)(context->Length[1]);
3275 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24);
3276 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16);
3277 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8);
3278 context->Message_Block[123] = (uint8_t)(context->Length[2]);
3279 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24);
3280 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16);
3281 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8);
3282 context->Message_Block[127] = (uint8_t)(context->Length[3]);
3283 #else /* !USE_32BIT_ONLY */
3284 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56);
3285 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48);
3286 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40);
3287 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32);
3288 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24);
3289 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16);
3290 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8);
3291 context->Message_Block[119] = (uint8_t)(context->Length_High);
3293 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56);
3294 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48);
3295 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40);
3296 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32);
3297 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24);
3298 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16);
3299 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8);
3300 context->Message_Block[127] = (uint8_t)(context->Length_Low);
3301 #endif /* USE_32BIT_ONLY */
3306 Eastlake 3rd & Hansen Informational [Page 59]
3308 RFC 4634 SHAs and HMAC-SHAs July 2006
3311 SHA384_512ProcessMessageBlock(context);
3315 * SHA384_512ProcessMessageBlock
3318 * This helper function will process the next 1024 bits of the
3319 * message stored in the Message_Block array.
3323 * The SHA context to update
3329 * Many of the variable names in this code, especially the
3330 * single character names, were used because those were the
3331 * names used in the publication.
3335 static void SHA384_512ProcessMessageBlock(SHA512Context *context)
3337 /* Constants defined in FIPS-180-2, section 4.2.3 */
3338 #ifdef USE_32BIT_ONLY
3339 static const uint32_t K[80*2] = {
3340 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
3341 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
3342 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
3343 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
3344 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
3345 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
3346 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
3347 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
3348 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
3349 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
3350 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,
3351 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
3352 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
3353 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
3354 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
3355 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
3356 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
3357 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
3358 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
3362 Eastlake 3rd & Hansen Informational [Page 60]
3364 RFC 4634 SHAs and HMAC-SHAs July 2006
3367 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
3368 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
3369 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
3370 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
3371 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
3372 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
3373 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
3374 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
3375 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
3376 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
3377 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
3378 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
3379 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
3381 int t, t2, t8; /* Loop counter */
3382 uint32_t temp1[2], temp2[2], /* Temporary word values */
3383 temp3[2], temp4[2], temp5[2];
3384 uint32_t W[2*80]; /* Word sequence */
3385 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */
3386 E[2], F[2], G[2], H[2];
3388 /* Initialize the first 16 words in the array W */
3389 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) {
3390 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) |
3391 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) |
3392 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) |
3393 ((((uint32_t)context->Message_Block[t8 + 3])));
3394 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) |
3395 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) |
3396 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) |
3397 ((((uint32_t)context->Message_Block[t8 + 7])));
3400 for (t = 16; t < 80; t++, t2 += 2) {
3401 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
3402 SHA512_sigma0(W[t-15]) + W[t-16]; */
3403 uint32_t *Wt2 = &W[t2-2*2];
3404 uint32_t *Wt7 = &W[t2-7*2];
3405 uint32_t *Wt15 = &W[t2-15*2];
3406 uint32_t *Wt16 = &W[t2-16*2];
3407 SHA512_sigma1(Wt2, temp1);
3408 SHA512_ADD(temp1, Wt7, temp2);
3409 SHA512_sigma0(Wt15, temp1);
3410 SHA512_ADD(temp1, Wt16, temp3);
3411 SHA512_ADD(temp2, temp3, &W[t2]);
3414 A[0] = context->Intermediate_Hash[0];
3418 Eastlake 3rd & Hansen Informational [Page 61]
3420 RFC 4634 SHAs and HMAC-SHAs July 2006
3423 A[1] = context->Intermediate_Hash[1];
3424 B[0] = context->Intermediate_Hash[2];
3425 B[1] = context->Intermediate_Hash[3];
3426 C[0] = context->Intermediate_Hash[4];
3427 C[1] = context->Intermediate_Hash[5];
3428 D[0] = context->Intermediate_Hash[6];
3429 D[1] = context->Intermediate_Hash[7];
3430 E[0] = context->Intermediate_Hash[8];
3431 E[1] = context->Intermediate_Hash[9];
3432 F[0] = context->Intermediate_Hash[10];
3433 F[1] = context->Intermediate_Hash[11];
3434 G[0] = context->Intermediate_Hash[12];
3435 G[1] = context->Intermediate_Hash[13];
3436 H[0] = context->Intermediate_Hash[14];
3437 H[1] = context->Intermediate_Hash[15];
3439 for (t = t2 = 0; t < 80; t++, t2 += 2) {
3441 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
3443 SHA512_SIGMA1(E,temp1);
3444 SHA512_ADD(H, temp1, temp2);
3445 SHA_Ch(E,F,G,temp3);
3446 SHA512_ADD(temp2, temp3, temp4);
3447 SHA512_ADD(&K[t2], &W[t2], temp5);
3448 SHA512_ADD(temp4, temp5, temp1);
3450 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
3452 SHA512_SIGMA0(A,temp3);
3453 SHA_Maj(A,B,C,temp4);
3454 SHA512_ADD(temp3, temp4, temp2);
3455 H[0] = G[0]; H[1] = G[1];
3456 G[0] = F[0]; G[1] = F[1];
3457 F[0] = E[0]; F[1] = E[1];
3458 SHA512_ADD(D, temp1, E);
3459 D[0] = C[0]; D[1] = C[1];
3460 C[0] = B[0]; C[1] = B[1];
3461 B[0] = A[0]; B[1] = A[1];
3462 SHA512_ADD(temp1, temp2, A);
3465 SHA512_ADDTO2(&context->Intermediate_Hash[0], A);
3466 SHA512_ADDTO2(&context->Intermediate_Hash[2], B);
3467 SHA512_ADDTO2(&context->Intermediate_Hash[4], C);
3468 SHA512_ADDTO2(&context->Intermediate_Hash[6], D);
3469 SHA512_ADDTO2(&context->Intermediate_Hash[8], E);
3470 SHA512_ADDTO2(&context->Intermediate_Hash[10], F);
3474 Eastlake 3rd & Hansen Informational [Page 62]
3476 RFC 4634 SHAs and HMAC-SHAs July 2006
3479 SHA512_ADDTO2(&context->Intermediate_Hash[12], G);
3480 SHA512_ADDTO2(&context->Intermediate_Hash[14], H);
3482 #else /* !USE_32BIT_ONLY */
3483 static const uint64_t K[80] = {
3484 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll,
3485 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll,
3486 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll,
3487 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll,
3488 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll,
3489 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll,
3490 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll,
3491 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll,
3492 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll,
3493 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll,
3494 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll,
3495 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll,
3496 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll,
3497 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll,
3498 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll,
3499 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll,
3500 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll,
3501 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll,
3502 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll,
3503 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll,
3504 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll,
3505 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll,
3506 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll,
3507 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll,
3508 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll,
3509 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All,
3510 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll
3512 int t, t8; /* Loop counter */
3513 uint64_t temp1, temp2; /* Temporary word value */
3514 uint64_t W[80]; /* Word sequence */
3515 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */
3518 * Initialize the first 16 words in the array W
3520 for (t = t8 = 0; t < 16; t++, t8 += 8)
3521 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) |
3522 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) |
3523 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) |
3524 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) |
3525 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) |
3526 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) |
3530 Eastlake 3rd & Hansen Informational [Page 63]
3532 RFC 4634 SHAs and HMAC-SHAs July 2006
3535 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) |
3536 ((uint64_t)(context->Message_Block[t8 + 7]));
3538 for (t = 16; t < 80; t++)
3539 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
3540 SHA512_sigma0(W[t-15]) + W[t-16];
3542 A = context->Intermediate_Hash[0];
3543 B = context->Intermediate_Hash[1];
3544 C = context->Intermediate_Hash[2];
3545 D = context->Intermediate_Hash[3];
3546 E = context->Intermediate_Hash[4];
3547 F = context->Intermediate_Hash[5];
3548 G = context->Intermediate_Hash[6];
3549 H = context->Intermediate_Hash[7];
3551 for (t = 0; t < 80; t++) {
3552 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
3553 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
3564 context->Intermediate_Hash[0] += A;
3565 context->Intermediate_Hash[1] += B;
3566 context->Intermediate_Hash[2] += C;
3567 context->Intermediate_Hash[3] += D;
3568 context->Intermediate_Hash[4] += E;
3569 context->Intermediate_Hash[5] += F;
3570 context->Intermediate_Hash[6] += G;
3571 context->Intermediate_Hash[7] += H;
3572 #endif /* USE_32BIT_ONLY */
3574 context->Message_Block_Index = 0;
3581 * This helper function will initialize the SHA512Context in
3582 * preparation for computing a new SHA384 or SHA512 message
3586 Eastlake 3rd & Hansen Informational [Page 64]
3588 RFC 4634 SHAs and HMAC-SHAs July 2006
3595 * The context to reset.
3597 * The initial hash value to use.
3603 #ifdef USE_32BIT_ONLY
3604 static int SHA384_512Reset(SHA512Context *context, uint32_t H0[])
3605 #else /* !USE_32BIT_ONLY */
3606 static int SHA384_512Reset(SHA512Context *context, uint64_t H0[])
3607 #endif /* USE_32BIT_ONLY */
3613 context->Message_Block_Index = 0;
3615 #ifdef USE_32BIT_ONLY
3616 context->Length[0] = context->Length[1] = 0;
3617 context->Length[2] = context->Length[3] = 0;
3619 for (i = 0; i < SHA512HashSize/4; i++)
3620 context->Intermediate_Hash[i] = H0[i];
3621 #else /* !USE_32BIT_ONLY */
3622 context->Length_High = context->Length_Low = 0;
3624 for (i = 0; i < SHA512HashSize/8; i++)
3625 context->Intermediate_Hash[i] = H0[i];
3626 #endif /* USE_32BIT_ONLY */
3628 context->Computed = 0;
3629 context->Corrupted = 0;
3638 * This helper function will return the 384-bit or 512-bit message
3642 Eastlake 3rd & Hansen Informational [Page 65]
3644 RFC 4634 SHAs and HMAC-SHAs July 2006
3647 * digest into the Message_Digest array provided by the caller.
3648 * NOTE: The first octet of hash is stored in the 0th element,
3649 * the last octet of hash in the 48th/64th element.
3653 * The context to use to calculate the SHA hash.
3654 * Message_Digest: [out]
3655 * Where the digest is returned.
3657 * The size of the hash, either 48 or 64.
3663 static int SHA384_512ResultN(SHA512Context *context,
3664 uint8_t Message_Digest[], int HashSize)
3668 #ifdef USE_32BIT_ONLY
3670 #endif /* USE_32BIT_ONLY */
3672 if (!context || !Message_Digest)
3675 if (context->Corrupted)
3676 return context->Corrupted;
3678 if (!context->Computed)
3679 SHA384_512Finalize(context, 0x80);
3681 #ifdef USE_32BIT_ONLY
3682 for (i = i2 = 0; i < HashSize; ) {
3683 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
3684 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
3685 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
3686 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
3687 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
3688 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
3689 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
3690 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
3692 #else /* !USE_32BIT_ONLY */
3693 for (i = 0; i < HashSize; ++i)
3694 Message_Digest[i] = (uint8_t)
3698 Eastlake 3rd & Hansen Informational [Page 66]
3700 RFC 4634 SHAs and HMAC-SHAs July 2006
3703 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) ));
3704 #endif /* USE_32BIT_ONLY */
3711 /**************************** usha.c ****************************/
3712 /******************** See RFC 4634 for details ******************/
3715 * This file implements a unified interface to the SHA algorithms.
3724 * This function will initialize the SHA Context in preparation
3725 * for computing a new SHA message digest.
3729 * The context to reset.
3731 * Selects which SHA reset to call
3737 int USHAReset(USHAContext *ctx, enum SHAversion whichSha)
3740 ctx->whichSha = whichSha;
3742 case SHA1: return SHA1Reset((SHA1Context*)&ctx->ctx);
3743 case SHA224: return SHA224Reset((SHA224Context*)&ctx->ctx);
3744 case SHA256: return SHA256Reset((SHA256Context*)&ctx->ctx);
3745 case SHA384: return SHA384Reset((SHA384Context*)&ctx->ctx);
3746 case SHA512: return SHA512Reset((SHA512Context*)&ctx->ctx);
3747 default: return shaBadParam;
3754 Eastlake 3rd & Hansen Informational [Page 67]
3756 RFC 4634 SHAs and HMAC-SHAs July 2006
3766 * This function accepts an array of octets as the next portion
3771 * The SHA context to update
3772 * message_array: [in]
3773 * An array of characters representing the next portion of
3776 * The length of the message in message_array
3782 int USHAInput(USHAContext *ctx,
3783 const uint8_t *bytes, unsigned int bytecount)
3786 switch (ctx->whichSha) {
3788 return SHA1Input((SHA1Context*)&ctx->ctx, bytes, bytecount);
3790 return SHA224Input((SHA224Context*)&ctx->ctx, bytes,
3793 return SHA256Input((SHA256Context*)&ctx->ctx, bytes,
3796 return SHA384Input((SHA384Context*)&ctx->ctx, bytes,
3799 return SHA512Input((SHA512Context*)&ctx->ctx, bytes,
3801 default: return shaBadParam;
3810 Eastlake 3rd & Hansen Informational [Page 68]
3812 RFC 4634 SHAs and HMAC-SHAs July 2006
3819 * This function will add in any final bits of the message.
3823 * The SHA context to update
3824 * message_bits: [in]
3825 * The final bits of the message, in the upper portion of the
3826 * byte. (Use 0b###00000 instead of 0b00000### to input the
3829 * The number of bits in message_bits, between 1 and 7.
3834 int USHAFinalBits(USHAContext *ctx,
3835 const uint8_t bits, unsigned int bitcount)
3838 switch (ctx->whichSha) {
3840 return SHA1FinalBits((SHA1Context*)&ctx->ctx, bits, bitcount);
3842 return SHA224FinalBits((SHA224Context*)&ctx->ctx, bits,
3845 return SHA256FinalBits((SHA256Context*)&ctx->ctx, bits,
3848 return SHA384FinalBits((SHA384Context*)&ctx->ctx, bits,
3851 return SHA512FinalBits((SHA512Context*)&ctx->ctx, bits,
3853 default: return shaBadParam;
3866 Eastlake 3rd & Hansen Informational [Page 69]
3868 RFC 4634 SHAs and HMAC-SHAs July 2006
3872 * This function will return the 160-bit message digest into the
3873 * Message_Digest array provided by the caller.
3874 * NOTE: The first octet of hash is stored in the 0th element,
3875 * the last octet of hash in the 19th element.
3879 * The context to use to calculate the SHA-1 hash.
3880 * Message_Digest: [out]
3881 * Where the digest is returned.
3887 int USHAResult(USHAContext *ctx,
3888 uint8_t Message_Digest[USHAMaxHashSize])
3891 switch (ctx->whichSha) {
3893 return SHA1Result((SHA1Context*)&ctx->ctx, Message_Digest);
3895 return SHA224Result((SHA224Context*)&ctx->ctx, Message_Digest);
3897 return SHA256Result((SHA256Context*)&ctx->ctx, Message_Digest);
3899 return SHA384Result((SHA384Context*)&ctx->ctx, Message_Digest);
3901 return SHA512Result((SHA512Context*)&ctx->ctx, Message_Digest);
3902 default: return shaBadParam;
3913 * This function will return the blocksize for the given SHA
3918 * which SHA algorithm to query
3922 Eastlake 3rd & Hansen Informational [Page 70]
3924 RFC 4634 SHAs and HMAC-SHAs July 2006
3932 int USHABlockSize(enum SHAversion whichSha)
3935 case SHA1: return SHA1_Message_Block_Size;
3936 case SHA224: return SHA224_Message_Block_Size;
3937 case SHA256: return SHA256_Message_Block_Size;
3938 case SHA384: return SHA384_Message_Block_Size;
3940 case SHA512: return SHA512_Message_Block_Size;
3948 * This function will return the hashsize for the given SHA
3953 * which SHA algorithm to query
3959 int USHAHashSize(enum SHAversion whichSha)
3962 case SHA1: return SHA1HashSize;
3963 case SHA224: return SHA224HashSize;
3964 case SHA256: return SHA256HashSize;
3965 case SHA384: return SHA384HashSize;
3967 case SHA512: return SHA512HashSize;
3978 Eastlake 3rd & Hansen Informational [Page 71]
3980 RFC 4634 SHAs and HMAC-SHAs July 2006
3983 * This function will return the hashsize for the given SHA
3984 * algorithm, expressed in bits.
3988 * which SHA algorithm to query
3994 int USHAHashSizeBits(enum SHAversion whichSha)
3997 case SHA1: return SHA1HashSizeBits;
3998 case SHA224: return SHA224HashSizeBits;
3999 case SHA256: return SHA256HashSizeBits;
4000 case SHA384: return SHA384HashSizeBits;
4002 case SHA512: return SHA512HashSizeBits;
4006 8.2.5. sha-private.h
4008 /*************************** sha-private.h ***************************/
4009 /********************** See RFC 4634 for details *********************/
4010 #ifndef _SHA_PRIVATE__H
4011 #define _SHA_PRIVATE__H
4013 * These definitions are defined in FIPS-180-2, section 4.1.
4014 * Ch() and Maj() are defined identically in sections 4.1.1,
4017 * The definitions used in FIPS-180-2 are as follows:
4020 #ifndef USE_MODIFIED_MACROS
4021 #define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
4022 #define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
4024 #else /* USE_MODIFIED_MACROS */
4026 * The following definitions are equivalent and potentially faster.
4029 #define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z))
4030 #define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z)))
4034 Eastlake 3rd & Hansen Informational [Page 72]
4036 RFC 4634 SHAs and HMAC-SHAs July 2006
4039 #endif /* USE_MODIFIED_MACROS */
4041 #define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z))
4043 #endif /* _SHA_PRIVATE__H */
4047 /**************************** hmac.c ****************************/
4048 /******************** See RFC 4634 for details ******************/
4051 * This file implements the HMAC algorithm (Keyed-Hashing for
4052 * Message Authentication, RFC2104), expressed in terms of the
4053 * various SHA algorithms.
4062 * This function will compute an HMAC message digest.
4066 * One of SHA1, SHA224, SHA256, SHA384, SHA512
4068 * The secret shared key.
4070 * The length of the secret shared key.
4071 * message_array: [in]
4072 * An array of characters representing the message.
4074 * The length of the message in message_array
4076 * Where the digest is returned.
4077 * NOTE: The length of the digest is determined by
4078 * the value of whichSha.
4084 int hmac(SHAversion whichSha, const unsigned char *text, int text_len,
4085 const unsigned char *key, int key_len,
4086 uint8_t digest[USHAMaxHashSize])
4090 Eastlake 3rd & Hansen Informational [Page 73]
4092 RFC 4634 SHAs and HMAC-SHAs July 2006
4097 return hmacReset(&ctx, whichSha, key, key_len) ||
4098 hmacInput(&ctx, text, text_len) ||
4099 hmacResult(&ctx, digest);
4106 * This function will initialize the hmacContext in preparation
4107 * for computing a new HMAC message digest.
4111 * The context to reset.
4113 * One of SHA1, SHA224, SHA256, SHA384, SHA512
4115 * The secret shared key.
4117 * The length of the secret shared key.
4123 int hmacReset(HMACContext *ctx, enum SHAversion whichSha,
4124 const unsigned char *key, int key_len)
4126 int i, blocksize, hashsize;
4128 /* inner padding - key XORd with ipad */
4129 unsigned char k_ipad[USHA_Max_Message_Block_Size];
4131 /* temporary buffer when keylen > blocksize */
4132 unsigned char tempkey[USHAMaxHashSize];
4134 if (!ctx) return shaNull;
4136 blocksize = ctx->blockSize = USHABlockSize(whichSha);
4137 hashsize = ctx->hashSize = USHAHashSize(whichSha);
4139 ctx->whichSha = whichSha;
4142 * If key is longer than the hash blocksize,
4146 Eastlake 3rd & Hansen Informational [Page 74]
4148 RFC 4634 SHAs and HMAC-SHAs July 2006
4151 * reset it to key = HASH(key).
4153 if (key_len > blocksize) {
4155 int err = USHAReset(&tctx, whichSha) ||
4156 USHAInput(&tctx, key, key_len) ||
4157 USHAResult(&tctx, tempkey);
4158 if (err != shaSuccess) return err;
4165 * The HMAC transform looks like:
4167 * SHA(K XOR opad, SHA(K XOR ipad, text))
4169 * where K is an n byte key.
4170 * ipad is the byte 0x36 repeated blocksize times
4171 * opad is the byte 0x5c repeated blocksize times
4172 * and text is the data being protected.
4175 /* store key into the pads, XOR'd with ipad and opad values */
4176 for (i = 0; i < key_len; i++) {
4177 k_ipad[i] = key[i] ^ 0x36;
4178 ctx->k_opad[i] = key[i] ^ 0x5c;
4180 /* remaining pad bytes are '\0' XOR'd with ipad and opad values */
4181 for ( ; i < blocksize; i++) {
4183 ctx->k_opad[i] = 0x5c;
4186 /* perform inner hash */
4187 /* init context for 1st pass */
4188 return USHAReset(&ctx->shaContext, whichSha) ||
4189 /* and start with inner pad */
4190 USHAInput(&ctx->shaContext, k_ipad, blocksize);
4197 * This function accepts an array of octets as the next portion
4202 Eastlake 3rd & Hansen Informational [Page 75]
4204 RFC 4634 SHAs and HMAC-SHAs July 2006
4210 * The HMAC context to update
4211 * message_array: [in]
4212 * An array of characters representing the next portion of
4215 * The length of the message in message_array
4221 int hmacInput(HMACContext *ctx, const unsigned char *text,
4224 if (!ctx) return shaNull;
4225 /* then text of datagram */
4226 return USHAInput(&ctx->shaContext, text, text_len);
4233 * This function will add in any final bits of the message.
4237 * The HMAC context to update
4238 * message_bits: [in]
4239 * The final bits of the message, in the upper portion of the
4240 * byte. (Use 0b###00000 instead of 0b00000### to input the
4243 * The number of bits in message_bits, between 1 and 7.
4248 int hmacFinalBits(HMACContext *ctx,
4250 unsigned int bitcount)
4252 if (!ctx) return shaNull;
4253 /* then final bits of datagram */
4254 return USHAFinalBits(&ctx->shaContext, bits, bitcount);
4258 Eastlake 3rd & Hansen Informational [Page 76]
4260 RFC 4634 SHAs and HMAC-SHAs July 2006
4269 * This function will return the N-byte message digest into the
4270 * Message_Digest array provided by the caller.
4271 * NOTE: The first octet of hash is stored in the 0th element,
4272 * the last octet of hash in the Nth element.
4276 * The context to use to calculate the HMAC hash.
4278 * Where the digest is returned.
4279 * NOTE 2: The length of the hash is determined by the value of
4280 * whichSha that was passed to hmacReset().
4286 int hmacResult(HMACContext *ctx, uint8_t *digest)
4288 if (!ctx) return shaNull;
4290 /* finish up 1st pass */
4291 /* (Use digest here as a temporary buffer.) */
4292 return USHAResult(&ctx->shaContext, digest) ||
4294 /* perform outer SHA */
4295 /* init context for 2nd pass */
4296 USHAReset(&ctx->shaContext, ctx->whichSha) ||
4298 /* start with outer pad */
4299 USHAInput(&ctx->shaContext, ctx->k_opad, ctx->blockSize) ||
4301 /* then results of 1st hash */
4302 USHAInput(&ctx->shaContext, digest, ctx->hashSize) ||
4304 /* finish up 2nd pass */
4305 USHAResult(&ctx->shaContext, digest);
4314 Eastlake 3rd & Hansen Informational [Page 77]
4316 RFC 4634 SHAs and HMAC-SHAs July 2006
4319 8.4. The Test Driver
4321 The following code is a main program test driver to exercise the code
4322 in sha1.c, sha224-256.c, and sha384-512.c. The test driver can also
4323 be used as a stand-alone program for generating the hashes.
4325 See also [RFC2202], [RFC4231], and [SHAVS].
4327 /**************************** shatest.c ****************************/
4328 /********************* See RFC 4634 for details ********************/
4331 * This file will exercise the SHA code performing
4332 * the three tests documented in FIPS PUB 180-2
4333 * (http://csrc.nist.gov/publications/fips/
4334 * fips180-2/fips180-2withchangenotice.pdf)
4335 * one that calls SHAInput with an exact multiple of 512 bits
4336 * the seven tests documented for each algorithm in
4337 * "The Secure Hash Algorithm Validation System (SHAVS)",
4338 * three of which are bit-level tests
4339 * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf)
4341 * This file will exercise the HMAC SHA1 code performing
4342 * the seven tests documented in RFCs 2202 and 4231.
4344 * To run the tests and just see PASSED/FAILED, use the -p option.
4346 * Other options exercise:
4347 * hashing an arbitrary string
4348 * hashing a file's contents
4349 * a few error test checks
4350 * printing the results in raw format
4352 * Portability Issues:
4364 static int xgetopt(int argc, char **argv, const char *optstring);
4365 extern char *xoptarg;
4366 static int scasecmp(const char *s1, const char *s2);
4370 Eastlake 3rd & Hansen Informational [Page 78]
4372 RFC 4634 SHAs and HMAC-SHAs July 2006
4376 * Define patterns for testing
4380 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
4382 "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
4384 "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
4385 #define TEST2_2 TEST2_2a TEST2_2b
4386 #define TEST3 "a" /* times 1000000 */
4387 #define TEST4a "01234567012345670123456701234567"
4388 #define TEST4b "01234567012345670123456701234567"
4389 /* an exact multiple of 512 bits */
4390 #define TEST4 TEST4a TEST4b /* times 10 */
4393 "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8"
4395 "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46"
4397 "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \
4398 "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \
4399 "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \
4400 "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \
4401 "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a"
4403 "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \
4404 "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \
4405 "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \
4406 "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \
4407 "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \
4408 "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \
4409 "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \
4410 "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \
4411 "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \
4412 "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \
4415 "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d"
4417 "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62"
4419 "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \
4420 "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \
4421 "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \
4422 "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \
4426 Eastlake 3rd & Hansen Informational [Page 79]
4428 RFC 4634 SHAs and HMAC-SHAs July 2006
4431 "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2"
4432 #define TEST10_224 \
4433 "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \
4434 "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \
4435 "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \
4436 "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \
4437 "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \
4438 "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \
4439 "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \
4440 "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \
4441 "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \
4442 "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \
4445 "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73"
4447 "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52"
4449 "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \
4450 "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \
4451 "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \
4452 "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \
4453 "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3"
4454 #define TEST10_256 \
4455 "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \
4456 "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \
4457 "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \
4458 "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \
4459 "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \
4460 "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \
4461 "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \
4462 "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \
4463 "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \
4464 "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \
4467 "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa"
4469 "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39"
4471 "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \
4472 "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \
4473 "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \
4474 "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \
4475 "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \
4476 "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \
4477 "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \
4478 "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \
4482 Eastlake 3rd & Hansen Informational [Page 80]
4484 RFC 4634 SHAs and HMAC-SHAs July 2006
4487 "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9"
4488 #define TEST10_384 \
4489 "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \
4490 "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \
4491 "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \
4492 "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \
4493 "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \
4494 "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \
4495 "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \
4496 "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \
4497 "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \
4498 "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \
4499 "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \
4500 "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \
4501 "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \
4502 "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \
4505 "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70"
4507 "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0"
4509 "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \
4510 "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \
4511 "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \
4512 "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \
4513 "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \
4514 "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \
4515 "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \
4516 "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \
4517 "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06"
4518 #define TEST10_512 \
4519 "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \
4520 "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \
4521 "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \
4522 "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \
4523 "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \
4524 "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \
4525 "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \
4526 "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \
4527 "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \
4528 "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \
4529 "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \
4530 "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \
4531 "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \
4532 "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \
4534 #define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \
4538 Eastlake 3rd & Hansen Informational [Page 81]
4540 RFC 4634 SHAs and HMAC-SHAs July 2006
4543 "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d"
4544 #define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \
4545 "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \
4547 #define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \
4548 "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \
4549 "\x27\x9c\x1c\xb0\xa7"
4550 #define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \
4551 "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \
4552 "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \
4553 "\xa4\x84\xbe\x74\x53"
4554 #define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \
4555 "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \
4556 "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \
4557 "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \
4558 "\x4b\x12\x27\x20\x39"
4560 #define TESTCOUNT 10
4562 #define RANDOMCOUNT 4
4563 #define HMACTESTCOUNT 7
4569 #define PRINTBASE64 4
4571 #define PRINTPASSFAIL 1
4574 #define length(x) (sizeof(x)-1)
4576 /* Test arrays for hashes. */
4579 SHAversion whichSha;
4582 const char *testarray;
4586 int numberExtrabits;
4587 const char *resultarray;
4589 const char *randomtest;
4590 const char *randomresults[RANDOMCOUNT];
4594 Eastlake 3rd & Hansen Informational [Page 82]
4596 RFC 4634 SHAs and HMAC-SHAs July 2006
4599 } hashes[HASHCOUNT] = {
4600 { "SHA1", SHA1, SHA1HashSize,
4602 /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
4603 "A9993E364706816ABA3E25717850C26C9CD0D89D" },
4604 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0,
4605 "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" },
4606 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
4607 "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" },
4608 /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
4609 "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" },
4610 /* 5 */ { "", 0, 0, 0x98, 5,
4611 "29826B003B906E660EFF4027CE98AF3531AC75BA" },
4612 /* 6 */ { "\x5e", 1, 1, 0, 0,
4613 "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" },
4614 /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3,
4615 "6239781E03729919C01955B3FFA8ACB60B988340" },
4616 /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0,
4617 "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" },
4618 /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3,
4619 "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" },
4620 /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0,
4621 "CB0082C8F197D260991BA6A460E76E202BAD27B3" }
4622 }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4",
4623 "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC",
4624 "DB1F9050BB863DFEF4CE37186044E2EEB17EE013",
4625 "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B"
4627 { "SHA224", SHA224, SHA224HashSize,
4629 /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
4630 "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" },
4631 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0,
4632 "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" },
4633 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
4634 "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" },
4635 /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
4636 "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" },
4637 /* 5 */ { "", 0, 0, 0x68, 5,
4638 "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" },
4639 /* 6 */ { "\x07", 1, 1, 0, 0,
4640 "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" },
4641 /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3,
4642 "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" },
4643 /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0,
4644 "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" },
4645 /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3,
4646 "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" },
4650 Eastlake 3rd & Hansen Informational [Page 83]
4652 RFC 4634 SHAs and HMAC-SHAs July 2006
4655 /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0,
4656 "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" }
4657 }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD"
4658 "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A"
4659 "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B"
4660 "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844"
4661 "709563FB916227FED598EB621F"
4663 { "SHA256", SHA256, SHA256HashSize,
4665 /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141"
4666 "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" },
4667 /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8"
4668 "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" },
4669 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92"
4670 "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" },
4671 /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA"
4672 "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" },
4673 /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE"
4674 "09DB45E7823EB5079CE7A573A3760F95" },
4675 /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D"
4676 "6A4E17F75F9518D843709C0C9BC3E3D4" },
4677 /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8"
4678 "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" },
4679 /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA"
4680 "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" },
4681 /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646"
4682 "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" },
4683 /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D"
4684 "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" },
4685 }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44"
4686 "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399"
4687 "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7"
4688 "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408"
4689 "E31536B70FF906EC51B00447CA97D7DD97C12411F4"
4691 { "SHA384", SHA384, SHA384HashSize,
4693 /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
4694 "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163"
4695 "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" },
4696 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0,
4697 "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2"
4698 "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" },
4699 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
4700 "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852"
4701 "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" },
4702 /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
4706 Eastlake 3rd & Hansen Informational [Page 84]
4708 RFC 4634 SHAs and HMAC-SHAs July 2006
4711 "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70"
4712 "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" },
4713 /* 5 */ { "", 0, 0, 0x10, 5,
4714 "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399"
4715 "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" },
4716 /* 6 */ { "\xb9", 1, 1, 0, 0,
4717 "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C"
4718 "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" },
4719 /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3,
4720 "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532"
4721 "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" },
4722 /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0,
4723 "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591"
4724 "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" },
4725 /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3,
4726 "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095"
4727 "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" },
4728 /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0,
4729 "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF"
4730 "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" }
4731 }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C"
4732 "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2"
4733 "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503"
4734 "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01"
4735 "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3"
4736 "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2"
4737 "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7"
4739 { "SHA512", SHA512, SHA512HashSize,
4741 /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
4742 "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2"
4743 "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD"
4744 "454D4423643CE80E2A9AC94FA54CA49F" },
4745 /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0,
4746 "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1"
4747 "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A"
4748 "C7D329EEB6DD26545E96E55B874BE909" },
4749 /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
4750 "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428"
4751 "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B"
4752 "EB009C5C2C49AA2E4EADB217AD8CC09B" },
4753 /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
4754 "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024"
4755 "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51"
4756 "0813A39CD5A84C4ACAA64D3F3FB7BAE9" },
4757 /* 5 */ { "", 0, 0, 0xB0, 5,
4758 "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0"
4762 Eastlake 3rd & Hansen Informational [Page 85]
4764 RFC 4634 SHAs and HMAC-SHAs July 2006
4767 "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2"
4768 "1B22A84CC03BF8CE4845F34DD5BDBAD4" },
4769 /* 6 */ { "\xD0", 1, 1, 0, 0,
4770 "9992202938E882E73E20F6B69E68A0A7149090423D93C81B"
4771 "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A"
4772 "D6E74CECE9631BFA8A549B4AB3FBBA15" },
4773 /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3,
4774 "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71"
4775 "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B"
4776 "7359B43E64F8BEC3C1F237119986BBB6" },
4777 /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0,
4778 "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD"
4779 "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398"
4780 "8213EB1B16F517AD0DE4B2F0C95C90F8" },
4781 /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3,
4782 "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6"
4783 "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2"
4784 "526F8A0A510E5E53CAFED4355FE7C2F1" },
4785 /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0,
4786 "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909"
4787 "C1A16A270D48719377966B957A878E720584779A62825C18"
4788 "DA26415E49A7176A894E7510FD1451F5" }
4789 }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3"
4790 "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576"
4791 "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5"
4792 "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2"
4793 "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B"
4794 "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B"
4795 "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D"
4796 "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877"
4797 "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F"
4802 /* Test arrays for HMAC. */
4804 const char *keyarray[5];
4806 const char *dataarray[5];
4808 const char *resultarray[5];
4809 int resultlength[5];
4810 } hmachashes[HMACTESTCOUNT] = {
4812 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
4813 "\x0b\x0b\x0b\x0b\x0b"
4818 Eastlake 3rd & Hansen Informational [Page 86]
4820 RFC 4634 SHAs and HMAC-SHAs July 2006
4823 "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */
4826 "B617318655057264E28BC0B6FB378C8EF146BE00",
4828 "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22",
4830 "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32"
4833 "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB"
4834 "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6",
4836 "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1"
4837 "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20"
4839 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
4840 SHA384HashSize, SHA512HashSize }
4843 "\x4a\x65\x66\x65" /* "Jefe" */
4845 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74"
4846 "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"
4847 /* "what do ya want for nothing?" */
4850 "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79",
4852 "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44",
4854 "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC"
4857 "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322"
4858 "445E8E2240CA5E69E2C78B3239ECFAB21649",
4860 "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25"
4861 "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A"
4863 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
4864 SHA384HashSize, SHA512HashSize }
4868 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4869 "\xaa\xaa\xaa\xaa\xaa"
4874 Eastlake 3rd & Hansen Informational [Page 87]
4876 RFC 4634 SHAs and HMAC-SHAs July 2006
4879 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
4880 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
4881 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
4882 "\xdd\xdd\xdd\xdd\xdd"
4885 "125D7342B9AC11CD91A39AF48AA17B4F63F175D3",
4887 "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA",
4889 "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5"
4892 "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966"
4893 "144B2A5AB39DC13814B94E3AB6E101A34F27",
4895 "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227"
4896 "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859"
4898 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
4899 SHA384HashSize, SHA512HashSize }
4902 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
4903 "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"
4905 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
4906 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
4907 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
4908 "\xcd\xcd\xcd\xcd\xcd"
4911 "4C9007F4026250C6BC8414F9BF50C86C2D7235DA",
4913 "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A",
4915 "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729"
4918 "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57"
4919 "3B4E6801DD23C4A7D679CCF8A386C674CFFB",
4921 "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E"
4922 "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB"
4924 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
4925 SHA384HashSize, SHA512HashSize }
4930 Eastlake 3rd & Hansen Informational [Page 88]
4932 RFC 4634 SHAs and HMAC-SHAs July 2006
4936 "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
4937 "\x0c\x0c\x0c\x0c\x0c"
4939 "Test With Truncation"
4942 "4C1A03424B55E07FE7F27BE1",
4944 "0E2AEA68A90C8D37C988BCDB9FCA6FA8",
4946 "A3B6167473100EE06E0C796C2955552B",
4948 "3ABF34C3503B2A23A46EFC619BAEF897",
4950 "415FAD6271580A531D4179BC891D87A6"
4951 }, { 12, 16, 16, 16, 16 }
4954 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4955 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4956 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4957 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4958 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4959 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4960 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4961 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4962 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4964 "Test Using Larger Than Block-Size Key - Hash Key First"
4967 "AA4AE5E15272D00E95705637CE8A3B55ED402112",
4969 "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E",
4971 "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3"
4974 "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A"
4975 "C4C60C2EF6AB4030FE8296248DF163F44952",
4977 "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8"
4978 "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98"
4980 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
4981 SHA384HashSize, SHA512HashSize }
4986 Eastlake 3rd & Hansen Informational [Page 89]
4988 RFC 4634 SHAs and HMAC-SHAs July 2006
4992 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4993 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4994 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4995 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4996 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4997 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4998 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
4999 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
5000 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
5002 "Test Using Larger Than Block-Size Key and "
5003 "Larger Than One Block-Size Data",
5004 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20"
5005 "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
5006 "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65"
5007 "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
5008 "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73"
5009 "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
5010 "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20"
5011 "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
5012 "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68"
5013 "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
5015 /* "This is a test using a larger than block-size key and a "
5016 "larger than block-size data. The key needs to be hashed "
5017 "before being used by the HMAC algorithm." */
5020 "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91",
5022 "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1",
5024 "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A"
5027 "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E"
5028 "99C5A678CC31E799176D3860E6110C46523E",
5030 "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD"
5031 "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440"
5033 }, { SHA1HashSize, SHA224HashSize, SHA256HashSize,
5034 SHA384HashSize, SHA512HashSize }
5042 Eastlake 3rd & Hansen Informational [Page 90]
5044 RFC 4634 SHAs and HMAC-SHAs July 2006
5047 * Check the hash value against the expected string, expressed in hex
5049 static const char hexdigits[] = "0123456789ABCDEF";
5050 int checkmatch(const unsigned char *hashvalue,
5051 const char *hexstr, int hashsize)
5054 for (i = 0; i < hashsize; ++i) {
5055 if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF])
5057 if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0;
5063 * Print the string, converting non-printable characters to "."
5065 void printstr(const char *str, int len)
5067 for ( ; len-- > 0; str++)
5068 putchar(isprint((unsigned char)*str) ? *str : '.');
5072 * Print the string, converting non-printable characters to hex "## ".
5074 void printxstr(const char *str, int len)
5076 for ( ; len-- > 0; str++)
5077 printf("%c%c ", hexdigits[(*str >> 4) & 0xF],
5078 hexdigits[*str & 0xF]);
5082 * Print a usage message.
5084 void usage(const char *argv0)
5088 "Common options: [-h hash] [-w|-x] [-H]\n"
5090 "\t%s [-m] [-l loopcount] [-t test#] [-e]\n"
5091 "\t\t[-r randomseed] [-R randomloop-count] "
5094 "\t%s [-S expectedresult] -s hashstr [-k key]\n"
5098 Eastlake 3rd & Hansen Informational [Page 91]
5100 RFC 4634 SHAs and HMAC-SHAs July 2006
5104 "\t%s [-S expectedresult] -f file [-k key]\n"
5105 "Hash a file, ignoring whitespace:\n"
5106 "\t%s [-S expectedresult] -F file [-k key]\n"
5107 "Additional bits to add in: [-B bitcount -b bits]\n"
5108 "-h\thash to test: "
5109 "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n"
5110 "-m\tperform hmac test\n"
5111 "-k\tkey for hmac test\n"
5112 "-t\ttest case to run, 1-10\n"
5113 "-l\thow many times to run the test\n"
5114 "-e\ttest error returns\n"
5115 "-p\tdo not print results\n"
5116 "-P\tdo not print PASSED/FAILED\n"
5117 "-X\tprint FAILED, but not PASSED\n"
5118 "-r\tseed for random test\n"
5119 "-R\thow many times to run random test\n"
5120 "-s\tstring to hash\n"
5121 "-S\texpected result of hashed string, in hex\n"
5122 "-w\toutput hash in raw format\n"
5123 "-x\toutput hash in hex format\n"
5124 "-B\t# extra bits to add in after string or file input\n"
5125 "-b\textra bits to add (high order bits of #, 0# or 0x#)\n"
5126 "-H\tinput hashstr or randomseed is in hex\n"
5127 , argv0, argv0, argv0, argv0);
5132 * Print the results and PASS/FAIL.
5134 void printResult(uint8_t *Message_Digest, int hashsize,
5135 const char *hashname, const char *testtype, const char *testname,
5136 const char *resultarray, int printResults, int printPassFail)
5139 if (printResults == PRINTTEXT) {
5141 for (i = 0; i < hashsize ; ++i) {
5142 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]);
5143 putchar(hexdigits[Message_Digest[i] & 0xF]);
5147 } else if (printResults == PRINTRAW) {
5148 fwrite(Message_Digest, 1, hashsize, stdout);
5149 } else if (printResults == PRINTHEX) {
5150 for (i = 0; i < hashsize ; ++i) {
5154 Eastlake 3rd & Hansen Informational [Page 92]
5156 RFC 4634 SHAs and HMAC-SHAs July 2006
5159 putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]);
5160 putchar(hexdigits[Message_Digest[i] & 0xF]);
5165 if (printResults && resultarray) {
5166 printf(" Should match:\n\t");
5167 for (i = 0, k = 0; i < hashsize; i++, k += 2) {
5168 putchar(resultarray[k]);
5169 putchar(resultarray[k+1]);
5175 if (printPassFail && resultarray) {
5176 int ret = checkmatch(Message_Digest, resultarray, hashsize);
5177 if ((printPassFail == PRINTPASSFAIL) || !ret)
5178 printf("%s %s %s: %s\n", hashname, testtype, testname,
5179 ret ? "PASSED" : "FAILED");
5184 * Exercise a hash series of functions. The input is the testarray,
5185 * repeated repeatcount times, followed by the extrabits. If the
5186 * result is known, it is in resultarray in uppercase hex.
5188 int hash(int testno, int loopno, int hashno,
5189 const char *testarray, int length, long repeatcount,
5190 int numberExtrabits, int extrabits, const unsigned char *keyarray,
5191 int keylen, const char *resultarray, int hashsize, int printResults,
5197 uint8_t Message_Digest[USHAMaxHashSize];
5200 if (printResults == PRINTTEXT) {
5201 printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1,
5202 loopno, repeatcount);
5203 printstr(testarray, length);
5205 printxstr(testarray, length);
5210 Eastlake 3rd & Hansen Informational [Page 93]
5212 RFC 4634 SHAs and HMAC-SHAs July 2006
5215 printf(" Length=%d bytes (%d bits), ", length, length * 8);
5216 printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits);
5219 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */
5220 memset(&hmac, '\343', sizeof(hmac));
5221 err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha,
5223 USHAReset(&sha, hashes[hashno].whichSha);
5224 if (err != shaSuccess) {
5225 fprintf(stderr, "hash(): %sReset Error %d.\n",
5226 keyarray ? "hmac" : "sha", err);
5230 for (i = 0; i < repeatcount; ++i) {
5231 err = keyarray ? hmacInput(&hmac, (const uint8_t *) testarray,
5233 USHAInput(&sha, (const uint8_t *) testarray,
5235 if (err != shaSuccess) {
5236 fprintf(stderr, "hash(): %sInput Error %d.\n",
5237 keyarray ? "hmac" : "sha", err);
5242 if (numberExtrabits > 0) {
5243 err = keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits,
5245 USHAFinalBits(&sha, (uint8_t) extrabits,
5247 if (err != shaSuccess) {
5248 fprintf(stderr, "hash(): %sFinalBits Error %d.\n",
5249 keyarray ? "hmac" : "sha", err);
5254 err = keyarray ? hmacResult(&hmac, Message_Digest) :
5255 USHAResult(&sha, Message_Digest);
5256 if (err != shaSuccess) {
5257 fprintf(stderr, "hash(): %s Result Error %d, could not "
5258 "compute message digest.\n", keyarray ? "hmac" : "sha", err);
5262 sprintf(buf, "%d", testno+1);
5266 Eastlake 3rd & Hansen Informational [Page 94]
5268 RFC 4634 SHAs and HMAC-SHAs July 2006
5271 printResult(Message_Digest, hashsize, hashes[hashno].name,
5272 keyarray ? "hmac standard test" : "sha standard test", buf,
5273 resultarray, printResults, printPassFail);
5279 * Exercise a hash series of functions. The input is a filename.
5280 * If the result is known, it is in resultarray in uppercase hex.
5282 int hashfile(int hashno, const char *hashfilename, int bits,
5283 int bitcount, int skipSpaces, const unsigned char *keyarray,
5284 int keylen, const char *resultarray, int hashsize,
5285 int printResults, int printPassFail)
5290 unsigned char buf[4096];
5291 uint8_t Message_Digest[USHAMaxHashSize];
5293 FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin :
5294 fopen(hashfilename, "r");
5297 fprintf(stderr, "cannot open file '%s'\n", hashfilename);
5298 return shaStateError;
5301 memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */
5302 memset(&hmac, '\343', sizeof(hmac));
5303 err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha,
5305 USHAReset(&sha, hashes[hashno].whichSha);
5307 if (err != shaSuccess) {
5308 fprintf(stderr, "hashfile(): %sReset Error %d.\n",
5309 keyarray ? "hmac" : "sha", err);
5314 while ((c = getc(hashfp)) != EOF) {
5316 cc = (unsigned char)c;
5317 err = keyarray ? hmacInput(&hmac, &cc, 1) :
5318 USHAInput(&sha, &cc, 1);
5322 Eastlake 3rd & Hansen Informational [Page 95]
5324 RFC 4634 SHAs and HMAC-SHAs July 2006
5327 if (err != shaSuccess) {
5328 fprintf(stderr, "hashfile(): %sInput Error %d.\n",
5329 keyarray ? "hmac" : "sha", err);
5330 if (hashfp != stdin) fclose(hashfp);
5336 while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) {
5337 err = keyarray ? hmacInput(&hmac, buf, nread) :
5338 USHAInput(&sha, buf, nread);
5339 if (err != shaSuccess) {
5340 fprintf(stderr, "hashfile(): %s Error %d.\n",
5341 keyarray ? "hmacInput" : "shaInput", err);
5342 if (hashfp != stdin) fclose(hashfp);
5348 err = keyarray ? hmacFinalBits(&hmac, bits, bitcount) :
5349 USHAFinalBits(&sha, bits, bitcount);
5350 if (err != shaSuccess) {
5351 fprintf(stderr, "hashfile(): %s Error %d.\n",
5352 keyarray ? "hmacResult" : "shaResult", err);
5353 if (hashfp != stdin) fclose(hashfp);
5357 err = keyarray ? hmacResult(&hmac, Message_Digest) :
5358 USHAResult(&sha, Message_Digest);
5359 if (err != shaSuccess) {
5360 fprintf(stderr, "hashfile(): %s Error %d.\n",
5361 keyarray ? "hmacResult" : "shaResult", err);
5362 if (hashfp != stdin) fclose(hashfp);
5366 printResult(Message_Digest, hashsize, hashes[hashno].name, "file",
5367 hashfilename, resultarray, printResults, printPassFail);
5369 if (hashfp != stdin) fclose(hashfp);
5374 * Exercise a hash series of functions through multiple permutations.
5378 Eastlake 3rd & Hansen Informational [Page 96]
5380 RFC 4634 SHAs and HMAC-SHAs July 2006
5383 * The input is an initial seed. That seed is replicated 3 times.
5384 * For 1000 rounds, the previous three results are used as the input.
5385 * This result is then checked, and used to seed the next cycle.
5386 * If the result is known, it is in resultarrays in uppercase hex.
5388 void randomtest(int hashno, const char *seed, int hashsize,
5389 const char **resultarrays, int randomcount,
5390 int printResults, int printPassFail)
5392 int i, j; char buf[20];
5393 unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize];
5395 /* INPUT: Seed - A random seed n bits long */
5396 memcpy(SEED, seed, hashsize);
5397 if (printResults == PRINTTEXT) {
5398 printf("%s random test seed= '", hashes[hashno].name);
5399 printxstr(seed, hashsize);
5403 for (j = 0; j < randomcount; j++) {
5404 /* MD0 = MD1 = MD2 = Seed; */
5405 memcpy(MD[0], SEED, hashsize);
5406 memcpy(MD[1], SEED, hashsize);
5407 memcpy(MD[2], SEED, hashsize);
5408 for (i=3; i<1003; i++) {
5409 /* Mi = MDi-3 || MDi-2 || MDi-1; */
5411 memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */
5412 USHAReset(&Mi, hashes[hashno].whichSha);
5413 USHAInput(&Mi, MD[i-3], hashsize);
5414 USHAInput(&Mi, MD[i-2], hashsize);
5415 USHAInput(&Mi, MD[i-1], hashsize);
5416 /* MDi = SHA(Mi); */
5417 USHAResult(&Mi, MD[i]);
5420 /* MDj = Seed = MDi; */
5421 memcpy(SEED, MD[i-1], hashsize);
5424 sprintf(buf, "%d", j);
5425 printResult(SEED, hashsize, hashes[hashno].name, "random test",
5426 buf, resultarrays ? resultarrays[j] : 0, printResults,
5427 (j < RANDOMCOUNT) ? printPassFail : 0);
5434 Eastlake 3rd & Hansen Informational [Page 97]
5436 RFC 4634 SHAs and HMAC-SHAs July 2006
5440 * Look up a hash name.
5442 int findhash(const char *argv0, const char *opt)
5445 const char *names[HASHCOUNT][2] = {
5446 { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" },
5447 { "3", "sha384" }, { "4", "sha512" }
5450 for (i = 0; i < HASHCOUNT; i++)
5451 if ((strcmp(opt, names[i][0]) == 0) ||
5452 (scasecmp(opt, names[i][1]) == 0))
5455 fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt);
5461 * Run some tests that should invoke errors.
5463 void testErrors(int hashnolow, int hashnohigh, int printResults,
5467 uint8_t Message_Digest[USHAMaxHashSize];
5470 for (hashno = hashnolow; hashno <= hashnohigh; hashno++) {
5471 memset(&usha, '\343', sizeof(usha)); /* force bad data */
5472 USHAReset(&usha, hashno);
5473 USHAResult(&usha, Message_Digest);
5474 err = USHAInput(&usha, (const unsigned char *)"foo", 3);
5475 if (printResults == PRINTTEXT)
5476 printf ("\nError %d. Should be %d.\n", err, shaStateError);
5477 if ((printPassFail == PRINTPASSFAIL) ||
5478 ((printPassFail == PRINTFAIL) && (err != shaStateError)))
5479 printf("%s se: %s\n", hashes[hashno].name,
5480 (err == shaStateError) ? "PASSED" : "FAILED");
5482 err = USHAFinalBits(&usha, 0x80, 3);
5483 if (printResults == PRINTTEXT)
5484 printf ("\nError %d. Should be %d.\n", err, shaStateError);
5485 if ((printPassFail == PRINTPASSFAIL) ||
5486 ((printPassFail == PRINTFAIL) && (err != shaStateError)))
5490 Eastlake 3rd & Hansen Informational [Page 98]
5492 RFC 4634 SHAs and HMAC-SHAs July 2006
5495 printf("%s se: %s\n", hashes[hashno].name,
5496 (err == shaStateError) ? "PASSED" : "FAILED");
5498 err = USHAReset(0, hashes[hashno].whichSha);
5499 if (printResults == PRINTTEXT)
5500 printf("\nError %d. Should be %d.\n", err, shaNull);
5501 if ((printPassFail == PRINTPASSFAIL) ||
5502 ((printPassFail == PRINTFAIL) && (err != shaNull)))
5503 printf("%s usha null: %s\n", hashes[hashno].name,
5504 (err == shaNull) ? "PASSED" : "FAILED");
5507 case SHA1: err = SHA1Reset(0); break;
5508 case SHA224: err = SHA224Reset(0); break;
5509 case SHA256: err = SHA256Reset(0); break;
5510 case SHA384: err = SHA384Reset(0); break;
5511 case SHA512: err = SHA512Reset(0); break;
5513 if (printResults == PRINTTEXT)
5514 printf("\nError %d. Should be %d.\n", err, shaNull);
5515 if ((printPassFail == PRINTPASSFAIL) ||
5516 ((printPassFail == PRINTFAIL) && (err != shaNull)))
5517 printf("%s sha null: %s\n", hashes[hashno].name,
5518 (err == shaNull) ? "PASSED" : "FAILED");
5522 /* replace a hex string in place with its value */
5523 int unhexStr(char *hexstr)
5526 int len = 0, nibble1 = 0, nibble2 = 0;
5527 if (!hexstr) return 0;
5528 for ( ; *hexstr; hexstr++) {
5529 if (isalpha((int)(unsigned char)(*hexstr))) {
5530 nibble1 = tolower(*hexstr) - 'a' + 10;
5531 } else if (isdigit((int)(unsigned char)(*hexstr))) {
5532 nibble1 = *hexstr - '0';
5534 printf("\nError: bad hex character '%c'\n", *hexstr);
5536 if (!*++hexstr) break;
5537 if (isalpha((int)(unsigned char)(*hexstr))) {
5538 nibble2 = tolower(*hexstr) - 'a' + 10;
5539 } else if (isdigit((int)(unsigned char)(*hexstr))) {
5540 nibble2 = *hexstr - '0';
5542 printf("\nError: bad hex character '%c'\n", *hexstr);
5546 Eastlake 3rd & Hansen Informational [Page 99]
5548 RFC 4634 SHAs and HMAC-SHAs July 2006
5552 *o++ = (char)((nibble1 << 4) | nibble2);
5558 int main(int argc, char **argv)
5561 int loopno, loopnohigh = 1;
5562 int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1;
5563 int testno, testnolow = 0, testnohigh;
5564 int ntestnohigh = 0;
5565 int printResults = PRINTTEXT;
5566 int printPassFail = 1;
5567 int checkErrors = 0;
5570 const char *resultstr = 0;
5571 char *randomseedstr = 0;
5572 int runHmacTests = 0;
5575 int randomcount = RANDOMCOUNT;
5576 const char *hashfilename = 0;
5577 const char *hashFilename = 0;
5578 int extrabits = 0, numberExtrabits = 0;
5581 while ((i = xgetopt(argc, argv, "b:B:ef:F:h:Hk:l:mpPr:R:s:S:t:wxX"))
5584 case 'b': extrabits = strtol(xoptarg, 0, 0); break;
5585 case 'B': numberExtrabits = atoi(xoptarg); break;
5586 case 'e': checkErrors = 1; break;
5587 case 'f': hashfilename = xoptarg; break;
5588 case 'F': hashFilename = xoptarg; break;
5589 case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg);
5591 case 'H': strIsHex = 1; break;
5592 case 'k': hmacKey = xoptarg; hmaclen = strlen(xoptarg); break;
5593 case 'l': loopnohigh = atoi(xoptarg); break;
5594 case 'm': runHmacTests = 1; break;
5595 case 'P': printPassFail = 0; break;
5596 case 'p': printResults = PRINTNONE; break;
5597 case 'R': randomcount = atoi(xoptarg); break;
5598 case 'r': randomseedstr = xoptarg; break;
5602 Eastlake 3rd & Hansen Informational [Page 100]
5604 RFC 4634 SHAs and HMAC-SHAs July 2006
5607 case 's': hashstr = xoptarg; hashlen = strlen(hashstr); break;
5608 case 'S': resultstr = xoptarg; break;
5609 case 't': testnolow = ntestnohigh = atoi(xoptarg) - 1; break;
5610 case 'w': printResults = PRINTRAW; break;
5611 case 'x': printResults = PRINTHEX; break;
5612 case 'X': printPassFail = 2; break;
5613 default: usage(argv[0]);
5617 hashlen = unhexStr(hashstr);
5618 unhexStr(randomseedstr);
5619 hmaclen = unhexStr(hmacKey);
5621 testnohigh = (ntestnohigh != 0) ? ntestnohigh:
5622 runHmacTests ? (HMACTESTCOUNT-1) : (TESTCOUNT-1);
5623 if ((testnolow < 0) ||
5624 (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) ||
5625 (hashnolow < 0) || (hashnohigh >= HASHCOUNT) ||
5626 (hashstr && (testnolow == testnohigh)) ||
5627 (randomcount < 0) ||
5628 (resultstr && (!hashstr && !hashfilename && !hashFilename)) ||
5629 ((runHmacTests || hmacKey) && randomseedstr) ||
5630 (hashfilename && hashFilename))
5634 * Perform SHA/HMAC tests
5636 for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) {
5637 if (printResults == PRINTTEXT)
5638 printf("Hash %s\n", hashes[hashno].name);
5641 for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess);
5644 err = hash(0, loopno, hashno, hashstr, hashlen, 1,
5645 numberExtrabits, extrabits, (const unsigned char *)hmacKey,
5646 hmaclen, resultstr, hashes[hashno].hashsize, printResults,
5649 else if (randomseedstr)
5650 randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0,
5651 randomcount, printResults, printPassFail);
5653 else if (hashfilename)
5654 err = hashfile(hashno, hashfilename, extrabits,
5658 Eastlake 3rd & Hansen Informational [Page 101]
5660 RFC 4634 SHAs and HMAC-SHAs July 2006
5664 (const unsigned char *)hmacKey, hmaclen,
5665 resultstr, hashes[hashno].hashsize,
5666 printResults, printPassFail);
5668 else if (hashFilename)
5669 err = hashfile(hashno, hashFilename, extrabits,
5671 (const unsigned char *)hmacKey, hmaclen,
5672 resultstr, hashes[hashno].hashsize,
5673 printResults, printPassFail);
5675 else /* standard tests */ {
5676 for (testno = testnolow;
5677 (testno <= testnohigh) && (err == shaSuccess); ++testno) {
5679 err = hash(testno, loopno, hashno,
5680 hmachashes[testno].dataarray[hashno] ?
5681 hmachashes[testno].dataarray[hashno] :
5682 hmachashes[testno].dataarray[1] ?
5683 hmachashes[testno].dataarray[1] :
5684 hmachashes[testno].dataarray[0],
5685 hmachashes[testno].datalength[hashno] ?
5686 hmachashes[testno].datalength[hashno] :
5687 hmachashes[testno].datalength[1] ?
5688 hmachashes[testno].datalength[1] :
5689 hmachashes[testno].datalength[0],
5691 (const unsigned char *)(
5692 hmachashes[testno].keyarray[hashno] ?
5693 hmachashes[testno].keyarray[hashno] :
5694 hmachashes[testno].keyarray[1] ?
5695 hmachashes[testno].keyarray[1] :
5696 hmachashes[testno].keyarray[0]),
5697 hmachashes[testno].keylength[hashno] ?
5698 hmachashes[testno].keylength[hashno] :
5699 hmachashes[testno].keylength[1] ?
5700 hmachashes[testno].keylength[1] :
5701 hmachashes[testno].keylength[0],
5702 hmachashes[testno].resultarray[hashno],
5703 hmachashes[testno].resultlength[hashno],
5704 printResults, printPassFail);
5706 err = hash(testno, loopno, hashno,
5707 hashes[hashno].tests[testno].testarray,
5708 hashes[hashno].tests[testno].length,
5709 hashes[hashno].tests[testno].repeatcount,
5710 hashes[hashno].tests[testno].numberExtrabits,
5714 Eastlake 3rd & Hansen Informational [Page 102]
5716 RFC 4634 SHAs and HMAC-SHAs July 2006
5719 hashes[hashno].tests[testno].extrabits, 0, 0,
5720 hashes[hashno].tests[testno].resultarray,
5721 hashes[hashno].hashsize,
5722 printResults, printPassFail);
5726 if (!runHmacTests) {
5727 randomtest(hashno, hashes[hashno].randomtest,
5728 hashes[hashno].hashsize, hashes[hashno].randomresults,
5729 RANDOMCOUNT, printResults, printPassFail);
5735 /* Test some error returns */
5737 testErrors(hashnolow, hashnohigh, printResults, printPassFail);
5744 * Compare two strings, case independently.
5745 * Equivalent to strcasecmp() found on some systems.
5747 int scasecmp(const char *s1, const char *s2)
5750 char u1 = tolower(*s1++);
5751 char u2 = tolower(*s2++);
5760 * This is a copy of getopt provided for those systems that do not
5761 * have it. The name was changed to xgetopt to not conflict on those
5762 * systems that do have it. Similarly, optarg, optind and opterr
5763 * were renamed to xoptarg, xoptind and xopterr.
5765 * Copyright 1990, 1991, 1992 by the Massachusetts Institute of
5766 * Technology and UniSoft Group Limited.
5770 Eastlake 3rd & Hansen Informational [Page 103]
5772 RFC 4634 SHAs and HMAC-SHAs July 2006
5776 * Permission to use, copy, modify, distribute, and sell this software
5777 * and its documentation for any purpose is hereby granted without fee,
5778 * provided that the above copyright notice appear in all copies and
5779 * that both that copyright notice and this permission notice appear in
5780 * supporting documentation, and that the names of MIT and UniSoft not
5781 * be used in advertising or publicity pertaining to distribution of
5782 * the software without specific, written prior permission. MIT and
5783 * UniSoft make no representations about the suitability of this
5784 * software for any purpose. It is provided "as is" without express
5785 * or implied warranty.
5787 * $XConsortium: getopt.c,v 1.2 92/07/01 11:59:04 rws Exp $
5788 * NB: Reformatted to match above style.
5795 static int xgetopt(int argc, char **argv, const char *optstring)
5802 if (xoptind >= argc)
5805 ap = argv[xoptind] + avplace;
5807 /* At beginning of arg but not an option */
5811 else if (ap[1] == '-') {
5812 /* Special end of options option */
5815 } else if (ap[1] == '\0')
5816 return EOF; /* single '-' is not allowed */
5819 /* Get next letter */
5826 Eastlake 3rd & Hansen Informational [Page 104]
5828 RFC 4634 SHAs and HMAC-SHAs July 2006
5831 cp = strchr(optstring, c);
5832 if (cp == NULL || c == ':') {
5834 fprintf(stderr, "Unrecognised option -- %c\n", c);
5839 /* There should be an option arg */
5841 if (ap[1] == '\0') {
5842 /* It is a separate arg */
5843 if (++xoptind >= argc) {
5845 fprintf(stderr, "Option requires an argument\n");
5848 xoptarg = argv[xoptind++];
5850 /* is attached to option letter */
5855 /* If we are out of letters then go to next arg */
5856 if (ap[1] == '\0') {
5882 Eastlake 3rd & Hansen Informational [Page 105]
5884 RFC 4634 SHAs and HMAC-SHAs July 2006
5887 9. Security Considerations
5889 This document is intended to provides the Internet community
5890 convenient access to source code that implements the United States of
5891 America Federal Information Processing Standard Secure Hash
5892 Algorithms (SHAs) [FIPS180-2] and HMACs based upon these one-way hash
5893 functions. See license in Section 1.1. No independent assertion of
5894 the security of this hash function by the authors for any particular
5897 10. Normative References
5899 [FIPS180-2] "Secure Hash Standard", United States of America,
5900 National Institute of Standards and Technology, Federal
5901 Information Processing Standard (FIPS) 180-2,
5902 http://csrc.nist.gov/publications/fips/fips180-2/
5903 fips180-2withchangenotice.pdf.
5905 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
5906 Hashing for Message Authentication", RFC 2104, February
5909 11. Informative References
5911 [RFC2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and
5912 HMAC-SHA-1", RFC 2202, September 1997.
5914 [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
5915 1 (SHA1)", RFC 3174, September 2001.
5917 [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224",
5918 RFC 3874, September 2004.
5920 [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
5921 "Randomness Requirements for Security", BCP 106, RFC
5924 [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
5925 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC
5926 4231, December 2005.
5928 [SHAVS] "The Secure Hash Algorithm Validation System (SHAVS)",
5929 http://csrc.nist.gov/cryptval/shs/SHAVS.pdf.
5938 Eastlake 3rd & Hansen Informational [Page 106]
5940 RFC 4634 SHAs and HMAC-SHAs July 2006
5945 Donald E. Eastlake, 3rd
5946 Motorola Laboratories
5948 Milford, MA 01757 USA
5950 Phone: +1-508-786-7554 (w)
5951 EMail: donald.eastlake@motorola.com
5957 Middletown, NJ 07748 USA
5959 Phone: +1-732-420-8934 (w)
5960 EMail: tony+shs@maillennium.att.com
5994 Eastlake 3rd & Hansen Informational [Page 107]
5996 RFC 4634 SHAs and HMAC-SHAs July 2006
5999 Full Copyright Statement
6001 Copyright (C) The Internet Society (2006).
6003 This document is subject to the rights, licenses and restrictions
6004 contained in BCP 78, and except as set forth therein, the authors
6005 retain all their rights.
6007 This document and the information contained herein are provided on an
6008 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
6009 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
6010 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
6011 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
6012 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
6013 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
6015 Intellectual Property
6017 The IETF takes no position regarding the validity or scope of any
6018 Intellectual Property Rights or other rights that might be claimed to
6019 pertain to the implementation or use of the technology described in
6020 this document or the extent to which any license under such rights
6021 might or might not be available; nor does it represent that it has
6022 made any independent effort to identify any such rights. Information
6023 on the procedures with respect to rights in RFC documents can be
6024 found in BCP 78 and BCP 79.
6026 Copies of IPR disclosures made to the IETF Secretariat and any
6027 assurances of licenses to be made available, or the result of an
6028 attempt made to obtain a general license or permission for the use of
6029 such proprietary rights by implementers or users of this
6030 specification can be obtained from the IETF on-line IPR repository at
6031 http://www.ietf.org/ipr.
6033 The IETF invites any interested party to bring to its attention any
6034 copyrights, patents or patent applications, or other proprietary
6035 rights that may cover technology that may be required to implement
6036 this standard. Please address the information to the IETF at
6041 Funding for the RFC Editor function is provided by the IETF
6042 Administrative Support Activity (IASA).
6050 Eastlake 3rd & Hansen Informational [Page 108]
projects / FreeBSD / releng / 7.2.git / blob