[Docs] [txt|pdf] [Tracker] [Email] [Nits] [IPR]

Versions: 00 01 02 RFC 4634

Network Working Group                             Donald E. Eastlake 3rd
INTERNET-DRAFT                                             Motorola Labs
Updates RFC 3174                                             Tony Hansen
                                                               AT&T Labs
Expires: December 2005                                         June 2005



                    US Secure Hash Algorithms (SHA)
                    -- ------ ---- ---------- -----
                      <draft-eastlake-sha2-00.txt>



Status of This Document

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Distribution of this document is unlimited. Comments should be sent
   to the authors.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than a "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html



Abstract

   The United States of America has adopted a suite of secure hash
   algorithms (SHAs), including four beyond SHA-1, as part of a Federal
   Information Processing Standard (FIPS), specifically SHA-224 [RFC
   3874], SHA-256, SHA-384, and SHA-512.  The purpose of this document
   is to make code performing these hash functions conveniently
   available to the Internet community. The sample code supports input
   strings of arbitrary bit length. SHA-1's sample code from [RFC 3174]
   has also been updated to handle an input string of arbitrary length.
   Most of the text herein was adapted by the authors from FIPS 180-2.


D. Eastlake 3rd, T. Hansen                                      [Page 1]

INTERNET-DRAFT                   US SHAs                       June 2005


Table of Contents

      Status of This Document....................................1
      Abstract...................................................1

      Table of Contents..........................................2

      1. Overview of Contents....................................3
      2. Definitions.............................................3
      2.1  Bit Strings and Integers..............................4
      3. Operations on Words.....................................4
      4. Message Padding and Parsing.............................6
      4.1 SHA-224 and SHA-256....................................6
      4.2 SHA-384 and SHA-512....................................7
      5. Functions and Constants Used............................8
      5.1 SHA-224 and SHA-256....................................8
      5.2 SHA-384 and SHA-512....................................9
      6. Computing the Message Digest...........................10
      6.1 SHA-224 and SHA-256 Initialization....................10
      6.2 SHA-224 and SHA-256 Processing........................11
      6.3 SHA-384 and SHA-512 Initialization....................12
      6.4 SHA-384 and SHA-512 Processing........................13

      7. C Code.................................................15
      7.1 The .h file...........................................15
      7.2 The .c files..........................................19
      7.2.1 sha1.c..............................................19
      7.2.2 sha224-256.c........................................28
      7.2.3 sha384-512.c........................................40
      7.2.4 sha-private.h.......................................61
      7.3 The Test Driver.......................................61

      8. IANA Considerations....................................81
      9. Security Considerations................................81

      Copyright and Disclaimer..................................82
      Normative References......................................82
      Informative References....................................82

      Author's Address..........................................83
      Expiration and File Name..................................83











D. Eastlake 3rd, T. Hansen                                      [Page 2]

INTERNET-DRAFT                   US SHAs                       June 2005


1. Overview of Contents

   NOTE: Much of the text below is taken from [FIPS 180-2] and
   assertions therein of the security of the algorithms described are
   made by the US Government, the author of [FIPS 180-2], and not by the
   authors of this document.

   This document specifies four Secure Hash Algorithms, SHA-224 [RFC
   3874], SHA-256, SHA-384, and SHA-512, for computing a condensed
   representation of a message or a data file. (SHA-1 is specified in
   [RFC 3174].) When a message of any length < 2^64 bits (for SHA-224
   and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to
   one of these algorithms, the result is an output called a message
   digest.  The message digests range in length from 224 to 512 bits,
   depending on the algorithm.  Secure hash algorithms are typically
   used with other cryptographic algorithms, such as digital signature
   algorithms and keyed hash authentication codes, or in the generation
   or random numbers [RFC 4086].

   The four algorithms specified in this document are called secure
   because it is computationally infeasible to (1) find a message which
   corresponds to a given message digest, or (2) to find two different
   messages which produce the same message digest.  Any change to a
   message in transit will, with very high probability, result in a
   different message digest. This will result in a verification failure
   when the secure hash algorithm is used with a digital signature
   algorithm or a keyed-hash message authentication algorithm.

   The code provided herein supports input strings of arbitrary bit
   length. SHA-1's sample code from [RFC 3174] has also been updated to
   handle input strings of arbitrary bit length. Permission is granted
   for all uses, commercial and non-commercial, of this code.

   Section 2 below defines the terminology and functions used as
   building blocks to form these algorithms. Section 3 described the
   fundamental operations on words from which these algorithms are
   built. Section 4 described how messages are padded up to an integral
   multiple of the required block size and then parsed into blocks.
   Section 5 defines the constants and the composite functions used to
   specify these algorithms. Section 6 gives the actual specfication for
   the SHA-224, SHA-256, SHA-384, and SHA-512 functions. And Section 7
   gives sample code.



2. Definitions






D. Eastlake 3rd, T. Hansen                                      [Page 3]

INTERNET-DRAFT                   US SHAs                       June 2005


2.1  Bit Strings and Integers

   The following terminology related to bit strings and integers will be
   used:

   a.  A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}.
        A hex digit is the representation of a 4-bit string.  Examples:
        7 = 0111, A = 1010.

   b.  A word equals a 32-bit or 64-bit string which may be represented
        as a sequence of 8 or 16 hex digits, respectively.  To convert a
        word to hex digits, each 4-bit string is converted to its hex
        equivalent as described in (a) above.  Example:

    1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23.

        Throughout this document, the "big-endian" convention is used
        when expressing both 32-bit and 64-bit words, so that within
        each word the most significant bit is shown in the left-most bit
        position.

   c.  An integer may be represented as a word or pair of words.

        An integer between 0 and 2^32 - 1 inclusive may be represented
        as a 32-bit word.  The least significant four bits of the
        integer are represented by the right-most hex digit of the word
        representation.  Example: the integer 291 = 2^8+2^5+2^1+2^0 =
        256+32+2+1 is represented by the hex word, 00000123.

        The same holds true  for an integer between 0 and 2^64-1
        inclusive, which may be represented as a 64-bit word.

        If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0
        <= x < 2^32 and 0 <= y < 2^32.  Since x and y can be represented
        as words X and Y, respectively, z can be represented as the pair
        of words (X,Y).

   d.  block = 512-bit or 1024-bit string.  A block (e.g., B) may be
        represented as a sequence of 32-bit or 64-bit words.



3. Operations on Words

   The following logical operators will be applied to words in all four
   hash operations specified herein. SHA-224 and SHA-256 operate on
   32-bit words while SHA-384 and SHA-512 operate on 64-bit words.

   In the operations below, x<<n is obtained as follows: discard the
   left-most n bits of x and then pad the result with n zeroes on the


D. Eastlake 3rd, T. Hansen                                      [Page 4]

INTERNET-DRAFT                   US SHAs                       June 2005


   right (the result will still be the same number of bits).

   a.  Bitwise logical word operations

        X AND Y  =  bitwise logical "and" of  X and Y.

        X OR Y   =  bitwise logical "inclusive-or" of X and Y.

        X XOR Y  =  bitwise logical "exclusive-or" of X and Y.

        NOT X    =  bitwise logical "complement" of X.

        Example:
                 01101100101110011101001001111011
           XOR   01100101110000010110100110110111
                 --------------------------------
             =   00001001011110001011101111001100

   b.  The operation X + Y is defined as follows: words X and Y
        represent w-bit integers x and y, where 0 <= x < 2^w and 0 <= y
        < 2^w.  For positive integers n and m, let

             n mod m

        be the remainder upon dividing n by m. Compute

             z  =  (x + y) mod 2^w.

        Then 0 <= z < 2^w.  Convert z to a word,  Z, and define Z = X +
        Y.

   c.  The right shift operation SHR^n(x), where x is a w-bit word and n
        is an integer with 0 <= n < w, is defined by

             SHR^n(x) = x>>n

   d. The rotate right (circular right shift) operation ROTR^n(x), where
        x is a w-bit word and n is an integer with 0 <= n < w, is
        defined by

             ROTR^n(x) = (x>>n) OR (x<<(w-n))

   e. The rotate left (circular left shift) operation ROTL^n(x), where x
        is a w-bit word and n is an integer with 0 <= n < w, is defined
        by

             ROTL^n(X)  =  (x<<n) OR (x>>w-n)

        Note the following equivalence relationships, where w is fixed
        in each relationship:


D. Eastlake 3rd, T. Hansen                                      [Page 5]

INTERNET-DRAFT                   US SHAs                       June 2005


             ROTL^n(x) = ROTR^(w-x)(x)

             ROTR^n(x) = ROTL^(w-n)(x)



4. Message Padding and Parsing

   The hash functions specified herein are used to compute a message
   digest for a message or data file that is provided as input.  The
   message or data file should be considered to be a bit string.  The
   length of the message is the number of bits in the message (the empty
   message has length 0).  If the number of bits in a message is a
   multiple of 8, for compactness we can represent the message in hex.
   The purpose of message padding is to make the total length of a
   padded message a multiple of 512 for SHA-224 and SHA-256 or a
   multiple of 1024 for SHA-384 and SHA-512.

   The following specifies how this padding shall be performed.  As a
   summary, a "1" followed by m "0"s followed by a 64-bit or 128-bit
   integer are appended to the end of the message to produce a padded
   message of length 512*n or 1024*n.  The appended integer is the
   length of the original message.  The padded message is then processed
   by the hash function as n 512-bit or 1024-bit blocks.



4.1 SHA-224 and SHA-256

   Suppose a message has length L < 2^64.  Before it is input to the
   hash function, the message is padded on the right as follows:

   a.  "1" is appended.  Example: if the original message is "01010000",
        this is padded to "010100001".

   b.  K "0"s are appended where K is the smallest, non-negative
        solution to the equation

             L + 1 + K = 448 (mod 512)

   c. Then append the 64-bit block which is L in binary representation.
        After appending this block, the length of the message will be a
        multiple of 512 bits.

        Example:  Suppose the original message is the bit string

             01100001 01100010 01100011 01100100 01100101

        After step (a) this gives



D. Eastlake 3rd, T. Hansen                                      [Page 6]

INTERNET-DRAFT                   US SHAs                       June 2005


             01100001 01100010 01100011 01100100 01100101 1

        Since L = 40, the number of bits in the above is 41 and K = 407
        "0"s are appended, making the total now 448. This gives the
        following in hex:

             61626364 65800000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000

        The 64-bit representation of L = 40 is hex 00000000 00000028.
        Hence the final padded message is the following hex

             61626364 65800000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000028



4.2 SHA-384 and SHA-512

   Suppose a message has length L < 2^128.  Before it is input to the
   hash function, the message is padded on the right as follows:

   a.  "1" is appended.  Example: if the original message is "01010000",
        this is padded to "010100001".

   b.  K "0"s are appended where K is the smallest, non-negative
        solution to the equation

             L + 1 + K = 896 (mod 1024)

   c. Then append the 128-bit block which is L in binary representation.
        After appending this block, the length of the message will be a
        multiple of 1024 bits.

        Example:  Suppose the original message is the bit string

             01100001 01100010 01100011 01100100 01100101

        After step (a) this gives

             01100001 01100010 01100011 01100100 01100101 1

        Since L = 40, the number of bits in the above is 41 and K = 855
        "0"s are appended, making the total now 896. This gives the
        following in hex:



D. Eastlake 3rd, T. Hansen                                      [Page 7]

INTERNET-DRAFT                   US SHAs                       June 2005


             61626364 65800000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000

        The 128-bit representation of L = 40 is hex 00000000 00000000
        00000000 00000028.  Hence the final padded message is the
        following hex:

             61626364 65800000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000000
             00000000 00000000 00000000 00000028



5. Functions and Constants Used

   The following subsections give the six logical functions and the
   table of constants used in each of the hash functions.



5.1 SHA-224 and SHA-256

   SHA-224 and SHA-256 use six logical functions, where each function
   operates on 32-bit words, which are represented as x, y, and z. The
   result of each function is a new 32-bit word.

        CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z)

        MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)

        BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x)

        BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x)

        SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x)

        SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x)

   SHA-224 and SHA-256 use the same sequence of sixty-four constant
   32-bit words, K0, K1, ..., K63. These words represent the first


D. Eastlake 3rd, T. Hansen                                      [Page 8]

INTERNET-DRAFT                   US SHAs                       June 2005


   thirty-two bits of the fractional parts of the cube roots of the
   first sixty-four prime numbers. In hex, these constant words are as
   follows (from left to right):

        428a2f98 71374491 b5c0fbcf e9b5dba5
        3956c25b 59f111f1 923f82a4 ab1c5ed5
        d807aa98 12835b01 243185be 550c7dc3
        72be5d74 80deb1fe 9bdc06a7 c19bf174
        e49b69c1 efbe4786 0fc19dc6 240ca1cc
        2de92c6f 4a7484aa 5cb0a9dc 76f988da
        983e5152 a831c66d b00327c8 bf597fc7
        c6e00bf3 d5a79147 06ca6351 14292967
        27b70a85 2e1b2138 4d2c6dfc 53380d13
        650a7354 766a0abb 81c2c92e 92722c85
        a2bfe8a1 a81a664b c24b8b70 c76c51a3
        d192e819 d6990624 f40e3585 106aa070
        19a4c116 1e376c08 2748774c 34b0bcb5
        391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
        748f82ee 78a5636f 84c87814 8cc70208
        90befffa a4506ceb bef9a3f7 c67178f2



5.2 SHA-384 and SHA-512

   SHA-384 and SHA-512 each use six logical functions, where each
   function operates on 64-bit words, which are represented as x, y, and
   z.  The result of each function is a new 64-bit word.

        CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z)

        MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)

        BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x)

        BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x)

        SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x)

        SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x)

   SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit
   words, K0, K1, ... K79.  These words represent the first sixty-four
   bits of the fractional parts of the cube roots of the first eighty
   prime numbers.  In hex, these constant words are as follows (from
   left to right):

   428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc
   3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118
   d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2


D. Eastlake 3rd, T. Hansen                                      [Page 9]

INTERNET-DRAFT                   US SHAs                       June 2005


   72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694
   e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65
   2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5
   983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4
   c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70
   27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df
   650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b
   a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30
   d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8
   19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8
   391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3
   748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec
   90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b
   ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178
   06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b
   28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c
   4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817



6. Computing the Message Digest

   The output of each of the secure hash functions, after being applied
   to a message of N blocks, is the hash quantity H(N). For SHA-224 and
   SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0,
   H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to be
   eight 64-bit words, H(i)0, H(i)1, ..., H(i)7.

   As described below, the hash words are initialized, modified as each
   message block is processed, and finally concatenated after processing
   the last block to yield the output. For SHA-256 and SHA-512, all of
   the H(N) variables are concatenated while the SHA-224 and SHA-384
   hashes are produced by omitting some from the final concatenation.



6.1 SHA-224 and SHA-256 Initialization

   For SHA-224, the initial hash value, H(0), consists of the following
   32-bit words in hex:

        H(0)0 = c1059ed8
        H(0)1 = 367cd507
        H(0)2 = 3070dd17
        H(0)3 = f70e5939
        H(0)4 = ffc00b31
        H(0)5 = 68581511
        H(0)6 = 64f98fa7
        H(0)7 = befa4fa4



D. Eastlake 3rd, T. Hansen                                     [Page 10]

INTERNET-DRAFT                   US SHAs                       June 2005


   For SHA-256, the initial hash value, H(0), consists of the following
   eight 32-bit words, in hex.  These words were obtained by taking the
   first thirty-two bits of the fractional parts of the square roots of
   the first eight prime numbers.

        H(0)0 = 6a09e667
        H(0)1 = bb67ae85
        H(0)2 = 3c6ef372
        H(0)3 = a54ff53a
        H(0)4 = 510e527f
        H(0)5 = 9b05688c
        H(0)6 = 1f83d9ab
        H(0)7 = 5be0cd19



6.2 SHA-224 and SHA-256 Processing

   SHA-224 and SHA-256 perform identical processing on messages blocks
   and differ only in how H(0) is initialized and how they produce their
   final output. They may be used to hash a message, M, having a length
   of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message
   schedule of sixty-four 32-bit words, (2) eight working variables of
   32 bits each, and (3) a hash value of eight 32-bit words.

   The words of the message schedule are labeled W0, W1, ..., W63. The
   eight working variables are labeled a, b, c, d, e, f, g, and h. The
   words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which
   will hold the initial hash value, H(0), replaced by each successive
   intermediate hash value (after each message block is processed),
   H(i), and ending with the final hash value, H(N), after all N blocks
   are processed.  They also use two temporary words, T1 and T2.

   The input message is padded as described in Section 4.1 above then
   parsed into 512-bit blocks which are considered to be composed of 16
   32-bit words M(i)0, M(i)1, ..., M(i)15.  The following computations
   are then performed for each of the N message blocks. All addition is
   performed modulo 2^32.

   For i = 1 to N

      1. Prepare the message schedule W:
         For t = 0 to 15
            Wt = M(i)t
         For t = 16 to 63
            Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16)

      2. Initialize the working variables:
         a = H(i-1)0
         b = H(i-1)1


D. Eastlake 3rd, T. Hansen                                     [Page 11]

INTERNET-DRAFT                   US SHAs                       June 2005


         c = H(i-1)2
         d = H(i-1)3
         e = H(i-1)4
         f = H(i-1)5
         g = H(i-1)6
         h = H(i-1)7

      3. Perform the main hash computation:
         For t = 0 to 63
            T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt
            T2 = BSIG0(a) + MAJ(a,b,c)
            h = g
            g = f
            f = e
            e = d + T1
            d = c
            c = b
            b = a
            a = T1 + T2

      4. Compute the intermediate hash value H(i)
         H(i)0 = a + H(i-1)0
         H(i)1 = b + H(i-1)1
         H(i)2 = c + H(i-1)2
         H(i)3 = d + H(i-1)3
         H(i)4 = e + H(i-1)4
         H(i)5 = f + H(i-1)5
         H(i)6 = g + H(i-1)6
         H(i)7 = h + H(i-1)7

   After the above computations have been sequentially performed for all
   of the blocks in the message, the final output is calculated. For
   SHA-256, this is the concatenation of all of H(N)0, H(N)1, through
   H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1,
   through H(N)6.



6.3 SHA-384 and SHA-512 Initialization

   For SHA-384, the initial hash value, H(0), consists of the following
   eight 64-bit words, in hex. These words were obtained by taking the
   first sixty-four bits of the fractional parts of the square roots of
   the ninth through sixteenth prime numbers.

        H(0)0 = cbbb9d5dc1059ed8
        H(0)1 = 629a292a367cd507
        H(0)2 = 9159015a3070dd17
        H(0)3 = 152fecd8f70e5939
        H(0)4 = 67332667ffc00b31


D. Eastlake 3rd, T. Hansen                                     [Page 12]

INTERNET-DRAFT                   US SHAs                       June 2005


        H(0)5 = 8eb44a8768581511
        H(0)6 = db0c2e0d64f98fa7
        H(0)7 = 47b5481dbefa4fa4

   For SHA-512, the initial hash value, H(0), consists of the following
   eight 64-bit words, in hex. These words were obtained by taking the
   first sixty-four bits of the fractional parts of the square roots of
   the first eight prime numbers.

        H(0)0 = 6a09e667f3bcc908
        H(0)1 = bb67ae8584caa73b
        H(0)2 = 3c6ef372fe94f82b
        H(0)3 = a54ff53a5f1d36f1
        H(0)4 = 510e527fade682d1
        H(0)5 = 9b05688c2b3e6c1f
        H(0)6 = 1f83d9abfb41bd6b
        H(0)7 = 5be0cd19137e2179



6.4 SHA-384 and SHA-512 Processing

   SHA-384 and SHA-512 perform identical processing on message blocks
   and differ only in how H(0) is initialized and how they produce thier
   final output.  They may be used to hash a message, M, having a length
   of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message
   schedule of eighty 64-bit words, (2) eight working variables of 64
   bits each, and (3) a hash value of eight 64-bit words.

   The words of the message schedule are labeled W0, W1, ..., W79. The
   eight working variables are labeled a, b, c, d, e, f, g, and h.  The
   words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7 which
   will hold the initial hash value, H(0), replaced by each successive
   intermediate hash value (after each message block is processed),
   H(i), and ending with the final hash value, H(N) after all N blocks
   are processed.

   The input message is padded as described in Section 4.2 above, then
   parsed into 1024-bit blocks which are considered to be composed of 16
   64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations
   are then performed for each of the N message blocks.  All addition is
   performed modulo 2^64.

   For i = 1 to N

      1. Prepare the message schedule W:
         For t = 0 to 15
            Wt = M(i)t
         For t = 16 to 79
            Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16)


D. Eastlake 3rd, T. Hansen                                     [Page 13]

INTERNET-DRAFT                   US SHAs                       June 2005


      2. Initialize the working variables:
         a = H(i-1)0
         b = H(i-1)1
         c = H(i-1)2
         d = H(i-1)3
         e = H(i-1)4
         f = H(i-1)5
         g = H(i-1)6
         h = H(i-1)7

      3. Perform the main hash computation:
         For t = 0 to 79
            T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt
            T2 = BSIG0(a) + MAJ(a,b,c)
            h = g
            g = f
            f = e
            e = d + T1
            d = c
            c = b
            b = a
            a = T1 + T2

      4. Compute the intermediate hash value H(i)
         H(i)0 = a + H(i-1)0
         H(i)1 = b + H(i-1)1
         H(i)2 = c + H(i-1)2
         H(i)3 = d + H(i-1)3
         H(i)4 = e + H(i-1)4
         H(i)5 = f + H(i-1)5
         H(i)6 = g + H(i-1)6
         H(i)7 = h + H(i-1)7

   After the above computations have been sequentially performed for all
   of the blocks in the message, the final output is calculated. For
   SHA-512, this is the concatenation of all of H(N)0, H(N)1, through
   H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1,
   through H(N)5.














D. Eastlake 3rd, T. Hansen                                     [Page 14]

INTERNET-DRAFT                   US SHAs                       June 2005


7. C Code

   Below is a demonstration implementation of these secure hash
   functions in C.  Section 7.1 contains the header file sha.h. Section
   7.2 contains the C code for sha1.c, sha224-256.c, and sha384-512.c,
   along with sha-private.h which provides some declarations common to
   all the functions. Section 7.3 contains a test driver to exercise the
   code.

   For each of the digest length $$$, there are the following set of
   constants, a structure, and functions:

   Constants:
        SHA$$$HashSize      number of bytes in the hash
        shaSuccess = 0      constant returned by each function on
                            success
        shaNull = 1         constant returned by each function when
                            presented with a null pointer parameter
        shaInputTooLong = 2  constant returned by each function when the
                            input data is too long
        shaStateError       constant returned by each function when
                            SHA$$$Input is called after SHA$$$FinalBits
                            or SHA$$$Result.

   Structure:
        typedef SHA$$$Context  an opaque structure holding the complete
                               state for producing the hash

   Functions:
        int SHA$$$Reset(SHA$$$Context *);
             Reset the hash context state
        int SHA$$$Input(SHA$$$Context *, const uint8_t *bytes,
             unsigned int bytecount);
             Add bytecount bytes to the hash.
        int SHA$$$FinalBits(SHA$$$Context *, const uint8_t byte,
             unsigned int bitcount);
             Add bitcount bits to the hash. The bits are in the upper
             portion of the byte. SHA$$$Input() cannot be called after
             this.
        int SHA$$$Result(SHA$$$Context *,
             uint8_t Message_Digest[SHA$$$HashSize]);
             Do the final calculations on the hash and copy the value
             into Message_Digest.



7.1 The .h file

/**************************** sha.h ****************************/
#ifndef _SHA_H_


D. Eastlake 3rd, T. Hansen                                     [Page 15]

INTERNET-DRAFT                   US SHAs                       June 2005


#define _SHA_H_

/*
 *  Description:
 *      This file implements the Secure Hash Signature Standard
 *      algorithms as defined in the National Institute of Standards
 *      and Technology Federal Information Processing Standards
 *      Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
 *      published on August 1, 2002, and the FIPS PUB 180-2 Change
 *      Notice published on February 28, 2004.
 *
 *      A combined document showing all algorithms is available at
 *              http://csrc.nist.gov/publications/fips/
 *              fips180-2/fips180-2withchangenotice.pdf
 *
 *      Five hashes are defined in these publications:
 *              SHA-1           20 byte / 160 bit
 *              SHA-224         28 byte / 224 bit
 *              SHA-256         32 byte / 256 bit
 *              SHA-384         48 byte / 512 bit
 *              SHA-512         64 byte / 512 bit
 */

#include <stdint.h>
/*
 * If you do not have the ISO standard stdint.h header file, then you
 * must typedef the following:
 *    name              meaning
 *  uint64_t         unsigned 64 bit integer
 *  uint32_t         unsigned 32 bit integer
 *  uint8_t          unsigned 8 bit integer (i.e., unsigned char)
 *  int_least16_t    integer of >= 16 bits
 *
 */

#ifndef _SHA_enum_
#define _SHA_enum_
/*
 *  All SHA functions return one of these values.
 */
enum {
    shaSuccess = 0,
    shaNull,            /* Null pointer parameter */
    shaInputTooLong,    /* input data too long */
    shaStateError       /* called Input after FinalBits or Result */
};
#endif /* _SHA_enum_ */

/*
 *  These constants hold size information for each of the SHA


D. Eastlake 3rd, T. Hansen                                     [Page 16]

INTERNET-DRAFT                   US SHAs                       June 2005


 *  hashing operations
 */
enum {
    SHA1_Message_Block_Size = 64, SHA256_Message_Block_Size = 64,
    SHA512_Message_Block_Size = 128, SHA1HashSize = 20,
    SHA224HashSize = 28, SHA256HashSize = 32, SHA384HashSize = 48,
    SHA512HashSize = 64, SHA1HashSizeBits = 160,
    SHA224HashSizeBits = 224, SHA256HashSizeBits = 256,
    SHA384HashSizeBits = 384, SHA512HashSizeBits = 512
};

/*
 *  This structure will hold context information for the SHA-1
 *  hashing operation.
 */
typedef struct SHA1Context {
    uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */

    uint32_t Length_Low;                /* Message length in bits */
    uint32_t Length_High;               /* Message length in bits */

    int_least16_t Message_Block_Index;  /* Message_Block array index */
                                        /* 512-bit message blocks */
    uint8_t Message_Block[SHA1_Message_Block_Size];

    int Computed;                       /* Is the digest computed? */
    int Corrupted;                      /* Is the digest corrupted? */
} SHA1Context;

/*
 *  This structure will hold context information for the SHA-256
 *  hashing operation.
 */
typedef struct SHA256Context {
    uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */

    uint32_t Length_Low;                /* Message length in bits */
    uint32_t Length_High;               /* Message length in bits */

    int_least16_t Message_Block_Index;  /* Message_Block array index */
                                        /* 512-bit message blocks */
    uint8_t Message_Block[SHA256_Message_Block_Size];

    int Computed;                       /* Is the digest computed? */
    int Corrupted;                      /* Is the digest corrupted? */
} SHA256Context;

/*
 *  This structure will hold context information for the SHA-512
 *  hashing operation.


D. Eastlake 3rd, T. Hansen                                     [Page 17]

INTERNET-DRAFT                   US SHAs                       June 2005


 */
typedef struct SHA512Context {
#ifdef USE_32BIT_ONLY
    uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest  */
    uint32_t Length[4];                 /* Message length in bits */
#else /* !USE_32BIT_ONLY */
    uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */
    uint64_t Length_Low, Length_High;   /* Message length in bits */
#endif /* USE_32BIT_ONLY */

    int_least16_t Message_Block_Index;  /* Message_Block array index */
                                        /* 1024-bit message blocks */
    uint8_t Message_Block[SHA512_Message_Block_Size];

    int Computed;                       /* Is the digest computed?*/
    int Corrupted;                      /* Is the digest corrupted? */
} SHA512Context;

/*
 *  This structure will hold context information for the SHA-224
 *  hashing operation. It uses the SHA-256 structure for computation.
 */
typedef struct SHA256Context SHA224Context;

/*
 *  This structure will hold context information for the SHA-384
 *  hashing operation. It uses the SHA-512 structure for computation.
 */
typedef struct SHA512Context SHA384Context;

/*
 *  Function Prototypes
 */

extern int SHA1Reset(SHA1Context *);
extern int SHA1Input(SHA1Context *, const uint8_t *bytes,
                     unsigned int bytecount);
extern int SHA1FinalBits(SHA1Context *, const uint8_t bits,
                         unsigned int bitcount);
extern int SHA1Result(SHA1Context *,
                      uint8_t Message_Digest[SHA1HashSize]);

extern int SHA224Reset(SHA224Context *);
extern int SHA224Input(SHA224Context *, const uint8_t *bytes,
                       unsigned int bytecount);
extern int SHA224FinalBits(SHA224Context *, const uint8_t bits,
                           unsigned int bitcount);
extern int SHA224Result(SHA224Context *,
                        uint8_t Message_Digest[SHA224HashSize]);



D. Eastlake 3rd, T. Hansen                                     [Page 18]

INTERNET-DRAFT                   US SHAs                       June 2005


extern int SHA256Reset(SHA256Context *);
extern int SHA256Input(SHA256Context *, const uint8_t *bytes,
                       unsigned int bytecount);
extern int SHA256FinalBits(SHA256Context *, const uint8_t bits,
                           unsigned int bitcount);
extern int SHA256Result(SHA256Context *,
                        uint8_t Message_Digest[SHA256HashSize]);

extern int SHA384Reset(SHA384Context *);
extern int SHA384Input(SHA384Context *, const uint8_t *bytes,
                       unsigned int bytecount);
extern int SHA384FinalBits(SHA384Context *, const uint8_t bits,
                           unsigned int bitcount);
extern int SHA384Result(SHA384Context *,
                        uint8_t Message_Digest[SHA384HashSize]);

extern int SHA512Reset(SHA512Context *);
extern int SHA512Input(SHA512Context *, const uint8_t *bytes,
                       unsigned int bytecount);
extern int SHA512FinalBits(SHA512Context *, const uint8_t bits,
                           unsigned int bitcount);
extern int SHA512Result(SHA512Context *,
                        uint8_t Message_Digest[SHA512HashSize]);

#endif /* _SHA_H_ */



7.2 The .c files

   This code is primarily intended as expository and could be optimized
   further. For example, the assignment rotations through the variables
   a, b, ..., h could be treated as a cycle and the loop unrolled,
   rather than doing the explicit copying.

   Note that there are alternative representations of the Ch() and Maj()
   functions controller by an ifdef.



7.2.1 sha1.c

/**************************** sha1.c ****************************/
/*
 *  Description:
 *      This file implements the Secure Hash Signature Standard
 *      algorithms as defined in the National Institute of Standards
 *      and Technology Federal Information Processing Standards
 *      Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
 *      published on August 1, 2002, and the FIPS PUB 180-2 Change


D. Eastlake 3rd, T. Hansen                                     [Page 19]

INTERNET-DRAFT                   US SHAs                       June 2005


 *      Notice published on February 28, 2004.
 *
 *      A combined document showing all algorithms is available at
 *              http://csrc.nist.gov/publications/fips/
 *              fips180-2/fips180-2withchangenotice.pdf
 *
 *      The SHA-1 algorithm produces a 160-bit message digest for a
 *      given data stream.  It should take about 2**n steps to find a
 *      message with the same digest as a given message and
 *      2**(n/2) to find any two messages with the same digest,
 *      when n is the digest size in bits.  Therefore, this
 *      algorithm can serve as a means of providing a
 *      "fingerprint" for a message.
 *
 *  Portability Issues:
 *      SHA-1 is defined in terms of 32-bit "words".  This code
 *      uses <stdint.h> (included via "sha.h") to define 32 and 8
 *      bit unsigned integer types.  If your C compiler does not
 *      support 32 bit unsigned integers, this code is not
 *      appropriate.
 *
 *  Caveats:
 *      SHA-1 is designed to work with messages less than 2^64 bits
 *      long. This implementation uses SHA1Input() to hash the bits
 *      that are a multiple of the size of an 8-bit character, and then
 *      uses SHA1FinalBits() to hash the final few bits of the input.
 */

#include "sha.h"
#include "sha-private.h"

/*
 *  Define the SHA1 circular left shift macro
 */
#define SHA1_ROTL(bits,word) \
                (((word) << (bits)) | ((word) >> (32-(bits))))

/*
 * add "length" to the length
 */
static uint32_t addTemp;
#define SHA1AddLength(context, length)                     \
    (addTemp = (context)->Length_Low,                      \
     (context)->Corrupted =                                \
        (((context)->Length_Low += (length)) < addTemp) && \
        (++(context)->Length_High == 0) ? 1 : 0)

/* Local Function Prototypes */
static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte);
static void SHA1PadMessage(SHA1Context *, uint8_t Pad_Byte);


D. Eastlake 3rd, T. Hansen                                     [Page 20]

INTERNET-DRAFT                   US SHAs                       June 2005


static void SHA1ProcessMessageBlock(SHA1Context *);

/*
 *  SHA1Reset
 *
 *  Description:
 *      This function will initialize the SHA1Context in preparation
 *      for computing a new SHA1 message digest.
 *
 *  Parameters:
 *      context: [in/out]
 *          The context to reset.
 *
 *  Returns:
 *      sha Error Code.
 *
 */
int SHA1Reset(SHA1Context *context)
{
    if (!context)
        return shaNull;

    context->Length_Low             = 0;
    context->Length_High            = 0;
    context->Message_Block_Index    = 0;

    /* Initial Hash Values: FIPS-180-2 section 5.3.1 */
    context->Intermediate_Hash[0]   = 0x67452301;
    context->Intermediate_Hash[1]   = 0xEFCDAB89;
    context->Intermediate_Hash[2]   = 0x98BADCFE;
    context->Intermediate_Hash[3]   = 0x10325476;
    context->Intermediate_Hash[4]   = 0xC3D2E1F0;

    context->Computed   = 0;
    context->Corrupted  = 0;

    return shaSuccess;
}

/*
 *  SHA1Input
 *
 *  Description:
 *      This function accepts an array of octets as the next portion
 *      of the message.
 *
 *  Parameters:
 *      context: [in/out]
 *          The SHA context to update
 *      message_array: [in]


D. Eastlake 3rd, T. Hansen                                     [Page 21]

INTERNET-DRAFT                   US SHAs                       June 2005


 *          An array of characters representing the next portion of
 *          the message.
 *      length: [in]
 *          The length of the message in message_array
 *
 *  Returns:
 *      sha Error Code.
 *
 */
int SHA1Input(SHA1Context *context,
    const uint8_t *message_array, unsigned length)
{
  if (!length)
    return shaSuccess;

  if (!context || !message_array)
    return shaNull;

  if (context->Computed) {
    context->Corrupted = shaStateError;
    return shaStateError;
  }

  if (context->Corrupted)
     return context->Corrupted;

  while (length-- && !context->Corrupted) {
    context->Message_Block[context->Message_Block_Index++] =
      (*message_array & 0xFF);

    if (!SHA1AddLength(context, 8) &&
      (context->Message_Block_Index == SHA1_Message_Block_Size))
      SHA1ProcessMessageBlock(context);

    message_array++;
  }

  return shaSuccess;
}

/*
 * SHA1FinalBits
 *
 * Description:
 *   This function will add in any final bits of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_bits: [in]


D. Eastlake 3rd, T. Hansen                                     [Page 22]

INTERNET-DRAFT                   US SHAs                       June 2005


 *     The final bits of the message, in the upper portion of the
 *     byte. (Use 0b###00000 instead of 0b00000### to input the
 *     three bits ###.)
 *   length: [in]
 *     The number of bits in message_bits, between 1 and 7.
 *
 * Returns:
 *   sha Error Code.
 */
int SHA1FinalBits(SHA1Context *context, const uint8_t message_bits,
        unsigned int length)
{
  uint8_t masks[8] = {
      /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
      /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
      /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
      /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
  };
  uint8_t markbit[8] = {
      /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
      /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
      /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
      /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
  };

  if (!length)
    return shaSuccess;

  if (!context)
    return shaNull;

  if (context->Computed || (length >= 8) || (length == 0)) {
    context->Corrupted = shaStateError;
    return shaStateError;
  }

  if (context->Corrupted)
     return context->Corrupted;

  SHA1AddLength(context, length);
  SHA1Finalize(context,
    (message_bits & masks[length]) | markbit[length]);

  return shaSuccess;
}

/*
 * SHA1Result
 *
 * Description:


D. Eastlake 3rd, T. Hansen                                     [Page 23]

INTERNET-DRAFT                   US SHAs                       June 2005


 *   This function will return the 160-bit message digest into the
 *   Message_Digest array provided by the caller.
 *   NOTE: The first octet of hash is stored in the 0th element,
 *      the last octet of hash in the 19th element.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to use to calculate the SHA-1 hash.
 *   Message_Digest: [out]
 *     Where the digest is returned.
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA1Result(SHA1Context *context,
    uint8_t Message_Digest[SHA1HashSize])
{
  int i;

  if (!context || !Message_Digest)
    return shaNull;

  if (context->Corrupted)
    return context->Corrupted;

  if (!context->Computed)
    SHA1Finalize(context, 0x80);

  for (i = 0; i < SHA1HashSize; ++i)
    Message_Digest[i] = context->Intermediate_Hash[i>>2]
              >> 8 * ( 3 - ( i & 0x03 ) );

  return shaSuccess;
}

/*
 * SHA1Finalize
 *
 * Description:
 *   This helper function finishes off the digest calculations.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   Pad_Byte: [in]
 *     The last byte to add to the digest before the 0-padding
 *     and length. This will contain the last bits of the message
 *     followed by another single bit. If the message was an
 *     exact multiple of 8-bits long, Pad_Byte will be 0x80.


D. Eastlake 3rd, T. Hansen                                     [Page 24]

INTERNET-DRAFT                   US SHAs                       June 2005


 *
 * Returns:
 *   sha Error Code.
 *
 */
static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte)
{
  int i;
  SHA1PadMessage(context, Pad_Byte);
  /* message may be sensitive, clear it out */
  for (i = 0; i < SHA1_Message_Block_Size; ++i)
    context->Message_Block[i] = 0;
  context->Length_Low = 0;  /* and clear length */
  context->Length_High = 0;
  context->Computed = 1;
}

/*
 * SHA1PadMessage
 *
 * Description:
 *   According to the standard, the message must be padded to an
 *   even 512 bits. The first padding bit must be a '1'. The last
 *   64 bits represent the length of the original message. All bits
 *   in between should be 0. This helper function will pad the
 *   message according to those rules by filling the Message_Block
 *   array accordingly. When it returns, it can be assumed that the
 *   message digest has been computed.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to pad
 *   Pad_Byte: [in]
 *     The last byte to add to the digest before the 0-padding
 *     and length. This will contain the last bits of the message
 *     followed by another single bit. If the message was an
 *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
 *
 * Returns:
 *   Nothing.
 */
static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte)
{
  /*
   * Check to see if the current message block is too small to hold
   * the initial padding bits and length. If so, we will pad the
   * block, process it, and then continue padding into a second
   * block.
   */
  if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) {


D. Eastlake 3rd, T. Hansen                                     [Page 25]

INTERNET-DRAFT                   US SHAs                       June 2005


    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
    while (context->Message_Block_Index < SHA1_Message_Block_Size)
      context->Message_Block[context->Message_Block_Index++] = 0;

    SHA1ProcessMessageBlock(context);
  } else
    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;

  while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8))
    context->Message_Block[context->Message_Block_Index++] = 0;

  /*
   * Store the message length as the last 8 octets
   */
  context->Message_Block[56] = context->Length_High >> 24;
  context->Message_Block[57] = context->Length_High >> 16;
  context->Message_Block[58] = context->Length_High >> 8;
  context->Message_Block[59] = context->Length_High;
  context->Message_Block[60] = context->Length_Low >> 24;
  context->Message_Block[61] = context->Length_Low >> 16;
  context->Message_Block[62] = context->Length_Low >> 8;
  context->Message_Block[63] = context->Length_Low;

  SHA1ProcessMessageBlock(context);
}

/*
 * SHA1ProcessMessageBlock
 *
 * Description:
 *   This helper function will process the next 512 bits of the
 *   message stored in the Message_Block array.
 *
 * Parameters:
 *   None.
 *
 * Returns:
 *   Nothing.
 *
 * Comments:
 *   Many of the variable names in this code, especially the
 *   single character names, were used because those were the
 *   names used in the publication.
 */
static void SHA1ProcessMessageBlock(SHA1Context *context)
{
  /* Constants defined in FIPS-180-2, section 4.2.1 */
  const uint32_t K[4] = {
      0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6
  };


D. Eastlake 3rd, T. Hansen                                     [Page 26]

INTERNET-DRAFT                   US SHAs                       June 2005


  int        t;               /* Loop counter */
  uint32_t   temp;            /* Temporary word value */
  uint32_t   W[80];           /* Word sequence */
  uint32_t   A, B, C, D, E;   /* Word buffers */

  /*
   * Initialize the first 16 words in the array W
   */
  for (t = 0; t < 16; t++) {
    W[t]  = context->Message_Block[t * 4] << 24;
    W[t] |= context->Message_Block[t * 4 + 1] << 16;
    W[t] |= context->Message_Block[t * 4 + 2] << 8;
    W[t] |= context->Message_Block[t * 4 + 3];
  }

  for (t = 16; t < 80; t++)
    W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);

  A = context->Intermediate_Hash[0];
  B = context->Intermediate_Hash[1];
  C = context->Intermediate_Hash[2];
  D = context->Intermediate_Hash[3];
  E = context->Intermediate_Hash[4];

  for (t = 0; t < 20; t++) {
    temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0];
    E = D;
    D = C;
    C = SHA1_ROTL(30,B);
    B = A;
    A = temp;
  }

  for (t = 20; t < 40; t++) {
    temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1];
    E = D;
    D = C;
    C = SHA1_ROTL(30,B);
    B = A;
    A = temp;
  }

  for (t = 40; t < 60; t++) {
    temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2];
    E = D;
    D = C;
    C = SHA1_ROTL(30,B);
    B = A;
    A = temp;
  }


D. Eastlake 3rd, T. Hansen                                     [Page 27]

INTERNET-DRAFT                   US SHAs                       June 2005


  for (t = 60; t < 80; t++) {
    temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3];
    E = D;
    D = C;
    C = SHA1_ROTL(30,B);
    B = A;
    A = temp;
  }

  context->Intermediate_Hash[0] += A;
  context->Intermediate_Hash[1] += B;
  context->Intermediate_Hash[2] += C;
  context->Intermediate_Hash[3] += D;
  context->Intermediate_Hash[4] += E;

  context->Message_Block_Index = 0;
}



7.2.2 sha224-256.c

/*************************** sha224-256.c ***************************/
/*
 * Description:
 *   This file implements the Secure Hash Signature Standard
 *   algorithms as defined in the National Institute of Standards
 *   and Technology Federal Information Processing Standards
 *   Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
 *   published on August 1, 2002, and the FIPS PUB 180-2 Change
 *   Notice published on February 28, 2004.
 *
 *   A combined document showing all algorithms is available at
 *       http://csrc.nist.gov/publications/fips/
 *       fips180-2/fips180-2withchangenotice.pdf
 *
 *   The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
 *   message digests for a given data stream. It should take about
 *   2**n steps to find a message with the same digest as a given
 *   message and 2**(n/2) to find any two messages with the same
 *   digest, when n is the digest size in bits. Therefore, this
 *   algorithm can serve as a means of providing a
 *   "fingerprint" for a message.
 *
 * Portability Issues:
 *   SHA-224 and SHA-256 are defined in terms of 32-bit "words".
 *   This code uses <stdint.h> (included via "sha.h") to define 32
 *   and 8 bit unsigned integer types. If your C compiler does not
 *   support 32 bit unsigned integers, this code is not
 *   appropriate.


D. Eastlake 3rd, T. Hansen                                     [Page 28]

INTERNET-DRAFT                   US SHAs                       June 2005


 *
 * Caveats:
 *   SHA-224 and SHA-256 are designed to work with messages less
 *   than 2^64 bits long. This implementation uses SHA224/256Input()
 *   to hash the bits that are a multiple of the size of an 8-bit
 *   character, and then uses SHA224/256FinalBits() to hash the
 *   final few bits of the input.
 */

#include "sha.h"
#include "sha-private.h"

/* Define the SHA shift, rotate left and rotate right macro */
#define SHA256_SHR(bits,word)      ((word) >> (bits))
#define SHA256_ROTL(bits,word)                         \
  (((word) << (bits)) | ((word) >> (32-(bits))))
#define SHA256_ROTR(bits,word)                         \
  (((word) >> (bits)) | ((word) << (32-(bits))))

/* Define the SHA SIGMA and sigma macros */
#define SHA256_SIGMA0(word)   \
  (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
#define SHA256_SIGMA1(word)   \
  (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
#define SHA256_sigma0(word)   \
  (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
#define SHA256_sigma1(word)   \
  (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))

/*
 * add "length" to the length
 */
static uint32_t addTemp;
#define SHA224_256AddLength(context, length)               \
  (addTemp = (context)->Length_Low, (context)->Corrupted = \
    (((context)->Length_Low += (length)) < addTemp) &&     \
    (++(context)->Length_High == 0) ? 1 : 0)

/* Local Function Prototypes */
static void SHA224_256Finalize(SHA256Context *context,
  uint8_t Pad_Byte);
static void SHA224_256PadMessage(SHA256Context *context,
  uint8_t Pad_Byte);
static void SHA224_256ProcessMessageBlock(SHA256Context *context);
static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);
static int SHA224_256ResultN(SHA256Context *context,
  uint8_t Message_Digest[], int HashSize);

/* Initial Hash Values: FIPS-180-2 Change Notice 1 */
static uint32_t SHA224_H0[SHA256HashSize/4] = {


D. Eastlake 3rd, T. Hansen                                     [Page 29]

INTERNET-DRAFT                   US SHAs                       June 2005


    0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
    0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
};

/* Initial Hash Values: FIPS-180-2 section 5.3.2 */
static uint32_t SHA256_H0[SHA256HashSize/4] = {
  0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
  0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
};

/*
 * SHA224Reset
 *
 * Description:
 *   This function will initialize the SHA384Context in preparation
 *   for computing a new SHA224 message digest.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to reset.
 *
 * Returns:
 *   sha Error Code.
 */
int SHA224Reset(SHA224Context *context)
{
  return SHA224_256Reset(context, SHA224_H0);
}

/*
 * SHA224Input
 *
 * Description:
 *   This function accepts an array of octets as the next portion
 *   of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_array: [in]
 *     An array of characters representing the next portion of
 *     the message.
 *   length: [in]
 *     The length of the message in message_array
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA224Input(SHA224Context *context, const uint8_t *message_array,


D. Eastlake 3rd, T. Hansen                                     [Page 30]

INTERNET-DRAFT                   US SHAs                       June 2005


    unsigned int length)
{
  return SHA256Input(context, message_array, length);
}

/*
 * SHA224FinalBits
 *
 * Description:
 *   This function will add in any final bits of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_bits: [in]
 *     The final bits of the message, in the upper portion of the
 *     byte. (Use 0b###00000 instead of 0b00000### to input the
 *     three bits ###.)
 *   length: [in]
 *     The number of bits in message_bits, between 1 and 7.
 *
 * Returns:
 *   sha Error Code.
 */
int SHA224FinalBits( SHA224Context *context,
    const uint8_t message_bits, unsigned int length)
{
  return SHA256FinalBits(context, message_bits, length);
}

/*
 * SHA224Result
 *
 * Description:
 *   This function will return the 224-bit message
 *   digest into the Message_Digest array provided by the caller.
 *   NOTE: The first octet of hash is stored in the 0th element,
 *      the last octet of hash in the 28th element.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to use to calculate the SHA hash.
 *   Message_Digest: [out]
 *     Where the digest is returned.
 *
 * Returns:
 *   sha Error Code.
 */
int SHA224Result(SHA224Context *context,
    uint8_t Message_Digest[SHA224HashSize])


D. Eastlake 3rd, T. Hansen                                     [Page 31]

INTERNET-DRAFT                   US SHAs                       June 2005


{
  return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
}

/*
 * SHA256Reset
 *
 * Description:
 *   This function will initialize the SHA256Context in preparation
 *   for computing a new SHA256 message digest.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to reset.
 *
 * Returns:
 *   sha Error Code.
 */
int SHA256Reset(SHA256Context *context)
{
  return SHA224_256Reset(context, SHA256_H0);
}

/*
 * SHA256Input
 *
 * Description:
 *   This function accepts an array of octets as the next portion
 *   of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_array: [in]
 *     An array of characters representing the next portion of
 *     the message.
 *   length: [in]
 *     The length of the message in message_array
 *
 * Returns:
 *   sha Error Code.
 */
int SHA256Input(SHA256Context *context, const uint8_t *message_array,
    unsigned int length)
{
  if (!length)
    return shaSuccess;

  if (!context || !message_array)
    return shaNull;


D. Eastlake 3rd, T. Hansen                                     [Page 32]

INTERNET-DRAFT                   US SHAs                       June 2005


  if (context->Computed) {
    context->Corrupted = shaStateError;
    return shaStateError;
  }

  if (context->Corrupted)
     return context->Corrupted;

  while (length-- && !context->Corrupted) {
    context->Message_Block[context->Message_Block_Index++] =
            (*message_array & 0xFF);

    if (!SHA224_256AddLength(context, 8) &&
      (context->Message_Block_Index == SHA256_Message_Block_Size))
      SHA224_256ProcessMessageBlock(context);

    message_array++;
  }

  return shaSuccess;

}

/*
 * SHA256FinalBits
 *
 * Description:
 *   This function will add in any final bits of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_bits: [in]
 *     The final bits of the message, in the upper portion of the
 *     byte. (Use 0b###00000 instead of 0b00000### to input the
 *     three bits ###.)
 *   length: [in]
 *     The number of bits in message_bits, between 1 and 7.
 *
 * Returns:
 *   sha Error Code.
 */
int SHA256FinalBits(SHA256Context *context,
    const uint8_t message_bits, unsigned int length)
{
  uint8_t masks[8] = {
      /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
      /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
      /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
      /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE


D. Eastlake 3rd, T. Hansen                                     [Page 33]

INTERNET-DRAFT                   US SHAs                       June 2005


  };
  uint8_t markbit[8] = {
      /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
      /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
      /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
      /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
  };

  if (!length)
    return shaSuccess;

  if (!context)
    return shaNull;

  if ((context->Computed) || (length >= 8) || (length == 0)) {
    context->Corrupted = shaStateError;
    return shaStateError;
  }

  if (context->Corrupted)
    return context->Corrupted;

  SHA224_256AddLength(context, length);
  SHA224_256Finalize(context,
    (message_bits & masks[length]) | markbit[length]);

  return shaSuccess;
}

/*
 * SHA256Result
 *
 * Description:
 *   This function will return the 256-bit message
 *   digest into the Message_Digest array provided by the caller.
 *   NOTE: The first octet of hash is stored in the 0th element,
 *      the last octet of hash in the 32nd element.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to use to calculate the SHA hash.
 *   Message_Digest: [out]
 *     Where the digest is returned.
 *
 * Returns:
 *   sha Error Code.
 */
int SHA256Result(SHA256Context *context, uint8_t Message_Digest[])
{
  return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);


D. Eastlake 3rd, T. Hansen                                     [Page 34]

INTERNET-DRAFT                   US SHAs                       June 2005


}

/*
 * SHA224_256Finalize
 *
 * Description:
 *   This helper function finishes off the digest calculations.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   Pad_Byte: [in]
 *     The last byte to add to the digest before the 0-padding
 *     and length. This will contain the last bits of the message
 *     followed by another single bit. If the message was an
 *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
 *
 * Returns:
 *   sha Error Code.
 */
static void SHA224_256Finalize(SHA256Context *context,
    uint8_t Pad_Byte)
{
  int i;
  SHA224_256PadMessage(context, Pad_Byte);
  /* message may be sensitive, so clear it out */
  for (i = 0; i < SHA256_Message_Block_Size; ++i)
    context->Message_Block[i] = 0;
  context->Length_Low = 0;  /* and clear length */
  context->Length_High = 0;
  context->Computed = 1;
}

/*
 * SHA224_256PadMessage
 *
 * Description:
 *   According to the standard, the message must be padded to an
 *   even 512 bits. The first padding bit must be a '1'. The
 *   last 64 bits represent the length of the original message.
 *   All bits in between should be 0. This helper function will pad
 *   the message according to those rules by filling the
 *   Message_Block array accordingly. When it returns, it can be
 *   assumed that the message digest has been computed.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to pad
 *   Pad_Byte: [in]
 *     The last byte to add to the digest before the 0-padding


D. Eastlake 3rd, T. Hansen                                     [Page 35]

INTERNET-DRAFT                   US SHAs                       June 2005


 *     and length. This will contain the last bits of the message
 *     followed by another single bit. If the message was an
 *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
 *
 * Returns:
 *   Nothing.
 */
static void SHA224_256PadMessage(SHA256Context *context,
    uint8_t Pad_Byte)
{
  /*
   * Check to see if the current message block is too small to hold
   * the initial padding bits and length. If so, we will pad the
   * block, process it, and then continue padding into a second
   * block.
   */
  if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
    while (context->Message_Block_Index < SHA256_Message_Block_Size)
      context->Message_Block[context->Message_Block_Index++] = 0;
    SHA224_256ProcessMessageBlock(context);
  } else
    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;

  while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
    context->Message_Block[context->Message_Block_Index++] = 0;

  /*
   * Store the message length as the last 8 octets
   */
  context->Message_Block[56] = context->Length_High >> 24;
  context->Message_Block[57] = context->Length_High >> 16;
  context->Message_Block[58] = context->Length_High >> 8;
  context->Message_Block[59] = context->Length_High;
  context->Message_Block[60] = context->Length_Low >> 24;
  context->Message_Block[61] = context->Length_Low >> 16;
  context->Message_Block[62] = context->Length_Low >> 8;
  context->Message_Block[63] = context->Length_Low;

  SHA224_256ProcessMessageBlock(context);
}

/*
 * SHA224_256ProcessMessageBlock
 *
 * Description:
 *   This function will process the next 512 bits of the message
 *   stored in the Message_Block array.
 *
 * Parameters:


D. Eastlake 3rd, T. Hansen                                     [Page 36]

INTERNET-DRAFT                   US SHAs                       June 2005


 *   context: [in/out]
 *     The SHA context to update
 *
 * Returns:
 *   Nothing.
 *
 * Comments:
 *   Many of the variable names in this code, especially the
 *   single character names, were used because those were the
 *   names used in the publication.
 */
static void SHA224_256ProcessMessageBlock(SHA256Context *context)
{
  /* Constants defined in FIPS-180-2, section 4.2.2 */
  static const uint32_t K[64] = {
      0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
      0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
      0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
      0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
      0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
      0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
      0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
      0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
      0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
      0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
      0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
      0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
      0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
  };
  int        t, t4;                   /* Loop counter */
  uint32_t   temp1, temp2;            /* Temporary word value */
  uint32_t   W[64];                   /* Word sequence */
  uint32_t   A, B, C, D, E, F, G, H;  /* Word buffers */

  /*
   * Initialize the first 16 words in the array W
   */
  for (t = t4 = 0; t < 16; t++, t4 += 4)
    W[t] = (context->Message_Block[t4] << 24) |
        (context->Message_Block[t4 + 1] << 16) |
        (context->Message_Block[t4 + 2] << 8) |
        (context->Message_Block[t4 + 3]);

  for (t = 16; t < 64; t++)
    W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
        SHA256_sigma0(W[t-15]) + W[t-16];

  A = context->Intermediate_Hash[0];
  B = context->Intermediate_Hash[1];
  C = context->Intermediate_Hash[2];


D. Eastlake 3rd, T. Hansen                                     [Page 37]

INTERNET-DRAFT                   US SHAs                       June 2005


  D = context->Intermediate_Hash[3];
  E = context->Intermediate_Hash[4];
  F = context->Intermediate_Hash[5];
  G = context->Intermediate_Hash[6];
  H = context->Intermediate_Hash[7];

  for (t = 0; t < 64; t++) {
    temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
    temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
    H = G;
    G = F;
    F = E;
    E = D + temp1;
    D = C;
    C = B;
    B = A;
    A = temp1 + temp2;
  }

  context->Intermediate_Hash[0] += A;
  context->Intermediate_Hash[1] += B;
  context->Intermediate_Hash[2] += C;
  context->Intermediate_Hash[3] += D;
  context->Intermediate_Hash[4] += E;
  context->Intermediate_Hash[5] += F;
  context->Intermediate_Hash[6] += G;
  context->Intermediate_Hash[7] += H;

  context->Message_Block_Index = 0;
}

/*
 * SHA224_256Reset
 *
 * Description:
 *   This helper function will initialize the SHA256Context in
 *   preparation for computing a new SHA256 message digest.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to reset.
 *   H0
 *     The initial hash value to use.
 *
 * Returns:
 *   sha Error Code.
 */
static int SHA224_256Reset(SHA256Context *context, uint32_t *H0)
{
  if (!context)


D. Eastlake 3rd, T. Hansen                                     [Page 38]

INTERNET-DRAFT                   US SHAs                       June 2005


    return shaNull;

  context->Length_Low           = 0;
  context->Length_High          = 0;
  context->Message_Block_Index  = 0;

  context->Intermediate_Hash[0] = H0[0];
  context->Intermediate_Hash[1] = H0[1];
  context->Intermediate_Hash[2] = H0[2];
  context->Intermediate_Hash[3] = H0[3];
  context->Intermediate_Hash[4] = H0[4];
  context->Intermediate_Hash[5] = H0[5];
  context->Intermediate_Hash[6] = H0[6];
  context->Intermediate_Hash[7] = H0[7];

  context->Computed  = 0;
  context->Corrupted = 0;

  return shaSuccess;
}

/*
 * SHA224_256ResultN
 *
 * Description:
 *   This helper function will return the 224-bit or 256-bit message
 *   digest into the Message_Digest array provided by the caller.
 *   NOTE: The first octet of hash is stored in the 0th element,
 *      the last octet of hash in the 28th/32nd element.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to use to calculate the SHA hash.
 *   Message_Digest: [out]
 *     Where the digest is returned.
 *   HashSize: [in]
 *     The size of the hash, either 28 or 32.
 *
 * Returns:
 *   sha Error Code.
 */
static int SHA224_256ResultN(SHA256Context *context,
    uint8_t Message_Digest[], int HashSize)
{
  int i;

  if (!context || !Message_Digest)
    return shaNull;

  if (context->Corrupted)


D. Eastlake 3rd, T. Hansen                                     [Page 39]

INTERNET-DRAFT                   US SHAs                       June 2005


    return context->Corrupted;

  if (!context->Computed)
    SHA224_256Finalize(context, 0x80);

  for (i = 0; i < HashSize; ++i)
    Message_Digest[i] =
     context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) );

  return shaSuccess;
}



7.2.3 sha384-512.c

/*************************** sha384-512.c ***************************/
/*
 * Description:
 *   This file implements the Secure Hash Signature Standard
 *   algorithms as defined in the National Institute of Standards
 *   and Technology Federal Information Processing Standards
 *   Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
 *   published on August 1, 2002, and the FIPS PUB 180-2 Change
 *   Notice published on February 28, 2004.
 *
 *   A combined document showing all algorithms is available at
 *       http://csrc.nist.gov/publications/fips/
 *       fips180-2/fips180-2withchangenotice.pdf
 *
 *   The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
 *   message digests for a given data stream. It should take about
 *   2**n steps to find a message with the same digest as a given
 *   message and 2**(n/2) to find any two messages with the same
 *   digest, when n is the digest size in bits. Therefore, this
 *   algorithm can serve as a means of providing a
 *   "fingerprint" for a message.
 *
 * Portability Issues:
 *   SHA-384 and SHA-512 are defined in terms of 64-bit "words",
 *   but if USE_32BIT_ONLY is #defined, this code is implemented in
 *   terms of 32-bit "words". This code uses <stdint.h> (included
 *   via "sha.h") to define the 64, 32 and 8 bit unsigned integer
 *   types. If your C compiler does not support 64 bit unsigned
 *   integers, and you do not #define USE_32BIT_ONLY, this code is
 *   not appropriate.
 *
 * Caveats:
 *   SHA-384 and SHA-512 are designed to work with messages less
 *   than 2^128 bits long. This implementation uses


D. Eastlake 3rd, T. Hansen                                     [Page 40]

INTERNET-DRAFT                   US SHAs                       June 2005


 *   SHA384/512Input() to hash the bits that are a multiple of the
 *   size of an 8-bit character, and then uses SHA384/256FinalBits()
 *   to hash the final few bits of the input.
 *
 */

#include "sha.h"
#include "sha-private.h"

#ifdef USE_32BIT_ONLY
/*
 * Define 64-bit arithmetic in terms of 32-bit arithmetic.
 * Each 64-bit number is represented in a 2-word array.
 * All macros are defined such that the result is the last parameter.
 */

/*
 * Define shift, rotate left and rotate right functions
 */
#define SHA512_SHR(bits, word, ret) (                          \
    /* (((uint64_t)((word))) >> (bits)) */                     \
    (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ?              \
      ((word)[0] >> (bits)) : 0,                               \
    (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) :  \
      ((bits) == 32) ? (word)[0] :                             \
      ((bits) >= 0) ?                                          \
        (((word)[0] << (32 - (bits))) |                        \
        ((word)[1] >> (bits))) : 0 )

#define SHA512_SHL(bits, word, ret) (                          \
    /* (((uint64_t)(word)) << (bits)) */                       \
    (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) :  \
         ((bits) == 32) ? (word)[1] :                          \
         ((bits) >= 0) ?                                       \
           (((word)[0] << (bits)) |                            \
           ((word)[1] >> (32 - (bits)))) :                     \
         0,                                                    \
    (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ?              \
        ((word)[1] << (bits)) : 0 )

/*
 * Define 64-bit OR
 */
#define SHA512_OR(word1, word2, ret) (                         \
    (ret)[0] = (word1)[0] | (word2)[0],                        \
    (ret)[1] = (word1)[1] | (word2)[1] )

/*
 * Define 64-bit XOR
 */


D. Eastlake 3rd, T. Hansen                                     [Page 41]

INTERNET-DRAFT                   US SHAs                       June 2005


#define SHA512_XOR(word1, word2, ret) (                        \
    (ret)[0] = (word1)[0] ^ (word2)[0],                        \
    (ret)[1] = (word1)[1] ^ (word2)[1] )

/*
 * Define 64-bit AND
 */
#define SHA512_AND(word1, word2, ret) (                        \
    (ret)[0] = (word1)[0] & (word2)[0],                        \
    (ret)[1] = (word1)[1] & (word2)[1] )

/*
 * Define 64-bit TILDA
 */
#define SHA512_TILDA(word, ret)                                \
  ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )

/*
 * Define 64-bit ADD
 */
#define SHA512_ADD(word1, word2, ret) (                        \
    (ret)[1] = (word1)[1], (ret)[1] += (word2)[1],             \
    (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )

/*
 * Add the 4word value in word2 to word1.
 */
static uint32_t ADDTO4_temp, ADDTO4_temp2;
#define SHA512_ADDTO4(word1, word2) (                          \
    ADDTO4_temp = (word1)[3],                                  \
    (word1)[3] += (word2)[3],                                  \
    ADDTO4_temp2 = (word1)[2],                                 \
    (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp),     \
    ADDTO4_temp = (word1)[1],                                  \
    (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2),    \
    (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )

/*
 * Add the 2word value in word2 to word1.
 */
static uint32_t ADDTO2_temp;
#define SHA512_ADDTO2(word1, word2) (                          \
    ADDTO2_temp = (word1)[1],                                  \
    (word1)[1] += (word2)[1],                                  \
    (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )

/*
 * SHA rotate   ((word >> bits) | (word << (64-bits)))
 */
static uint32_t ROTR_temp1[2], ROTR_temp2[2];


D. Eastlake 3rd, T. Hansen                                     [Page 42]

INTERNET-DRAFT                   US SHAs                       June 2005


#define SHA512_ROTR(bits, word, ret) (                         \
    SHA512_SHR((bits), (word), ROTR_temp1),                    \
    SHA512_SHL(64-(bits), (word), ROTR_temp2),                 \
    SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )

/*
 * Define the SHA SIGMA and sigma macros
 *  SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
 */
static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
  SIGMA0_temp3[2], SIGMA0_temp4[2];
#define SHA512_SIGMA0(word, ret) (                             \
    SHA512_ROTR(28, (word), SIGMA0_temp1),                     \
    SHA512_ROTR(34, (word), SIGMA0_temp2),                     \
    SHA512_ROTR(39, (word), SIGMA0_temp3),                     \
    SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4),      \
    SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )

/*
 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
 */
static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
  SIGMA1_temp3[2], SIGMA1_temp4[2];
#define SHA512_SIGMA1(word, ret) (                             \
    SHA512_ROTR(14, (word), SIGMA1_temp1),                     \
    SHA512_ROTR(18, (word), SIGMA1_temp2),                     \
    SHA512_ROTR(41, (word), SIGMA1_temp3),                     \
    SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4),      \
    SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )

/*
 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
 */
static uint32_t sigma0_temp1[2], sigma0_temp2[2],
  sigma0_temp3[2], sigma0_temp4[2];
#define SHA512_sigma0(word, ret) (                             \
    SHA512_ROTR( 1, (word), sigma0_temp1),                     \
    SHA512_ROTR( 8, (word), sigma0_temp2),                     \
    SHA512_SHR( 7, (word), sigma0_temp3),                      \
    SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4),      \
    SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )

/*
 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
 */
static uint32_t sigma1_temp1[2], sigma1_temp2[2],
  sigma1_temp3[2], sigma1_temp4[2];
#define SHA512_sigma1(word, ret) (                             \
    SHA512_ROTR(19, (word), sigma1_temp1),                     \
    SHA512_ROTR(61, (word), sigma1_temp2),                     \


D. Eastlake 3rd, T. Hansen                                     [Page 43]

INTERNET-DRAFT                   US SHAs                       June 2005


    SHA512_SHR( 6, (word), sigma1_temp3),                      \
    SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4),      \
    SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )

#undef SHA_Ch
#undef SHA_Maj

#ifndef USE_MODIFIED_MACROS
/*
 * These definitions are the ones used in FIPS-180-2, section 4.1.3
 *  Ch(x,y,z)   ((x & y) ^ (~x & z))
 */
static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
#define SHA_Ch(x, y, z, ret) (                                 \
    SHA512_AND(x, y, Ch_temp1),                                \
    SHA512_TILDA(x, Ch_temp2),                                 \
    SHA512_AND(Ch_temp2, z, Ch_temp3),                         \
    SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )

/*
 *  Maj(x,y,z)  (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
 */
static uint32_t Maj_temp1[2], Maj_temp2[2],
  Maj_temp3[2], Maj_temp4[2];
#define SHA_Maj(x, y, z, ret) (                                \
    SHA512_AND(x, y, Maj_temp1),                               \
    SHA512_AND(x, z, Maj_temp2),                               \
    SHA512_AND(y, z, Maj_temp3),                               \
    SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4),               \
    SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )

#else /* !USE_32BIT_ONLY */
/*
 * These definitions are potentially faster equivalents for the ones
 * used in FIPS-180-2, section 4.1.3.
 *   ((x & y) ^ (~x & z)) becomes
 *   ((x & (y ^ z)) ^ z)
 */
#define SHA_Ch(x, y, z, ret) (                                 \
   (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]),         \
   (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )

/*
 *   ((x & y) ^ (x & z) ^ (y & z)) becomes
 *   ((x & (y | z)) | (y & z))
 */
#define SHA_Maj(x, y, z, ret) (                                 \
   ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
   ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
#endif /* USE_MODIFIED_MACROS */


D. Eastlake 3rd, T. Hansen                                     [Page 44]

INTERNET-DRAFT                   US SHAs                       June 2005


/*
 * add "length" to the length
 */
static uint32_t addTemp[4] = { 0, 0, 0, 0 };
#define SHA384_512AddLength(context, length) (                        \
    addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
    (context)->Corrupted = (((context)->Length[3] == 0) &&            \
       ((context)->Length[2] == 0) && ((context)->Length[1] == 0) &&  \
       ((context)->Length[0] < 8)) ? 1 : 0 )

/* Local Function Prototypes */
static void SHA384_512Finalize(SHA512Context *context,
  uint8_t Pad_Byte);
static void SHA384_512PadMessage(SHA512Context *context,
  uint8_t Pad_Byte);
static void SHA384_512ProcessMessageBlock(SHA512Context *context);
static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]);
static int SHA384_512ResultN( SHA512Context *context,
  uint8_t Message_Digest[], int HashSize);

/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
static uint32_t SHA384_H0[SHA512HashSize/4] = {
    0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
    0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
    0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
    0xBEFA4FA4
};

static uint32_t SHA512_H0[SHA512HashSize/4] = {
    0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
    0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
    0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
    0x137E2179
};

#else /* !USE_32BIT_ONLY */

/* Define the SHA shift, rotate left and rotate right macro */
#define SHA512_SHR(bits,word)  (((uint64_t)(word)) >> (bits))
#define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
                                (((uint64_t)(word)) << (64-(bits))))

/* Define the SHA SIGMA and sigma macros */
#define SHA512_SIGMA0(word)   \
 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
#define SHA512_SIGMA1(word)   \
 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
#define SHA512_sigma0(word)   \
 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
#define SHA512_sigma1(word)   \


D. Eastlake 3rd, T. Hansen                                     [Page 45]

INTERNET-DRAFT                   US SHAs                       June 2005


 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))

/*
 * add "length" to the length
 */
static uint64_t addTemp;
#define SHA384_512AddLength(context, length)                   \
   (addTemp = context->Length_Low, context->Corrupted =        \
    ((context->Length_Low += length) < addTemp) &&             \
    (++context->Length_High == 0) ? 1 : 0)

/* Local Function Prototypes */
static void SHA384_512Finalize(SHA512Context *context,
  uint8_t Pad_Byte);
static void SHA384_512PadMessage(SHA512Context *context,
  uint8_t Pad_Byte);
static void SHA384_512ProcessMessageBlock(SHA512Context *context);
static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]);
static int SHA384_512ResultN(SHA512Context *context,
  uint8_t Message_Digest[], int HashSize);

/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
static uint64_t SHA384_H0[] = {
    0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll,
    0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll,
    0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll
};
static uint64_t SHA512_H0[] = {
    0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll,
    0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll,
    0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll
};

#endif /* USE_32BIT_ONLY */

/*
 * SHA384Reset
 *
 * Description:
 *   This function will initialize the SHA384Context in preparation
 *   for computing a new SHA384 message digest.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to reset.
 *
 * Returns:
 *   sha Error Code.
 *
 */


D. Eastlake 3rd, T. Hansen                                     [Page 46]

INTERNET-DRAFT                   US SHAs                       June 2005


int SHA384Reset(SHA384Context *context)
{
  return SHA384_512Reset(context, SHA384_H0);
}

/*
 * SHA384Input
 *
 * Description:
 *   This function accepts an array of octets as the next portion
 *   of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_array: [in]
 *     An array of characters representing the next portion of
 *     the message.
 *   length: [in]
 *     The length of the message in message_array
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA384Input(SHA384Context *context,
    const uint8_t *message_array, unsigned int length)
{
  return SHA512Input(context, message_array, length);
}

/*
 * SHA384FinalBits
 *
 * Description:
 *   This function will add in any final bits of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_bits: [in]
 *     The final bits of the message, in the upper portion of the
 *     byte. (Use 0b###00000 instead of 0b00000### to input the
 *     three bits ###.)
 *   length: [in]
 *     The number of bits in message_bits, between 1 and 7.
 *
 * Returns:
 *   sha Error Code.
 *


D. Eastlake 3rd, T. Hansen                                     [Page 47]

INTERNET-DRAFT                   US SHAs                       June 2005


 */
int SHA384FinalBits(SHA384Context *context,
    const uint8_t message_bits, unsigned int length)
{
  return SHA512FinalBits(context, message_bits, length);
}

/*
 * SHA384Result
 *
 * Description:
 *   This function will return the 384-bit message
 *   digest into the Message_Digest array provided by the caller.
 *   NOTE: The first octet of hash is stored in the 0th element,
 *      the last octet of hash in the 48th element.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to use to calculate the SHA hash.
 *   Message_Digest: [out]
 *     Where the digest is returned.
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA384Result(SHA384Context *context,
    uint8_t Message_Digest[SHA384HashSize])
{
  return SHA384_512ResultN(context, Message_Digest, SHA384HashSize);
}

/*
 * SHA512Reset
 *
 * Description:
 *   This function will initialize the SHA512Context in preparation
 *   for computing a new SHA512 message digest.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to reset.
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA512Reset(SHA512Context *context)
{
  return SHA384_512Reset(context, SHA512_H0);


D. Eastlake 3rd, T. Hansen                                     [Page 48]

INTERNET-DRAFT                   US SHAs                       June 2005


}

/*
 * SHA512Input
 *
 * Description:
 *   This function accepts an array of octets as the next portion
 *   of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_array: [in]
 *     An array of characters representing the next portion of
 *     the message.
 *   length: [in]
 *     The length of the message in message_array
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA512Input(SHA512Context *context,
        const uint8_t *message_array,
        unsigned int length)
{
  if (!length)
    return shaSuccess;

  if (!context || !message_array)
    return shaNull;

  if (context->Computed) {
    context->Corrupted = shaStateError;
    return shaStateError;
  }

  if (context->Corrupted)
     return context->Corrupted;

  while (length-- && !context->Corrupted) {
    context->Message_Block[context->Message_Block_Index++] =
            (*message_array & 0xFF);

    if (!SHA384_512AddLength(context, 8) &&
      (context->Message_Block_Index == SHA512_Message_Block_Size))
      SHA384_512ProcessMessageBlock(context);

    message_array++;
  }


D. Eastlake 3rd, T. Hansen                                     [Page 49]

INTERNET-DRAFT                   US SHAs                       June 2005


  return shaSuccess;
}

/*
 * SHA512FinalBits
 *
 * Description:
 *   This function will add in any final bits of the message.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   message_bits: [in]
 *     The final bits of the message, in the upper portion of the
 *     byte. (Use 0b###00000 instead of 0b00000### to input the
 *     three bits ###.)
 *   length: [in]
 *     The number of bits in message_bits, between 1 and 7.
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA512FinalBits(SHA512Context *context,
    const uint8_t message_bits, unsigned int length)
{
  uint8_t masks[8] = {
      /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
      /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
      /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
      /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
  };
  uint8_t markbit[8] = {
      /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
      /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
      /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
      /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
  };

  if (!length)
    return shaSuccess;

  if (!context)
    return shaNull;

  if ((context->Computed) || (length >= 8) || (length == 0)) {
    context->Corrupted = shaStateError;
    return shaStateError;
  }



D. Eastlake 3rd, T. Hansen                                     [Page 50]

INTERNET-DRAFT                   US SHAs                       June 2005


  if (context->Corrupted)
     return context->Corrupted;

  SHA384_512AddLength(context, length);
  SHA384_512Finalize(context,
    (message_bits & masks[length]) | markbit[length]);

  return shaSuccess;
}

/*
 * SHA384_512Finalize
 *
 * Description:
 *   This helper function finishes off the digest calculations.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *   Pad_Byte: [in]
 *     The last byte to add to the digest before the 0-padding
 *     and length. This will contain the last bits of the message
 *     followed by another single bit. If the message was an
 *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
 *
 * Returns:
 *   sha Error Code.
 *
 */
static void SHA384_512Finalize(SHA512Context *context,
    uint8_t Pad_Byte)
{
  int_least16_t i;
  SHA384_512PadMessage(context, Pad_Byte);
  /* message may be sensitive, clear it out */
  for (i = 0; i < SHA512_Message_Block_Size; ++i)
    context->Message_Block[i] = 0;
#ifdef USE_32BIT_ONLY    /* and clear length */
  context->Length[0] = context->Length[1] = 0;
  context->Length[2] = context->Length[3] = 0;
#else /* !USE_32BIT_ONLY */
  context->Length_Low = 0;
  context->Length_High = 0;
#endif /* USE_32BIT_ONLY */
  context->Computed = 1;
}

/*
 * SHA512Result
 *


D. Eastlake 3rd, T. Hansen                                     [Page 51]

INTERNET-DRAFT                   US SHAs                       June 2005


 * Description:
 *   This function will return the 512-bit message
 *   digest into the Message_Digest array provided by the caller.
 *   NOTE: The first octet of hash is stored in the 0th element,
 *      the last octet of hash in the 64th element.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to use to calculate the SHA hash.
 *   Message_Digest: [out]
 *     Where the digest is returned.
 *
 * Returns:
 *   sha Error Code.
 *
 */
int SHA512Result(SHA512Context *context,
    uint8_t Message_Digest[SHA512HashSize])
{
  return SHA384_512ResultN(context, Message_Digest, SHA512HashSize);
}

/*
 * SHA384_512PadMessage
 *
 * Description:
 *   According to the standard, the message must be padded to an
 *   even 1024 bits. The first padding bit must be a '1'. The
 *   last 128 bits represent the length of the original message.
 *   All bits in between should be 0. This helper function will
 *   pad the message according to those rules by filling the
 *   Message_Block array accordingly. When it returns, it can be
 *   assumed that the message digest has been computed.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to pad
 *   Pad_Byte: [in]
 *     The last byte to add to the digest before the 0-padding
 *     and length. This will contain the last bits of the message
 *     followed by another single bit. If the message was an
 *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
 *
 * Returns:
 *   Nothing.
 *
 */
static void SHA384_512PadMessage(SHA512Context *context,
    uint8_t Pad_Byte)
{


D. Eastlake 3rd, T. Hansen                                     [Page 52]

INTERNET-DRAFT                   US SHAs                       June 2005


  /*
   * Check to see if the current message block is too small to hold
   * the initial padding bits and length. If so, we will pad the
   * block, process it, and then continue padding into a second
   * block.
   */
  if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) {
    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
    while (context->Message_Block_Index <
        (SHA512_Message_Block_Size - 16))
      context->Message_Block[context->Message_Block_Index++] = 0;

    SHA384_512ProcessMessageBlock(context);
  } else
    context->Message_Block[context->Message_Block_Index++] = Pad_Byte;

  while (context->Message_Block_Index < (SHA512_Message_Block_Size-16))
    context->Message_Block[context->Message_Block_Index++] = 0;

  /*
   * Store the message length as the last 16 octets
   */
#ifdef USE_32BIT_ONLY
  context->Message_Block[112] = context->Length[0] >> 24;
  context->Message_Block[113] = context->Length[0] >> 16;
  context->Message_Block[114] = context->Length[0] >> 8;
  context->Message_Block[115] = context->Length[0];
  context->Message_Block[116] = context->Length[1] >> 24;
  context->Message_Block[117] = context->Length[1] >> 16;
  context->Message_Block[118] = context->Length[1] >> 8;
  context->Message_Block[119] = context->Length[1];

  context->Message_Block[120] = context->Length[2] >> 24;
  context->Message_Block[121] = context->Length[2] >> 16;
  context->Message_Block[122] = context->Length[2] >> 8;
  context->Message_Block[123] = context->Length[2];
  context->Message_Block[124] = context->Length[3] >> 24;
  context->Message_Block[125] = context->Length[3] >> 16;
  context->Message_Block[126] = context->Length[3] >> 8;
  context->Message_Block[127] = context->Length[3];
#else /* !USE_32BIT_ONLY */
  context->Message_Block[112] = context->Length_High >> 56;
  context->Message_Block[113] = context->Length_High >> 48;
  context->Message_Block[114] = context->Length_High >> 40;
  context->Message_Block[115] = context->Length_High >> 32;
  context->Message_Block[116] = context->Length_High >> 24;
  context->Message_Block[117] = context->Length_High >> 16;
  context->Message_Block[118] = context->Length_High >> 8;
  context->Message_Block[119] = context->Length_High;



D. Eastlake 3rd, T. Hansen                                     [Page 53]

INTERNET-DRAFT                   US SHAs                       June 2005


  context->Message_Block[120] = context->Length_Low >> 56;
  context->Message_Block[121] = context->Length_Low >> 48;
  context->Message_Block[122] = context->Length_Low >> 40;
  context->Message_Block[123] = context->Length_Low >> 32;
  context->Message_Block[124] = context->Length_Low >> 24;
  context->Message_Block[125] = context->Length_Low >> 16;
  context->Message_Block[126] = context->Length_Low >> 8;
  context->Message_Block[127] = context->Length_Low;
#endif /* USE_32BIT_ONLY */

  SHA384_512ProcessMessageBlock(context);
}

/*
 * SHA384_512ProcessMessageBlock
 *
 * Description:
 *   This helper function will process the next 1024 bits of the
 *   message stored in the Message_Block array.
 *
 * Parameters:
 *   context: [in/out]
 *     The SHA context to update
 *
 * Returns:
 *   Nothing.
 *
 * Comments:
 *   Many of the variable names in this code, especially the
 *   single character names, were used because those were the
 *   names used in the publication.
 *
 *
 */
static void SHA384_512ProcessMessageBlock(SHA512Context *context)
{
  /* Constants defined in FIPS-180-2, section 4.2.3 */
#ifdef USE_32BIT_ONLY
  static const uint32_t K[80*2] = {
      0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
      0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
      0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
      0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
      0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
      0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
      0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
      0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
      0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
      0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
      0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,


D. Eastlake 3rd, T. Hansen                                     [Page 54]

INTERNET-DRAFT                   US SHAs                       June 2005


      0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
      0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
      0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
      0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
      0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
      0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
      0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
      0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
      0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
      0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
      0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
      0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
      0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
      0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
      0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
      0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
      0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
      0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
      0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
      0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
      0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
  };
  int     t, t2, t8;                  /* Loop counter */
  uint32_t  temp1[2], temp2[2],       /* Temporary word values */
        temp3[2], temp4[2], temp5[2];
  uint32_t  W[2*80];                  /* Word sequence */
  uint32_t  A[2], B[2], C[2], D[2],   /* Word buffers */
        E[2], F[2], G[2], H[2];

  /* Initialize the first 16 words in the array W */
  for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) {
    W[t2++] = ((context->Message_Block[t8  ]) << 24) |
              ((context->Message_Block[t8 + 1]) << 16) |
              ((context->Message_Block[t8 + 2]) << 8) |
              ((context->Message_Block[t8 + 3]));
    W[t2++] = ((context->Message_Block[t8 + 4]) << 24) |
              ((context->Message_Block[t8 + 5]) << 16) |
              ((context->Message_Block[t8 + 6]) << 8) |
              ((context->Message_Block[t8 + 7]));
  }

  for (t = 16; t < 80; t++, t2 += 2) {
    /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
      SHA512_sigma0(W[t-15]) + W[t-16]; */
    uint32_t *Wt2 = &W[t2-2*2];
    uint32_t *Wt7 = &W[t2-7*2];
    uint32_t *Wt15 = &W[t2-15*2];
    uint32_t *Wt16 = &W[t2-16*2];
    SHA512_sigma1(Wt2, temp1);
    SHA512_ADD(temp1, Wt7, temp2);


D. Eastlake 3rd, T. Hansen                                     [Page 55]

INTERNET-DRAFT                   US SHAs                       June 2005


    SHA512_sigma0(Wt15, temp1);
    SHA512_ADD(temp1, Wt16, temp3);
    SHA512_ADD(temp2, temp3, &W[t2]);
  }

  A[0] = context->Intermediate_Hash[0];
  A[1] = context->Intermediate_Hash[1];
  B[0] = context->Intermediate_Hash[2];
  B[1] = context->Intermediate_Hash[3];
  C[0] = context->Intermediate_Hash[4];
  C[1] = context->Intermediate_Hash[5];
  D[0] = context->Intermediate_Hash[6];
  D[1] = context->Intermediate_Hash[7];
  E[0] = context->Intermediate_Hash[8];
  E[1] = context->Intermediate_Hash[9];
  F[0] = context->Intermediate_Hash[10];
  F[1] = context->Intermediate_Hash[11];
  G[0] = context->Intermediate_Hash[12];
  G[1] = context->Intermediate_Hash[13];
  H[0] = context->Intermediate_Hash[14];
  H[1] = context->Intermediate_Hash[15];

  for (t = t2 = 0; t < 80; t++, t2 += 2) {
    /*
     * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
     */
    SHA512_SIGMA1(E,temp1);
    SHA512_ADD(H, temp1, temp2);
    SHA_Ch(E,F,G,temp3);
    SHA512_ADD(temp2, temp3, temp4);
    SHA512_ADD(&K[t2], &W[t2], temp5);
    SHA512_ADD(temp4, temp5, temp1);
    /*
     * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
     */
    SHA512_SIGMA0(A,temp3);
    SHA_Maj(A,B,C,temp4);
    SHA512_ADD(temp3, temp4, temp2);
    H[0] = G[0]; H[1] = G[1];
    G[0] = F[0]; G[1] = F[1];
    F[0] = E[0]; F[1] = E[1];
    SHA512_ADD(D, temp1, E);
    D[0] = C[0]; D[1] = C[1];
    C[0] = B[0]; C[1] = B[1];
    B[0] = A[0]; B[1] = A[1];
    SHA512_ADD(temp1, temp2, A);
  }

  SHA512_ADDTO2(&context->Intermediate_Hash[0], A);
  SHA512_ADDTO2(&context->Intermediate_Hash[2], B);


D. Eastlake 3rd, T. Hansen                                     [Page 56]

INTERNET-DRAFT                   US SHAs                       June 2005


  SHA512_ADDTO2(&context->Intermediate_Hash[4], C);
  SHA512_ADDTO2(&context->Intermediate_Hash[6], D);
  SHA512_ADDTO2(&context->Intermediate_Hash[8], E);
  SHA512_ADDTO2(&context->Intermediate_Hash[10], F);
  SHA512_ADDTO2(&context->Intermediate_Hash[12], G);
  SHA512_ADDTO2(&context->Intermediate_Hash[14], H);

#else /* !USE_32BIT_ONLY */
  static const uint64_t K[80] = {
      0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll,
      0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll,
      0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll,
      0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll,
      0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll,
      0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll,
      0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll,
      0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll,
      0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll,
      0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll,
      0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll,
      0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll,
      0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll,
      0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll,
      0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll,
      0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll,
      0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll,
      0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll,
      0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll,
      0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll,
      0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll,
      0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll,
      0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll,
      0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll,
      0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll,
      0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All,
      0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll
  };
  int        t, t8;                   /* Loop counter */
  uint64_t   temp1, temp2;            /* Temporary word value */
  uint64_t   W[80];                   /* Word sequence */
  uint64_t   A, B, C, D, E, F, G, H;  /* Word buffers */

  /*
   * Initialize the first 16 words in the array W
   */
  for (t = t8 = 0; t < 16; t++, t8 += 8)
    W[t] = ((uint64_t)(context->Message_Block[t8  ]) << 56) |
           ((uint64_t)(context->Message_Block[t8 + 1]) << 48) |
           ((uint64_t)(context->Message_Block[t8 + 2]) << 40) |
           ((uint64_t)(context->Message_Block[t8 + 3]) << 32) |


D. Eastlake 3rd, T. Hansen                                     [Page 57]

INTERNET-DRAFT                   US SHAs                       June 2005


           ((uint64_t)(context->Message_Block[t8 + 4]) << 24) |
           ((uint64_t)(context->Message_Block[t8 + 5]) << 16) |
           ((uint64_t)(context->Message_Block[t8 + 6]) << 8) |
           ((uint64_t)(context->Message_Block[t8 + 7]));

  for (t = 16; t < 80; t++)
    W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
        SHA512_sigma0(W[t-15]) + W[t-16];

  A = context->Intermediate_Hash[0];
  B = context->Intermediate_Hash[1];
  C = context->Intermediate_Hash[2];
  D = context->Intermediate_Hash[3];
  E = context->Intermediate_Hash[4];
  F = context->Intermediate_Hash[5];
  G = context->Intermediate_Hash[6];
  H = context->Intermediate_Hash[7];

  for (t = 0; t < 80; t++) {
    temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
    temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
    H = G;
    G = F;
    F = E;
    E = D + temp1;
    D = C;
    C = B;
    B = A;
    A = temp1 + temp2;
  }

  context->Intermediate_Hash[0] += A;
  context->Intermediate_Hash[1] += B;
  context->Intermediate_Hash[2] += C;
  context->Intermediate_Hash[3] += D;
  context->Intermediate_Hash[4] += E;
  context->Intermediate_Hash[5] += F;
  context->Intermediate_Hash[6] += G;
  context->Intermediate_Hash[7] += H;
#endif /* USE_32BIT_ONLY */

  context->Message_Block_Index = 0;
}

/*
 * SHA384_512Reset
 *
 * Description:
 *   This helper function will initialize the SHA512Context in
 *   preparation for computing a new SHA384 or SHA512 message


D. Eastlake 3rd, T. Hansen                                     [Page 58]

INTERNET-DRAFT                   US SHAs                       June 2005


 *   digest.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to reset.
 *   H0
 *     The initial hash value to use.
 *
 * Returns:
 *   sha Error Code.
 *
 */
#ifdef USE_32BIT_ONLY
static int SHA384_512Reset(SHA512Context *context, uint32_t H0[])
#else /* !USE_32BIT_ONLY */
static int SHA384_512Reset(SHA512Context *context, uint64_t H0[])
#endif /* USE_32BIT_ONLY */
{
  int i;
  if (!context)
    return shaNull;

  context->Message_Block_Index = 0;

#ifdef USE_32BIT_ONLY
  context->Length[0] = context->Length[1] = 0;
  context->Length[2] = context->Length[3] = 0;

  for (i = 0; i < SHA512HashSize/4; i++)
    context->Intermediate_Hash[i] = H0[i];
#else /* !USE_32BIT_ONLY */
  context->Length_High = context->Length_Low = 0;

  for (i = 0; i < SHA512HashSize/8; i++)
    context->Intermediate_Hash[i] = H0[i];
#endif /* USE_32BIT_ONLY */

  context->Computed = 0;
  context->Corrupted = 0;

  return shaSuccess;
}

/*
 * SHA384_512ResultN
 *
 * Description:
 *   This helper function will return the 384-bit or 512-bit message
 *   digest into the Message_Digest array provided by the caller.
 *   NOTE: The first octet of hash is stored in the 0th element,


D. Eastlake 3rd, T. Hansen                                     [Page 59]

INTERNET-DRAFT                   US SHAs                       June 2005


 *      the last octet of hash in the 48th/64th element.
 *
 * Parameters:
 *   context: [in/out]
 *     The context to use to calculate the SHA hash.
 *   Message_Digest: [out]
 *     Where the digest is returned.
 *   HashSize: [in]
 *     The size of the hash, either 48 or 64.
 *
 * Returns:
 *   sha Error Code.
 *
 */
static int SHA384_512ResultN(SHA512Context *context,
    uint8_t Message_Digest[], int HashSize)
{
  int i;
#ifdef USE_32BIT_ONLY
  int i2;
#endif /* USE_32BIT_ONLY */

  if (!context || !Message_Digest)
    return shaNull;

  if (context->Corrupted)
    return context->Corrupted;

  if (!context->Computed)
    SHA384_512Finalize(context, 0x80);

#ifdef USE_32BIT_ONLY
  for (i = i2 = 0; i < HashSize; ) {
    Message_Digest[i++] = context->Intermediate_Hash[i2] >> 24;
    Message_Digest[i++] = context->Intermediate_Hash[i2] >> 16;
    Message_Digest[i++] = context->Intermediate_Hash[i2] >> 8;
    Message_Digest[i++] = context->Intermediate_Hash[i2++];
    Message_Digest[i++] = context->Intermediate_Hash[i2] >> 24;
    Message_Digest[i++] = context->Intermediate_Hash[i2] >> 16;
    Message_Digest[i++] = context->Intermediate_Hash[i2] >> 8;
    Message_Digest[i++] = context->Intermediate_Hash[i2++];
  }
#else /* !USE_32BIT_ONLY */
  for (i = 0; i < HashSize; ++i)
    Message_Digest[i] =
      context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) );
#endif /* USE_32BIT_ONLY */

  return shaSuccess;
}


D. Eastlake 3rd, T. Hansen                                     [Page 60]

INTERNET-DRAFT                   US SHAs                       June 2005


7.2.4 sha-private.h

/*************************** sha-private.h ***************************/
#ifndef _SHA_PRIVATE__H
#define _SHA_PRIVATE__H
/*
 * These definitions are defined in FIPS-180-2, section 4.1.
 * Ch() and Maj() are defined identically in sections 4.1.1,
 * 4.1.2 and 4.1.3.
 *
 * The definitions used in FIPS-180-2 are as follows:
 */

#ifndef USE_MODIFIED_MACROS
#define SHA_Ch(x,y,z)        (((x) & (y)) ^ ((~(x)) & (z)))
#define SHA_Maj(x,y,z)       (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

#else /* USE_MODIFIED_MACROS */
/*
 * The following definitions are equivalent and potentially faster.
 */

#define SHA_Ch(x, y, z)      (((x) & ((y) ^ (z))) ^ (z))
#define SHA_Maj(x, y, z)     (((x) & ((y) | (z))) | ((y) & (z)))

#endif /* USE_MODIFIED_MACROS */

#define SHA_Parity(x, y, z)  ((x) ^ (y) ^ (z))

#endif /* _SHA_PRIVATE__H */



7.3 The Test Driver

   The following code is a main program test driver to exercise the code
   in sha1.c, sha224-256.c, and sha384-512.c. The test driver can also
   be used as a standalone program for generating the hashes.

   See also [SHAVS].

/**************************** shatest.c ****************************/
/*
 *  Description:
 *    This file will exercise the SHA code performing
 *      the three tests documented in FIPS PUB 180-2
 *        (http://csrc.nist.gov/publications/fips/
 *         fips180-2/fips180-2withchangenotice.pdf)
 *      one that calls SHAInput with an exact multiple of 512 bits
 *      the seven tests documented for each algorithm in


D. Eastlake 3rd, T. Hansen                                     [Page 61]

INTERNET-DRAFT                   US SHAs                       June 2005


 *        "The Secure Hash Algorithm Validation System (SHAVS)",
 *        three of which are bit-level tests
 *        (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf)
 *
 *    To run the tests and just see PASSED/FAILED, use the -p option.
 *
 *    Other options exercise:
 *      hashing an arbitrary string
 *      hashing a file's contents
 *      a few error test checks
 *      printing the results in raw format
 *
 *  Portability Issues:
 *    None.
 *
 */

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "sha.h"

static int xgetopt(int argc, char **argv, const char *optstring);
extern char *xoptarg;
static int scasecmp(const char *s1, const char *s2);

/*
 *  Define patterns for testing
 */
#define TEST1    "abc"
#define TEST2_1  \
        "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
#define TEST2_2a \
        "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
#define TEST2_2b \
        "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
#define TEST2_2  TEST2_2a TEST2_2b
#define TEST3    "a"                            /* times 1000000 */
#define TEST4a   "01234567012345670123456701234567"
#define TEST4b   "01234567012345670123456701234567"
    /* an exact multiple of 512 bits */
#define TEST4   TEST4a TEST4b                   /* times 10 */

#define TEST7_1 \
  "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8"
#define TEST8_1 \
  "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46"
#define TEST9_1 \


D. Eastlake 3rd, T. Hansen                                     [Page 62]

INTERNET-DRAFT                   US SHAs                       June 2005


  "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \
  "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \
  "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \
  "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \
  "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a"
#define TEST10_1 \
  "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \
  "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \
  "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \
  "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \
  "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \
  "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \
  "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \
  "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \
  "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \
  "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \
  "\xcd\xbb\xfb"
#define TEST7_224 \
  "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d"
#define TEST8_224 \
  "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62"
#define TEST9_224 \
  "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \
  "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \
  "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \
  "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \
  "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2"
#define TEST10_224 \
  "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \
  "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \
  "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \
  "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \
  "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \
  "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \
  "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \
  "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \
  "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \
  "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \
  "\x87\x82\x73"
#define TEST7_256 \
  "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73"
#define TEST8_256 \
  "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52"
#define TEST9_256 \
  "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \
  "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \
  "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \
  "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \
  "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3"
#define TEST10_256 \


D. Eastlake 3rd, T. Hansen                                     [Page 63]

INTERNET-DRAFT                   US SHAs                       June 2005


  "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \
  "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \
  "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \
  "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \
  "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \
  "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \
  "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \
  "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \
  "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \
  "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \
  "\x3d\x54\xd6"
#define TEST7_384 \
  "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa"
#define TEST8_384 \
  "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39"
#define TEST9_384 \
  "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \
  "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \
  "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \
  "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \
  "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \
  "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \
  "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \
  "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \
  "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9"
#define TEST10_384 \
  "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \
  "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \
  "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \
  "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \
  "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \
  "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \
  "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \
  "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \
  "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \
  "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \
  "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \
  "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \
  "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \
  "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \
  "\x7e\xd0\x96"
#define TEST7_512 \
  "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70"
#define TEST8_512 \
  "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0"
#define TEST9_512 \
  "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \
  "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \
  "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \
  "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \


D. Eastlake 3rd, T. Hansen                                     [Page 64]

INTERNET-DRAFT                   US SHAs                       June 2005


  "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \
  "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \
  "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \
  "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \
  "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06"
#define TEST10_512 \
  "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \
  "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \
  "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \
  "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \
  "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \
  "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \
  "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \
  "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \
  "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \
  "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \
  "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \
  "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \
  "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \
  "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \
  "\xfb\x40\xd2"
#define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \
  "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d"
#define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \
  "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \
  "\x27"
#define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \
  "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \
  "\x27\x9c\x1c\xb0\xa7"
#define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \
  "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \
  "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \
  "\xa4\x84\xbe\x74\x53"
#define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \
  "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \
  "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \
  "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \
  "\x4b\x12\x27\x20\x39"

#define TESTCOUNT 10
#define HASHCOUNT 5
#define RANDOMCOUNT 4
#define PRINTNONE 0
#define PRINTTEXT 1
#define PRINTRAW 2
#define PRINTHEX 3
#define PRINTBASE64 4

typedef int (*funcReset_t)(void *);
typedef int (*funcInput_t)(void *, const uint8_t *, unsigned int);


D. Eastlake 3rd, T. Hansen                                     [Page 65]

INTERNET-DRAFT                   US SHAs                       June 2005


typedef int (*funcFinalBits_t)(void *, const uint8_t, unsigned int);
typedef int (*funcResult_t)(void *, uint8_t Message_Digest[]);

typedef union {
    SHA1Context sha1Context;
    SHA224Context sha224Context; SHA256Context sha256Context;
    SHA384Context sha384Context; SHA512Context sha512Context;
  } USHA;

#define length(x) (sizeof(x)-1)

struct hash {
  const char *name;
  funcReset_t funcReset;
  funcInput_t funcInput;
  funcFinalBits_t funcFinalBits;
  funcResult_t funcResult;
  int hashsize;
  struct {
      const char *testarray;
      int length;
      long repeatcount;
      int extrabits;
      int number_extrabits;
      const char *resultarray;
  } tests[TESTCOUNT];
  const char *randomtest;
  const char *randomresults[RANDOMCOUNT];
} hashes[HASHCOUNT] = {
  { "SHA1", (funcReset_t)SHA1Reset, (funcInput_t)SHA1Input,
    (funcFinalBits_t)SHA1FinalBits, (funcResult_t)SHA1Result,
    SHA1HashSize,
    {
      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
        "A9993E364706816ABA3E25717850C26C9CD0D89D" },
      /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0,
        "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" },
      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
        "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" },
      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
        "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" },
      /* 5 */ { "", 0, 0, 0x98, 5,
        "29826B003B906E660EFF4027CE98AF3531AC75BA" },
      /* 6 */ { "\x5e", 1, 1, 0, 0,
        "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" },
      /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3,
        "6239781E03729919C01955B3FFA8ACB60B988340" },
      /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0,
        "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" },
      /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3,


D. Eastlake 3rd, T. Hansen                                     [Page 66]

INTERNET-DRAFT                   US SHAs                       June 2005


        "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" },
      /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0,
        "CB0082C8F197D260991BA6A460E76E202BAD27B3" }
    }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4",
        "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC",
        "DB1F9050BB863DFEF4CE37186044E2EEB17EE013",
        "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B"
     } },
  { "SHA224", (funcReset_t)SHA224Reset, (funcInput_t)SHA224Input,
    (funcFinalBits_t)SHA224FinalBits, (funcResult_t)SHA224Result,
    SHA224HashSize,
    {
      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
        "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" },
      /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0,
        "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" },
      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
        "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" },
      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
        "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" },
      /* 5 */ { "", 0, 0, 0x68, 5,
        "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" },
      /* 6 */ { "\x07", 1, 1, 0, 0,
        "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" },
      /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3,
        "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" },
      /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0,
        "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" },
      /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3,
        "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" },
      /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0,
        "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" }
    }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD"
        "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A"
        "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B"
        "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844"
        "709563FB916227FED598EB621F" }
     },
  { "SHA256", (funcReset_t)SHA256Reset, (funcInput_t)SHA256Input,
    (funcFinalBits_t)SHA256FinalBits, (funcResult_t)SHA256Result,
    SHA256HashSize,
  {
      /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141"
        "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" },
      /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8"
        "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" },
      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92"
        "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" },
      /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA"
        "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" },


D. Eastlake 3rd, T. Hansen                                     [Page 67]

INTERNET-DRAFT                   US SHAs                       June 2005


      /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE"
        "09DB45E7823EB5079CE7A573A3760F95" },
      /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D"
        "6A4E17F75F9518D843709C0C9BC3E3D4" },
      /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8"
        "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" },
      /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA"
        "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" },
      /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646"
        "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" },
      /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D"
        "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" },
    }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44"
        "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399"
        "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7"
        "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408"
        "E31536B70FF906EC51B00447CA97D7DD97C12411F4" }
    },
  { "SHA384", (funcReset_t)SHA384Reset, (funcInput_t)SHA384Input,
    (funcFinalBits_t)SHA384FinalBits, (funcResult_t)SHA384Result,
    SHA384HashSize,
    {
      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
        "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163"
        "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" },
      /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0,
        "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2"
        "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" },
      /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
        "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852"
        "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" },
      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
        "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70"
        "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" },
      /* 5 */ { "", 0, 0, 0x10, 5,
        "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399"
        "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" },
      /* 6 */ { "\xb9", 1, 1, 0, 0,
        "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C"
        "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" },
      /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3,
        "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532"
        "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" },
      /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0,
        "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591"
        "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" },
      /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3,
        "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095"
        "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" },
      /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0,


D. Eastlake 3rd, T. Hansen                                     [Page 68]

INTERNET-DRAFT                   US SHAs                       June 2005


        "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF"
        "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" }
    }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C"
        "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2"
        "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503"
        "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01"
        "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3"
        "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2"
        "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7"
    } },
  { "SHA512", (funcReset_t)SHA512Reset, (funcInput_t)SHA512Input,
    (funcFinalBits_t)SHA512FinalBits, (funcResult_t)SHA512Result,
    SHA512HashSize,
    {
      /* 1 */ { TEST1, length(TEST1), 1, 0, 0,
        "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2"
        "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD"
        "454D4423643CE80E2A9AC94FA54CA49F" },
      /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0,
        "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1"
        "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A"
        "C7D329EEB6DD26545E96E55B874BE909" },
       /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0,
        "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428"
        "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B"
        "EB009C5C2C49AA2E4EADB217AD8CC09B" },
      /* 4 */ { TEST4, length(TEST4), 10, 0, 0,
        "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024"
        "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51"
        "0813A39CD5A84C4ACAA64D3F3FB7BAE9" },
      /* 5 */ { "", 0, 0, 0xB0, 5,
        "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0"
        "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2"
        "1B22A84CC03BF8CE4845F34DD5BDBAD4" },
      /* 6 */ { "\xD0", 1, 1, 0, 0,
        "9992202938E882E73E20F6B69E68A0A7149090423D93C81B"
        "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A"
        "D6E74CECE9631BFA8A549B4AB3FBBA15" },
      /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3,
        "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71"
        "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B"
        "7359B43E64F8BEC3C1F237119986BBB6" },
      /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0,
        "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD"
        "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398"
        "8213EB1B16F517AD0DE4B2F0C95C90F8" },
      /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3,
        "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6"
        "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2"
        "526F8A0A510E5E53CAFED4355FE7C2F1" },


D. Eastlake 3rd, T. Hansen                                     [Page 69]

INTERNET-DRAFT                   US SHAs                       June 2005


      /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0,
        "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909"
        "C1A16A270D48719377966B957A878E720584779A62825C18"
        "DA26415E49A7176A894E7510FD1451F5" }
    }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3"
        "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576"
        "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5"
        "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2"
        "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B"
        "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B"
        "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D"
        "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877"
        "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F"
    }
  }
};

/*
 * Check the hash value against the expected string, expressed in hex
 */
static const char hexdigits[] = "0123456789ABCDEF";
const char *checkmatch(const unsigned char *hashvalue,
  const char *hexstr, int hashsize)
{
  int i;
  for (i = 0; i < hashsize; ++i) {
    if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF])
      return "FAILED";
    if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return "FAILED";
  }
  return "PASSED";
}

/*
 * Print the string, converting non-printable characters to "."
 */
void printstr(const char *str, int len)
{
  for ( ; len-- > 0; str++)
    putchar(isprint((unsigned char)*str) ? *str : '.');
}

/*
 * Print the string, converting non-printable characters to hex "## ".
 */
void printxstr(const char *str, int len)
{
  for ( ; len-- > 0; str++)
    printf("%c%c ", hexdigits[(*str >> 4) & 0xF],
      hexdigits[*str & 0xF]);


D. Eastlake 3rd, T. Hansen                                     [Page 70]

INTERNET-DRAFT                   US SHAs                       June 2005


}

/*
 * Print a usage message.
 */
void usage(const char *argv0)
{
  fprintf(stderr,
    "Usage:\n"
    "Standard tests:\n"
    "\t%s [-h hash] [-l loopcount] [-t test#] [-e]\n"
      "\t\t[-r randomseed] [-R randomloop-count] [-p|-w|-x] [-P]\n"
    "Hash a string:\n"
    "\t%s [-h hash] [-w|-x] [-S result] -s hashstr\n"
    "Hash a file:\n"
    "\t%s [-h hash] [-w|-x] [-S result] -f file\n"
    "-h\thash to test: "
      "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n"
    "-t\ttest case to run, 1-10\n"
    "-l\thow may times to run the test\n"
    "-e\ttest error returns\n"
    "-p\tdo not print results\n"
    "-P\tdo not print PASSED/FAILED\n"
    "-r\tseed for random test\n"
    "-R\thow many times to run random test\n"
    "-s\tstring to hash\n"
    "-S\texpected result of hashed string, in hex\n"
    "-w\toutput hash in raw format\n"
    "-x\toutput hash in hex format\n"
    , argv0, argv0, argv0);
  exit(1);
}

/*
 * Print the results and PASS/FAIL.
 */
void printResult(uint8_t *Message_Digest, int hashsize,
    const char *hashname, const char *testtype, const char *testname,
    const char *resultarray, int printResults, int printPassFail)
{
  int i, k;
  if (printResults == PRINTTEXT) {
    putchar('\t');
    for (i = 0; i < hashsize ; ++i) {
      putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]);
      putchar(hexdigits[Message_Digest[i] & 0xF]);
      putchar(' ');
    }
    putchar('\n');
  } else if (printResults == PRINTRAW) {


D. Eastlake 3rd, T. Hansen                                     [Page 71]

INTERNET-DRAFT                   US SHAs                       June 2005


    fwrite(Message_Digest, 1, hashsize, stdout);
  } else if (printResults == PRINTHEX) {
    for (i = 0; i < hashsize ; ++i) {
      putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]);
      putchar(hexdigits[Message_Digest[i] & 0xF]);
    }
    putchar('\n');
  }

  if (printResults && resultarray) {
    printf("    Should match:\n\t");
    for (i = 0, k = 0; i < hashsize; i++, k += 2) {
      putchar(resultarray[k]);
      putchar(resultarray[k+1]);
      putchar(' ');
    }
    putchar('\n');
  }

  if (printPassFail && resultarray)
    printf("%s %s %s: %s\n", hashname, testtype, testname,
      checkmatch(Message_Digest, resultarray, hashsize));
}

/*
 * Exercise a hash series of functions. The input is the testarray,
 * repeated repeatcount times, followed by the extrabits. If the
 * result is known, it is in resultarray in uppercase hex.
 */
int hash(USHA *psha, int testno, int loopno, int hashno,
  const char *testarray, int length, long repeatcount,
  int number_extrabits, int extrabits, const char *resultarray,
  int printResults, int printPassFail)
{
  int err, i, j;
  uint8_t Message_Digest[SHA512HashSize];
  char buf[20];

  if (printResults == PRINTTEXT) {
    printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1,
      loopno, repeatcount);
    printstr(testarray, length);
    printf("'\n\t'");
    printxstr(testarray, length);
    printf("'\n");
    printf("    Length=%d bytes (%d bits), ", length, length * 8);
    printf("ExtraBits %d: %2.2x\n", number_extrabits, extrabits);
  }

  err = hashes[hashno].funcReset(psha);


D. Eastlake 3rd, T. Hansen                                     [Page 72]

INTERNET-DRAFT                   US SHAs                       June 2005


  if (err != shaSuccess) {
    fprintf(stderr, "shaReset Error %d.\n", err );
    return err;
  }

  j = length;
  for (i = 0; i < repeatcount; ++i) {
    err = hashes[hashno].funcInput(psha,
        (const unsigned char *) testarray, j);
    if (err != shaSuccess) {
      fprintf(stderr, "shaInput Error %d.\n", err );
      return err;
    }
  }

  if (number_extrabits > 0) {
    err = hashes[hashno].funcFinalBits(psha, extrabits,
      number_extrabits);
    if (err != shaSuccess) {
      fprintf(stderr, "shaFinalBits Error %d.\n", err );
      return err;
    }
  }

  err = hashes[hashno].funcResult(psha, Message_Digest);
  if (err != shaSuccess) {
    fprintf(stderr, "shaResult Error %d, "
      "could not compute message digest.\n", err );
    return err;
  }

  sprintf(buf, "%d", testno+1);
  printResult(Message_Digest, hashes[hashno].hashsize,
    hashes[hashno].name, "standard test", buf, resultarray,
    printResults, printPassFail);

  return err;
}

/*
 * Exercise a hash series of functions. The input is a filename.
 * If the result is known, it is in resultarray in uppercase hex.
 */
int hashfile(USHA *psha, int hashno, const char *hashfilename,
  const char *resultarray, int printResults, int printPassFail)
{
  int err;
  unsigned char buf[4096];
  uint8_t Message_Digest[SHA512HashSize];
  int nread;


D. Eastlake 3rd, T. Hansen                                     [Page 73]

INTERNET-DRAFT                   US SHAs                       June 2005


  FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin :
    fopen(hashfilename, "r");

  if (!hashfp) {
    fprintf(stderr, "cannot open file '%s'\n", hashfilename);
    return shaStateError;
  }

  err = hashes[hashno].funcReset(psha);
  if (err != shaSuccess) {
    fprintf(stderr, "shaReset Error %d.\n", err );
    return err;
  }

  while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) {
    err = hashes[hashno].funcInput(psha, buf, nread);
    if (err != shaSuccess) {
      fprintf(stderr, "shaInput Error %d.\n", err );
      if (hashfp != stdin) fclose(hashfp);
      return err;
    }
  }

  err = hashes[hashno].funcResult(psha, Message_Digest);
  if (err != shaSuccess) {
    fprintf(stderr, "shaResult Error %d.\n", err );
    if (hashfp != stdin) fclose(hashfp);
    return err;
  }

  printResult(Message_Digest, hashes[hashno].hashsize,
    hashes[hashno].name, "file", hashfilename, resultarray,
    printResults, printPassFail);

  if (hashfp != stdin) fclose(hashfp);
  return err;
}

/*
 * Exercise a hash series of functions through multiple permutations.
 * The input is an initial seed. That seed is replicated 3 times.
 * For 1000 rounds, the previous three results are used as the input.
 * This result is then checked, and used to seed the next cycle.
 * If the result is known, it is in resultarrays in uppercase hex.
 */
void randomtest(int hashno, const char *seed, int hashsize,
    const char **resultarrays, int randomcount,
    int printResults, int printPassFail)
{
  int i, j; char buf[20];


D. Eastlake 3rd, T. Hansen                                     [Page 74]

INTERNET-DRAFT                   US SHAs                       June 2005


  unsigned char SEED[SHA512HashSize], MD[1003][SHA512HashSize];

  /* INPUT: Seed - A random seed n bits long */
  memcpy(SEED, seed, hashsize);
  if (printResults == PRINTTEXT) {
    printf("%s random test seed= '", hashes[hashno].name);
    printxstr(seed, hashsize);
    printf("'\n");
  }

  for (j = 0; j < randomcount; j++) {
    /* MD0 = MD1 = MD2 = Seed; */
    memcpy(MD[0], SEED, hashsize);
    memcpy(MD[1], SEED, hashsize);
    memcpy(MD[2], SEED, hashsize);
    for (i=3; i<1003; i++) {
      /* Mi = MDi-3 || MDi-2 || MDi-1; */
      USHA Mi;
      hashes[hashno].funcReset(&Mi);
      hashes[hashno].funcInput(&Mi, MD[i-3], hashsize);
      hashes[hashno].funcInput(&Mi, MD[i-2], hashsize);
      hashes[hashno].funcInput(&Mi, MD[i-1], hashsize);
      /* MDi = SHA(Mi); */
      hashes[hashno].funcResult(&Mi, MD[i]);
    }

    /* MDj = Seed = MDi; */
    memcpy(SEED, MD[i-1], hashsize);

    /* OUTPUT: MDj */
    sprintf(buf, "%d", j);
    printResult(SEED, hashsize, hashes[hashno].name, "random test",
      buf, resultarrays[j], printResults,
      printPassFail && (j < RANDOMCOUNT));
  }
}

/*
 * Look up a hash name.
 */
int findhash(const char *argv0, const char *opt)
{
  int i;
  const char *names[HASHCOUNT][2] = {
    { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" },
    { "3", "sha384" }, { "4", "sha512" }
  };

  for (i = 0; i < HASHCOUNT; i++)
    if ((strcmp(opt, names[i][0]) == 0) ||


D. Eastlake 3rd, T. Hansen                                     [Page 75]

INTERNET-DRAFT                   US SHAs                       June 2005


        (scasecmp(opt, names[i][1]) == 0))
      return i;

  fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt);
  usage(argv0);
  return 0;
}

int main(int argc, char **argv)
{
  int i, err;
  USHA sha;
  int loopno, loopnohigh = 1;
  int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1;
  int testno, testnolow = 0, testnohigh = TESTCOUNT - 1;
  int printResults = PRINTTEXT;
  int printPassFail = 1;
  int checkErrors = 0;
  const char *hashstr = 0;
  const char *resultstr = 0;
  const char *randomteststr = 0;
  int randomcount = RANDOMCOUNT;
  const char *hashfilename = 0;

  while ((i = xgetopt(argc, argv, "ef:h:l:pPr:R:s:S:t:wx")) != -1)
    switch (i) {
      case 'e': checkErrors = 1; break;
      case 'f': hashfilename = xoptarg; break;
      case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg);
        break;
      case 'l': loopnohigh = atoi(xoptarg); break;
      case 'P': printPassFail = 0; break;
      case 'p': printResults = PRINTNONE; break;
      case 'R': randomcount = atoi(xoptarg); break;
      case 'r': randomteststr = xoptarg; break;
      case 's': hashstr = xoptarg; break;
      case 'S': resultstr = xoptarg; break;
      case 't': testnolow = testnohigh = atoi(xoptarg) - 1; break;
      case 'w': printResults = PRINTRAW; break;
      case 'x': printResults = PRINTHEX; break;
      default: usage(argv[0]);
      }

  if ((testnolow < 0) || (testnohigh >= TESTCOUNT) ||
      (hashnolow < 0) || (hashnohigh >= HASHCOUNT) ||
      (hashstr && (testnolow == testnohigh)) ||
      (randomcount < 0) || (resultstr && (!hashstr && !hashfilename)))
    usage(argv[0]);

  /*


D. Eastlake 3rd, T. Hansen                                     [Page 76]

INTERNET-DRAFT                   US SHAs                       June 2005


   *  Perform SHA tests
   */
  for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) {
    if (printResults == PRINTTEXT)
      printf("Hash %s\n", hashes[hashno].name);
    err = shaSuccess;

    for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess);
         ++loopno) {
      if (hashstr)
        err = hash(&sha, 0, loopno, hashno, hashstr, strlen(hashstr),
          1, 0, 0, resultstr, printResults, printPassFail);

      else if (randomteststr)
        randomtest(hashno, randomteststr, hashes[hashno].hashsize, 0,
          randomcount, printResults, printPassFail);

      else if (hashfilename)
        err = hashfile(&sha, hashno, hashfilename, resultstr,
          printResults, printPassFail);

      else /* standard tests */ {
        for (testno = testnolow;
             (testno <= testnohigh) && (err == shaSuccess); ++testno)
          err = hash(&sha, testno, loopno, hashno,
                      hashes[hashno].tests[testno].testarray,
                      hashes[hashno].tests[testno].length,
                      hashes[hashno].tests[testno].repeatcount,
                      hashes[hashno].tests[testno].number_extrabits,
                      hashes[hashno].tests[testno].extrabits,
                      hashes[hashno].tests[testno].resultarray,
                      printResults, printPassFail);
        randomtest(hashno, hashes[hashno].randomtest,
              hashes[hashno].hashsize, hashes[hashno].randomresults,
              RANDOMCOUNT, printResults, printPassFail);
      }
    }

    /* Test some error returns */
    if (checkErrors) {
      err = hashes[hashno].funcInput(&sha, (const unsigned char *)
        hashes[hashno].tests[1].testarray, 1);
      if (printResults == PRINTTEXT)
        printf ("\nError %d. Should be %d.\n", err, shaStateError);
      if (printPassFail)
        printf("%s se: %s\n", hashes[hashno].name,
          (err == shaStateError) ? "PASSED" : "FAILED");

      err = hashes[hashno].funcReset(0);
      if (printResults == PRINTTEXT)


D. Eastlake 3rd, T. Hansen                                     [Page 77]

INTERNET-DRAFT                   US SHAs                       June 2005


         printf("\nError %d. Should be %d.\n", err, shaNull );
      if (printPassFail)
         printf("%s se: %s\n", hashes[hashno].name,
          (err == shaNull) ? "PASSED" : "FAILED");
    }
  }

  return 0;
}

/*
 * Compare two strings, case independently.
 * Equivalent to strcasecmp() found on some systems.
 */
int scasecmp(const char *s1, const char *s2)
{
  for (;;) {
    char u1 = tolower(*s1++);
    char u2 = tolower(*s2++);
    if (u1 != u2)
      return u1 - u2;
    if (u1 == '\0')
      return 0;
   }
}

/*
 * This is a copy of getopt provided for those systems that do not
 * have it. The name was changed to xgetopt to not conflict on those
 * systems that do have it. Similarly, optarg, optind and opterr
 * were renamed to xoptarg, xoptind and xopterr.
 *
 * Copyright 1990, 1991, 1992 by the Massachusetts Institute of
 * Technology and UniSoft Group Limited.
 *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appear in all copies and
 * that both that copyright notice and this permission notice appear in
 * supporting documentation, and that the names of MIT and UniSoft not
 * be used in advertising or publicity pertaining to distribution of
 * the software without specific, written prior permission.  MIT and
 * UniSoft make no representations about the suitability of this
 * software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * $XConsortium: getopt.c,v 1.2 92/07/01 11:59:04 rws Exp $
 * NB: Reformatted to match above style.
 */



D. Eastlake 3rd, T. Hansen                                     [Page 78]

INTERNET-DRAFT                   US SHAs                       June 2005


char    *xoptarg;
int     xoptind = 1;
int     xopterr = 1;

static int xgetopt(int argc, char **argv, const char *optstring)
{
  static int avplace;
  char    *ap;
  char    *cp;
  int     c;

  if (xoptind >= argc)
    return EOF;

  ap = argv[xoptind] + avplace;

  /* At begining of arg but not an option */
  if (avplace == 0) {
    if (ap[0] != '-')
      return EOF;
    else if (ap[1] == '-') {
      /* Special end of options option */
      xoptind++;
      return EOF;
    } else if (ap[1] == '\0')
      return EOF;  /* single '-' is not allowed */
  }

  /* Get next letter */
  avplace++;
  c = *++ap;

  cp = strchr(optstring, c);
  if (cp == NULL || c == ':') {
    if (xopterr)
      fprintf(stderr, "Unrecognised option -- %c\n", c);
    return '?';
  }

  if (cp[1] == ':') {
    /* There should be an option arg */
    avplace = 0;
    if (ap[1] == '\0') {
      /* It is a separate arg */
      if (++xoptind >= argc) {
        if (xopterr)
          fprintf(stderr, "Option requires an argument\n");
        return '?';
      }
      xoptarg = argv[xoptind++];


D. Eastlake 3rd, T. Hansen                                     [Page 79]

INTERNET-DRAFT                   US SHAs                       June 2005


    } else {
      /* is attached to option letter */
      xoptarg = ap + 1;
      ++xoptind;
    }
  } else {
    /* If we are out of letters then go to next arg */
    if (ap[1] == '\0') {
      ++xoptind;
      avplace = 0;
    }

    xoptarg = NULL;
  }
  return c;
}




































D. Eastlake 3rd, T. Hansen                                     [Page 80]

INTERNET-DRAFT                   US SHAs                       June 2005


8. IANA Considerations

   None.



9. Security Considerations

   This document is intended to provide convenient open source access by
   the Internet community to the United States of America Federal
   Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS
   180-2]. No independent assertion of the security of this hash
   function by the authors for any particular use is intended.







































D. Eastlake 3rd, T. Hansen                                     [Page 81]

INTERNET-DRAFT                   US SHAs                       June 2005


Copyright and Disclaimer

   Copyright (C) The Internet Society (2005).  This document is subject to
   the rights, licenses and restrictions contained in BCP 78, and except
   as set forth therein, the authors retain all their rights.


   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.



Normative References

   [FIPS 180-2] - "Secure Hash Standard", United States of American,
   National Institute of Science and Technology, Federal Information
   Processing Standard (FIPS) 180-2,
   http://csrc.nist.gov/publications/fips/fips180-2/fips180-
   2withchangenotice.pdf.



Informative References

   [RFC 3174] - D. Eastlake 3rd, P. Jones, "US Secure Hash Algorithm 1
   (SHA1)", September 2001.

   [RFC 3874] - R. Housley, "A 224-bit One-way Hash Function: SHA-224",
   September 2004.

   [RFC 4086] - D. Eastlake, S. Crocker, J. Schiller, "Randomness
   Requirements for Security", May 2005.

   [SHAVS] - "The Secure Hash Algorithm Validation System (SHAVS)",
   http://csrc.nist.gov/cryptval/shs/SHAVS.pdf.












D. Eastlake 3rd, T. Hansen                                     [Page 82]

INTERNET-DRAFT                   US SHAs                       June 2005


Author's Address

   Donald E. Eastlake, 3rd
   Motorola Laboratories
   155 Beaver Street
   Milford, MA 01757 USA

   Telephone:   +1-508-786-7554 (w)
   EMail:       donald.eastlake@motorola.com


   Tony Hansen
   AT&T Laboratories
   200 Laurel Ave.
   Middletown, NJ 07748 USA

   Telephone:   +1-732-420-8934 (w)
   Email:       tony+shs@millennium.att.com



Expiration and File Name

   This draft expires December 2005.

   Its file name is draft-eastlake-sha2-00.txt.


























D. Eastlake 3rd, T. Hansen                                     [Page 83]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/