From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3174.txt | 1235 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1235 insertions(+) create mode 100644 doc/rfc/rfc3174.txt (limited to 'doc/rfc/rfc3174.txt') diff --git a/doc/rfc/rfc3174.txt b/doc/rfc/rfc3174.txt new file mode 100644 index 0000000..ebe515d --- /dev/null +++ b/doc/rfc/rfc3174.txt @@ -0,0 +1,1235 @@ + + + + + + +Network Working Group D. Eastlake, 3rd +Request for Comments: 3174 Motorola +Category: Informational P. Jones + Cisco Systems + September 2001 + + + US Secure Hash Algorithm 1 (SHA1) + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2001). All Rights Reserved. + +Abstract + + The purpose of this document is to make the SHA-1 (Secure Hash + Algorithm 1) hash algorithm conveniently available to the Internet + community. The United States of America has adopted the SHA-1 hash + algorithm described herein as a Federal Information Processing + Standard. Most of the text herein was taken by the authors from FIPS + 180-1. Only the C code implementation is "original". + +Acknowledgements + + Most of the text herein was taken from [FIPS 180-1]. Only the C code + implementation is "original" but its style is similar to the + previously published MD4 and MD5 RFCs [RFCs 1320, 1321]. + + The SHA-1 is based on principles similar to those used by Professor + Ronald L. Rivest of MIT when designing the MD4 message digest + algorithm [MD4] and is modeled after that algorithm [RFC 1320]. + + Useful comments from the following, which have been incorporated + herein, are gratefully acknowledged: + + Tony Hansen + Garrett Wollman + + + + + + + + +Eastlake & Jones Informational [Page 1] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +Table of Contents + + 1. Overview of Contents........................................... 2 + 2. Definitions of Bit Strings and Integers........................ 3 + 3. Operations on Words............................................ 3 + 4. Message Padding................................................ 4 + 5. Functions and Constants Used................................... 6 + 6. Computing the Message Digest................................... 6 + 6.1 Method 1...................................................... 6 + 6.2 Method 2...................................................... 7 + 7. C Code......................................................... 8 + 7.1 .h file....................................................... 8 + 7.2 .c file....................................................... 10 + 7.3 Test Driver................................................... 18 + 8. Security Considerations........................................ 20 + References........................................................ 21 + Authors' Addresses................................................ 21 + Full Copyright Statement.......................................... 22 + +1. Overview of Contents + + NOTE: The text below is mostly taken from [FIPS 180-1] and assertions + therein of the security of SHA-1 are made by the US Government, the + author of [FIPS 180-1], and not by the authors of this document. + + This document specifies a Secure Hash Algorithm, SHA-1, for computing + a condensed representation of a message or a data file. When a + message of any length < 2^64 bits is input, the SHA-1 produces a + 160-bit output called a message digest. The message digest can then, + for example, be input to a signature algorithm which generates or + verifies the signature for the message. Signing the message digest + rather than the message often improves the efficiency of the process + because the message digest is usually much smaller in size than the + message. The same hash algorithm must be used by the verifier of a + digital signature as was used by the creator of the digital + signature. Any change to the message in transit will, with very high + probability, result in a different message digest, and the signature + will fail to verify. + + The SHA-1 is called secure because it is computationally infeasible + to find a message which corresponds to a given message digest, or to + find two different messages which produce the same message digest. + Any change to a message in transit will, with very high probability, + result in a different message digest, and the signature will fail to + verify. + + + + + + +Eastlake & Jones Informational [Page 2] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + Section 2 below defines the terminology and functions used as + building blocks to form SHA-1. + +2. Definitions of Bit Strings and Integers + + The following terminology related to bit strings and integers will be + used: + + a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. + A hex digit is the representation of a 4-bit string. Examples: 7 + = 0111, A = 1010. + + b. A word equals a 32-bit string which may be represented as a + sequence of 8 hex digits. To convert a word to 8 hex digits each + 4-bit string is converted to its hex equivalent as described in + (a) above. Example: + + 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. + + c. An integer between 0 and 2^32 - 1 inclusive may be represented as + a word. The least significant four bits of the integer are + represented by the right-most hex digit of the word + representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = + 256+32+2+1 is represented by the hex word, 00000123. + + If z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 <= + x < 2^32 and 0 <= y < 2^32. Since x and y can be represented as + words X and Y, respectively, z can be represented as the pair of + words (X,Y). + + d. block = 512-bit string. A block (e.g., B) may be represented as a + sequence of 16 words. + +3. Operations on Words + + The following logical operators will be applied to words: + + a. Bitwise logical word operations + + X AND Y = bitwise logical "and" of X and Y. + + X OR Y = bitwise logical "inclusive-or" of X and Y. + + X XOR Y = bitwise logical "exclusive-or" of X and Y. + + NOT X = bitwise logical "complement" of X. + + + + + +Eastlake & Jones Informational [Page 3] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + Example: + + 01101100101110011101001001111011 + XOR 01100101110000010110100110110111 + -------------------------------- + = 00001001011110001011101111001100 + + b. The operation X + Y is defined as follows: words X and Y + represent integers x and y, where 0 <= x < 2^32 and 0 <= y < 2^32. + For positive integers n and m, let n mod m be the remainder upon + dividing n by m. Compute + + z = (x + y) mod 2^32. + + Then 0 <= z < 2^32. Convert z to a word, Z, and define Z = X + + Y. + + c. The circular left shift operation S^n(X), where X is a word and n + is an integer with 0 <= n < 32, is defined by + + S^n(X) = (X << n) OR (X >> 32-n). + + In the above, X << n is obtained as follows: discard the left-most + n bits of X and then pad the result with n zeroes on the right + (the result will still be 32 bits). X >> n is obtained by + discarding the right-most n bits of X and then padding the result + with n zeroes on the left. Thus S^n(X) is equivalent to a + circular shift of X by n positions to the left. + +4. Message Padding + + SHA-1 is used to compute a message digest for a message or data file + that is provided as input. The message or data file should be + considered to be a bit string. The length of the message is the + number of bits in the message (the empty message has length 0). If + the number of bits in a message is a multiple of 8, for compactness + we can represent the message in hex. The purpose of message padding + is to make the total length of a padded message a multiple of 512. + SHA-1 sequentially processes blocks of 512 bits when computing the + message digest. The following specifies how this padding shall be + performed. As a summary, a "1" followed by m "0"s followed by a 64- + bit integer are appended to the end of the message to produce a + padded message of length 512 * n. The 64-bit integer is the length + of the original message. The padded message is then processed by the + SHA-1 as n 512-bit blocks. + + + + + + +Eastlake & Jones Informational [Page 4] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + Suppose a message has length l < 2^64. Before it is input to the + SHA-1, the message is padded on the right as follows: + + a. "1" is appended. Example: if the original message is "01010000", + this is padded to "010100001". + + b. "0"s are appended. The number of "0"s will depend on the original + length of the message. The last 64 bits of the last 512-bit block + are reserved + + for the length l of the original message. + + Example: Suppose the original message is the bit string + + 01100001 01100010 01100011 01100100 01100101. + + After step (a) this gives + + 01100001 01100010 01100011 01100100 01100101 1. + + Since l = 40, the number of bits in the above is 41 and 407 "0"s + are appended, making the total now 448. This gives (in hex) + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000. + + c. Obtain the 2-word representation of l, the number of bits in the + original message. If l < 2^32 then the first word is all zeroes. + Append these two words to the padded message. + + Example: Suppose the original message is as in (b). Then l = 40 + (note that l is computed before any padding). The two-word + representation of 40 is hex 00000000 00000028. Hence the final + padded message is hex + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000028. + + The padded message will contain 16 * n words for some n > 0. + The padded message is regarded as a sequence of n blocks M(1) , + M(2), first characters (or bits) of the message. + + + + + + +Eastlake & Jones Informational [Page 5] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +5. Functions and Constants Used + + A sequence of logical functions f(0), f(1),..., f(79) is used in + SHA-1. Each f(t), 0 <= t <= 79, operates on three 32-bit words B, C, + D and produces a 32-bit word as output. f(t;B,C,D) is defined as + follows: for words B, C, D, + + f(t;B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19) + + f(t;B,C,D) = B XOR C XOR D (20 <= t <= 39) + + f(t;B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <= 59) + + f(t;B,C,D) = B XOR C XOR D (60 <= t <= 79). + + A sequence of constant words K(0), K(1), ... , K(79) is used in the + SHA-1. In hex these are given by + + K(t) = 5A827999 ( 0 <= t <= 19) + + K(t) = 6ED9EBA1 (20 <= t <= 39) + + K(t) = 8F1BBCDC (40 <= t <= 59) + + K(t) = CA62C1D6 (60 <= t <= 79). + +6. Computing the Message Digest + + The methods given in 6.1 and 6.2 below yield the same message digest. + Although using method 2 saves sixty-four 32-bit words of storage, it + is likely to lengthen execution time due to the increased complexity + of the address computations for the { W[t] } in step (c). There are + other computation methods which give identical results. + +6.1 Method 1 + + The message digest is computed using the message padded as described + in section 4. The computation is described using two buffers, each + consisting of five 32-bit words, and a sequence of eighty 32-bit + words. The words of the first 5-word buffer are labeled A,B,C,D,E. + The words of the second 5-word buffer are labeled H0, H1, H2, H3, H4. + The words of the 80-word sequence are labeled W(0), W(1),..., W(79). + A single word buffer TEMP is also employed. + + To generate the message digest, the 16-word blocks M(1), M(2),..., + M(n) defined in section 4 are processed in order. The processing of + each M(i) involves 80 steps. + + + + +Eastlake & Jones Informational [Page 6] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + Before processing any blocks, the H's are initialized as follows: in + hex, + + H0 = 67452301 + + H1 = EFCDAB89 + + H2 = 98BADCFE + + H3 = 10325476 + + H4 = C3D2E1F0. + + Now M(1), M(2), ... , M(n) are processed. To process M(i), we + proceed as follows: + + a. Divide M(i) into 16 words W(0), W(1), ... , W(15), where W(0) + is the left-most word. + + b. For t = 16 to 79 let + + W(t) = S^1(W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16)). + + c. Let A = H0, B = H1, C = H2, D = H3, E = H4. + + d. For t = 0 to 79 do + + TEMP = S^5(A) + f(t;B,C,D) + E + W(t) + K(t); + + E = D; D = C; C = S^30(B); B = A; A = TEMP; + + e. Let H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4 + + E. + + After processing M(n), the message digest is the 160-bit string + represented by the 5 words + + H0 H1 H2 H3 H4. + +6.2 Method 2 + + The method above assumes that the sequence W(0), ... , W(79) is + implemented as an array of eighty 32-bit words. This is efficient + from the standpoint of minimization of execution time, since the + addresses of W(t-3), ... ,W(t-16) in step (b) are easily computed. + If space is at a premium, an alternative is to regard { W(t) } as a + + + + + +Eastlake & Jones Informational [Page 7] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + circular queue, which may be implemented using an array of sixteen + 32-bit words W[0], ... W[15]. In this case, in hex let + + MASK = 0000000F. Then processing of M(i) is as follows: + + a. Divide M(i) into 16 words W[0], ... , W[15], where W[0] is the + left-most word. + + b. Let A = H0, B = H1, C = H2, D = H3, E = H4. + + c. For t = 0 to 79 do + + s = t AND MASK; + + if (t >= 16) W[s] = S^1(W[(s + 13) AND MASK] XOR W[(s + 8) AND + MASK] XOR W[(s + 2) AND MASK] XOR W[s]); + + TEMP = S^5(A) + f(t;B,C,D) + E + W[s] + K(t); + + E = D; D = C; C = S^30(B); B = A; A = TEMP; + + d. Let H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4 + + E. + +7. C Code + + Below is a demonstration implementation of SHA-1 in C. Section 7.1 + contains the header file, 7.2 the C code, and 7.3 a test driver. + +7.1 .h file + +/* + * sha1.h + * + * Description: + * This is the header file for code which implements the Secure + * Hashing Algorithm 1 as defined in FIPS PUB 180-1 published + * April 17, 1995. + * + * Many of the variable names in this code, especially the + * single character names, were used because those were the names + * used in the publication. + * + * Please read the file sha1.c for more information. + * + */ + + + + + +Eastlake & Jones Informational [Page 8] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +#ifndef _SHA1_H_ +#define _SHA1_H_ + +#include +/* + * If you do not have the ISO standard stdint.h header file, then you + * must typdef the following: + * name meaning + * uint32_t unsigned 32 bit integer + * uint8_t unsigned 8 bit integer (i.e., unsigned char) + * int_least16_t integer of >= 16 bits + * + */ + +#ifndef _SHA_enum_ +#define _SHA_enum_ +enum +{ + shaSuccess = 0, + shaNull, /* Null pointer parameter */ + shaInputTooLong, /* input data too long */ + shaStateError /* called Input after Result */ +}; +#endif +#define SHA1HashSize 20 + +/* + * This structure will hold context information for the SHA-1 + * hashing operation + */ +typedef struct SHA1Context +{ + uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ + + uint32_t Length_Low; /* Message length in bits */ + uint32_t Length_High; /* Message length in bits */ + + /* Index into message block array */ + int_least16_t Message_Block_Index; + uint8_t Message_Block[64]; /* 512-bit message blocks */ + + int Computed; /* Is the digest computed? */ + int Corrupted; /* Is the message digest corrupted? */ +} SHA1Context; + +/* + * Function Prototypes + */ + + + +Eastlake & Jones Informational [Page 9] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +int SHA1Reset( SHA1Context *); +int SHA1Input( SHA1Context *, + const uint8_t *, + unsigned int); +int SHA1Result( SHA1Context *, + uint8_t Message_Digest[SHA1HashSize]); + +#endif + +7.2 .c file + +/* + * sha1.c + * + * Description: + * This file implements the Secure Hashing Algorithm 1 as + * defined in FIPS PUB 180-1 published April 17, 1995. + * + * The SHA-1, produces a 160-bit message digest for a given + * data stream. It should take about 2**n steps to find a + * message with the same digest as a given message and + * 2**(n/2) to find any two messages with the same digest, + * when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + * Portability Issues: + * SHA-1 is defined in terms of 32-bit "words". This code + * uses (included via "sha1.h" to define 32 and 8 + * bit unsigned integer types. If your C compiler does not + * support 32 bit unsigned integers, this code is not + * appropriate. + * + * Caveats: + * SHA-1 is designed to work with messages less than 2^64 bits + * long. Although SHA-1 allows a message digest to be generated + * for messages of any number of bits less than 2^64, this + * implementation only works with messages with a length that is + * a multiple of the size of an 8-bit character. + * + */ + + + + + + + + + + +Eastlake & Jones Informational [Page 10] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +#include "sha1.h" + +/* + * Define the SHA1 circular left shift macro + */ +#define SHA1CircularShift(bits,word) \ + (((word) << (bits)) | ((word) >> (32-(bits)))) + +/* Local Function Prototyptes */ +void SHA1PadMessage(SHA1Context *); +void SHA1ProcessMessageBlock(SHA1Context *); + +/* + * SHA1Reset + * + * Description: + * This function will initialize the SHA1Context in preparation + * for computing a new SHA1 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Reset(SHA1Context *context) +{ + if (!context) + { + return shaNull; + } + + context->Length_Low = 0; + context->Length_High = 0; + context->Message_Block_Index = 0; + + context->Intermediate_Hash[0] = 0x67452301; + context->Intermediate_Hash[1] = 0xEFCDAB89; + context->Intermediate_Hash[2] = 0x98BADCFE; + context->Intermediate_Hash[3] = 0x10325476; + context->Intermediate_Hash[4] = 0xC3D2E1F0; + + context->Computed = 0; + context->Corrupted = 0; + + + + + +Eastlake & Jones Informational [Page 11] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + return shaSuccess; +} + +/* + * SHA1Result + * + * Description: + * This function will return the 160-bit message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 19th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA-1 hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Result( SHA1Context *context, + uint8_t Message_Digest[SHA1HashSize]) +{ + int i; + + if (!context || !Message_Digest) + { + return shaNull; + } + + if (context->Corrupted) + { + return context->Corrupted; + } + + if (!context->Computed) + { + SHA1PadMessage(context); + for(i=0; i<64; ++i) + { + /* message may be sensitive, clear it out */ + context->Message_Block[i] = 0; + } + context->Length_Low = 0; /* and clear length */ + context->Length_High = 0; + context->Computed = 1; + + + +Eastlake & Jones Informational [Page 12] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + } + + for(i = 0; i < SHA1HashSize; ++i) + { + Message_Digest[i] = context->Intermediate_Hash[i>>2] + >> 8 * ( 3 - ( i & 0x03 ) ); + } + + return shaSuccess; +} + +/* + * SHA1Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int SHA1Input( SHA1Context *context, + const uint8_t *message_array, + unsigned length) +{ + if (!length) + { + return shaSuccess; + } + + if (!context || !message_array) + { + return shaNull; + } + + if (context->Computed) + { + context->Corrupted = shaStateError; + + + +Eastlake & Jones Informational [Page 13] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + return shaStateError; + } + + if (context->Corrupted) + { + return context->Corrupted; + } + while(length-- && !context->Corrupted) + { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + context->Length_Low += 8; + if (context->Length_Low == 0) + { + context->Length_High++; + if (context->Length_High == 0) + { + /* Message is too long */ + context->Corrupted = 1; + } + } + + if (context->Message_Block_Index == 64) + { + SHA1ProcessMessageBlock(context); + } + + message_array++; + } + + return shaSuccess; +} + +/* + * SHA1ProcessMessageBlock + * + * Description: + * This function will process the next 512 bits of the message + * stored in the Message_Block array. + * + * Parameters: + * None. + * + * Returns: + * Nothing. + * + * Comments: + + + +Eastlake & Jones Informational [Page 14] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + * + * + */ +void SHA1ProcessMessageBlock(SHA1Context *context) +{ + const uint32_t K[] = { /* Constants defined in SHA-1 */ + 0x5A827999, + 0x6ED9EBA1, + 0x8F1BBCDC, + 0xCA62C1D6 + }; + int t; /* Loop counter */ + uint32_t temp; /* Temporary word value */ + uint32_t W[80]; /* Word sequence */ + uint32_t A, B, C, D, E; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for(t = 0; t < 16; t++) + { + W[t] = context->Message_Block[t * 4] << 24; + W[t] |= context->Message_Block[t * 4 + 1] << 16; + W[t] |= context->Message_Block[t * 4 + 2] << 8; + W[t] |= context->Message_Block[t * 4 + 3]; + } + + for(t = 16; t < 80; t++) + { + W[t] = SHA1CircularShift(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); + } + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + + for(t = 0; t < 20; t++) + { + temp = SHA1CircularShift(5,A) + + ((B & C) | ((~B) & D)) + E + W[t] + K[0]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + + + +Eastlake & Jones Informational [Page 15] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + B = A; + A = temp; + } + + for(t = 20; t < 40; t++) + { + temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[1]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + B = A; + A = temp; + } + + for(t = 40; t < 60; t++) + { + temp = SHA1CircularShift(5,A) + + ((B & C) | (B & D) | (C & D)) + E + W[t] + K[2]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + B = A; + A = temp; + } + + for(t = 60; t < 80; t++) + { + temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[3]; + E = D; + D = C; + C = SHA1CircularShift(30,B); + B = A; + A = temp; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + + context->Message_Block_Index = 0; +} + + +/* + * SHA1PadMessage + * + + + +Eastlake & Jones Informational [Page 16] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + * Description: + * According to the standard, the message must be padded to an even + * 512 bits. The first padding bit must be a '1'. The last 64 + * bits represent the length of the original message. All bits in + * between should be 0. This function will pad the message + * according to those rules by filling the Message_Block array + * accordingly. It will also call the ProcessMessageBlock function + * provided appropriately. When it returns, it can be assumed that + * the message digest has been computed. + * + * Parameters: + * context: [in/out] + * The context to pad + * ProcessMessageBlock: [in] + * The appropriate SHA*ProcessMessageBlock function + * Returns: + * Nothing. + * + */ + +void SHA1PadMessage(SHA1Context *context) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index > 55) + { + context->Message_Block[context->Message_Block_Index++] = 0x80; + while(context->Message_Block_Index < 64) + { + context->Message_Block[context->Message_Block_Index++] = 0; + } + + SHA1ProcessMessageBlock(context); + + while(context->Message_Block_Index < 56) + { + context->Message_Block[context->Message_Block_Index++] = 0; + } + } + else + { + context->Message_Block[context->Message_Block_Index++] = 0x80; + while(context->Message_Block_Index < 56) + { + + + +Eastlake & Jones Informational [Page 17] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + context->Message_Block[context->Message_Block_Index++] = 0; + } + } + + /* + * Store the message length as the last 8 octets + */ + context->Message_Block[56] = context->Length_High >> 24; + context->Message_Block[57] = context->Length_High >> 16; + context->Message_Block[58] = context->Length_High >> 8; + context->Message_Block[59] = context->Length_High; + context->Message_Block[60] = context->Length_Low >> 24; + context->Message_Block[61] = context->Length_Low >> 16; + context->Message_Block[62] = context->Length_Low >> 8; + context->Message_Block[63] = context->Length_Low; + + SHA1ProcessMessageBlock(context); +} + +7.3 Test Driver + + The following code is a main program test driver to exercise the code + in sha1.c. + +/* + * sha1test.c + * + * Description: + * This file will exercise the SHA-1 code performing the three + * tests documented in FIPS PUB 180-1 plus one which calls + * SHA1Input with an exact multiple of 512 bits, plus a few + * error test checks. + * + * Portability Issues: + * None. + * + */ + +#include +#include +#include +#include "sha1.h" + +/* + * Define patterns for testing + */ +#define TEST1 "abc" +#define TEST2a "abcdbcdecdefdefgefghfghighijhi" + + + +Eastlake & Jones Informational [Page 18] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +#define TEST2b "jkijkljklmklmnlmnomnopnopq" +#define TEST2 TEST2a TEST2b +#define TEST3 "a" +#define TEST4a "01234567012345670123456701234567" +#define TEST4b "01234567012345670123456701234567" + /* an exact multiple of 512 bits */ +#define TEST4 TEST4a TEST4b +char *testarray[4] = +{ + TEST1, + TEST2, + TEST3, + TEST4 +}; +long int repeatcount[4] = { 1, 1, 1000000, 10 }; +char *resultarray[4] = +{ + "A9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D", + "84 98 3E 44 1C 3B D2 6E BA AE 4A A1 F9 51 29 E5 E5 46 70 F1", + "34 AA 97 3C D4 C4 DA A4 F6 1E EB 2B DB AD 27 31 65 34 01 6F", + "DE A3 56 A2 CD DD 90 C7 A7 EC ED C5 EB B5 63 93 4F 46 04 52" +}; + +int main() +{ + SHA1Context sha; + int i, j, err; + uint8_t Message_Digest[20]; + + /* + * Perform SHA-1 tests + */ + for(j = 0; j < 4; ++j) + { + printf( "\nTest %d: %d, '%s'\n", + j+1, + repeatcount[j], + testarray[j]); + + err = SHA1Reset(&sha); + if (err) + { + fprintf(stderr, "SHA1Reset Error %d.\n", err ); + break; /* out of for j loop */ + } + + for(i = 0; i < repeatcount[j]; ++i) + { + + + +Eastlake & Jones Informational [Page 19] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + + err = SHA1Input(&sha, + (const unsigned char *) testarray[j], + strlen(testarray[j])); + if (err) + { + fprintf(stderr, "SHA1Input Error %d.\n", err ); + break; /* out of for i loop */ + } + } + + err = SHA1Result(&sha, Message_Digest); + if (err) + { + fprintf(stderr, + "SHA1Result Error %d, could not compute message digest.\n", + err ); + } + else + { + printf("\t"); + for(i = 0; i < 20 ; ++i) + { + printf("%02X ", Message_Digest[i]); + } + printf("\n"); + } + printf("Should match:\n"); + printf("\t%s\n", resultarray[j]); + } + + /* Test some error returns */ + err = SHA1Input(&sha,(const unsigned char *) testarray[1], 1); + printf ("\nError %d. Should be %d.\n", err, shaStateError ); + err = SHA1Reset(0); + printf ("\nError %d. Should be %d.\n", err, shaNull ); + return 0; +} + +8. Security Considerations + + This document is intended to provide convenient open source access by + the Internet community to the United States of America Federal + Information Processing Standard Secure Hash Function SHA-1 [FIPS + 180-1]. No independent assertion of the security of this hash + function by the authors for any particular use is intended. + + + + + + +Eastlake & Jones Informational [Page 20] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +References + + [FIPS 180-1] "Secure Hash Standard", United States of American, + National Institute of Science and Technology, Federal + Information Processing Standard (FIPS) 180-1, April + 1993. + + [MD4] "The MD4 Message Digest Algorithm," Advances in + Cryptology - CRYPTO '90 Proceedings, Springer-Verlag, + 1991, pp. 303-311. + + [RFC 1320] Rivest, R., "The MD4 Message-Digest Algorithm", RFC + 1320, April 1992. + + [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC + 1321, April 1992. + + [RFC 1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness + Requirements for Security", RFC 1750, December 1994. + +Authors' Addresses + + Donald E. Eastlake, 3rd + Motorola + 155 Beaver Street + Milford, MA 01757 USA + + Phone: +1 508-634-2066 (h) + +1 508-261-5434 (w) + Fax: +1 508-261-4777 + EMail: Donald.Eastlake@motorola.com + + + Paul E. Jones + Cisco Systems, Inc. + 7025 Kit Creek Road + Research Triangle Park, NC 27709 USA + + Phone: +1 919 392 6948 + EMail: paulej@packetizer.com + + + + + + + + + + + +Eastlake & Jones Informational [Page 21] + +RFC 3174 US Secure Hash Algorithm 1 (SHA1) September 2001 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2001). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Eastlake & Jones Informational [Page 22] + -- cgit v1.2.3