File: rfc3174.txt

package info (click to toggle)
doc-rfc 20181229-2
  • links: PTS, VCS
  • area: non-free
  • in suites:
  • size: 570,944 kB
  • sloc: xml: 285,646; sh: 107; python: 90; perl: 42; makefile: 14
file content (1235 lines) | stat: -rw-r--r-- 35,525 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235






Network Working Group                                   D. Eastlake, 3rd
Request for Comments: 3174                                      Motorola
Category: Informational                                         P. Jones
                                                           Cisco Systems
                                                          September 2001


                   US Secure Hash Algorithm 1 (SHA1)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   The purpose of this document is to make the SHA-1 (Secure Hash
   Algorithm 1) hash algorithm conveniently available to the Internet
   community.  The United States of America has adopted the SHA-1 hash
   algorithm described herein as a Federal Information Processing
   Standard.  Most of the text herein was taken by the authors from FIPS
   180-1.  Only the C code implementation is "original".

Acknowledgements

   Most of the text herein was taken from [FIPS 180-1].  Only the C code
   implementation is "original" but its style is similar to the
   previously published MD4 and MD5 RFCs [RFCs 1320, 1321].

   The SHA-1 is based on principles similar to those used by Professor
   Ronald L. Rivest of MIT when designing the MD4 message digest
   algorithm [MD4] and is modeled after that algorithm [RFC 1320].

   Useful comments from the following, which have been incorporated
   herein, are gratefully acknowledged:

      Tony Hansen
      Garrett Wollman








Eastlake & Jones             Informational                      [Page 1]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


Table of Contents

   1. Overview of Contents...........................................  2
   2. Definitions of Bit Strings and Integers........................  3
   3. Operations on Words............................................  3
   4. Message Padding................................................  4
   5. Functions and Constants Used...................................  6
   6. Computing the Message Digest...................................  6
   6.1 Method 1......................................................  6
   6.2 Method 2......................................................  7
   7. C Code.........................................................  8
   7.1 .h file.......................................................  8
   7.2 .c file....................................................... 10
   7.3 Test Driver................................................... 18
   8. Security Considerations........................................ 20
   References........................................................ 21
   Authors' Addresses................................................ 21
   Full Copyright Statement.......................................... 22

1. Overview of Contents

   NOTE: The text below is mostly taken from [FIPS 180-1] and assertions
   therein of the security of SHA-1 are made by the US Government, the
   author of [FIPS 180-1], and not by the authors of this document.

   This document specifies a Secure Hash Algorithm, SHA-1, for computing
   a condensed representation of a message or a data file.  When a
   message of any length < 2^64 bits is input, the SHA-1 produces a
   160-bit output called a message digest.  The message digest can then,
   for example, be input to a signature algorithm which generates or
   verifies the signature for the message.  Signing the message digest
   rather than the message often improves the efficiency of the process
   because the message digest is usually much smaller in size than the
   message.  The same hash algorithm must be used by the verifier of a
   digital signature as was used by the creator of the digital
   signature.  Any change to the message in transit will, with very high
   probability, result in a different message digest, and the signature
   will fail to verify.

   The SHA-1 is called secure because it is computationally infeasible
   to find a message which corresponds to a given message digest, or to
   find two different messages which produce the same message digest.
   Any change to a message in transit will, with very high probability,
   result in a different message digest, and the signature will fail to
   verify.






Eastlake & Jones             Informational                      [Page 2]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


   Section 2 below defines the terminology and functions used as
   building blocks to form SHA-1.

2. Definitions of Bit Strings and Integers

   The following terminology related to bit strings and integers will be
   used:

   a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}.
      A hex digit is the representation of a 4-bit string.  Examples:  7
      = 0111, A = 1010.

   b. A word equals a 32-bit string which may be represented as a
      sequence of 8 hex digits.  To convert a word to 8 hex digits each
      4-bit string is converted to its hex equivalent as described in
      (a) above.  Example:

      1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23.

   c. An integer between 0 and 2^32 - 1 inclusive may be represented as
      a word.  The least significant four bits of the integer are
      represented by the right-most hex digit of the word
      representation.  Example: the integer 291 = 2^8+2^5+2^1+2^0 =
      256+32+2+1 is represented by the hex word, 00000123.

      If z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 <=
      x < 2^32 and 0 <= y < 2^32.  Since x and y can be represented as
      words X and Y, respectively, z can be represented as the pair of
      words (X,Y).

   d. block = 512-bit string.  A block (e.g., B) may be represented as a
      sequence of 16 words.

3. Operations on Words

   The following logical operators will be applied to words:

   a. Bitwise logical word operations

      X AND Y  =  bitwise logical "and" of  X and Y.

      X OR Y   =  bitwise logical "inclusive-or" of X and Y.

      X XOR Y  =  bitwise logical "exclusive-or" of X and Y.

      NOT X    =  bitwise logical "complement" of X.





Eastlake & Jones             Informational                      [Page 3]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


      Example:

               01101100101110011101001001111011
         XOR   01100101110000010110100110110111
               --------------------------------
           =   00001001011110001011101111001100

   b. The operation X + Y is defined as follows:  words X and Y
      represent integers x and y, where 0 <= x < 2^32 and 0 <= y < 2^32.
      For positive integers n and m, let n mod m be the remainder upon
      dividing n by m.  Compute

         z  =  (x + y) mod 2^32.

      Then 0 <= z < 2^32.  Convert z to a word,  Z, and define Z = X +
      Y.

   c. The circular left shift operation S^n(X), where X is a word and n
      is an integer with 0 <= n < 32, is defined by

         S^n(X)  =  (X << n) OR (X >> 32-n).

      In the above, X << n is obtained as follows: discard the left-most
      n bits of X and then pad the result with n zeroes on the right
      (the result will still be 32 bits).  X >> n is obtained by
      discarding the right-most n bits of X and then padding the result
      with n zeroes on the left.  Thus S^n(X) is equivalent to a
      circular shift of X by n positions to the left.

4. Message Padding

   SHA-1 is used to compute a message digest for a message or data file
   that is provided as input.  The message or data file should be
   considered to be a bit string.  The length of the message is the
   number of bits in the message (the empty message has length 0).  If
   the number of bits in a message is a multiple of 8, for compactness
   we can represent the message in hex.  The purpose of message padding
   is to make the total length of a padded message a multiple of 512.
   SHA-1 sequentially processes blocks of 512 bits when computing the
   message digest.  The following specifies how this padding shall be
   performed.  As a summary, a "1" followed by m "0"s followed by a 64-
   bit integer are appended to the end of the message to produce a
   padded message of length 512 * n.  The 64-bit integer is the length
   of the original message.  The padded message is then processed by the
   SHA-1 as n 512-bit blocks.






Eastlake & Jones             Informational                      [Page 4]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


   Suppose a message has length l < 2^64.  Before it is input to the
   SHA-1, the message is padded on the right as follows:

   a. "1" is appended.  Example: if the original message is "01010000",
      this is padded to "010100001".

   b. "0"s are appended.  The number of "0"s will depend on the original
      length of the message.  The last 64 bits of the last 512-bit block
      are reserved

      for the length l of the original message.

      Example:  Suppose the original message is the bit string

         01100001 01100010 01100011 01100100 01100101.

      After step (a) this gives

         01100001 01100010 01100011 01100100 01100101 1.

      Since l = 40, the number of bits in the above is 41 and 407 "0"s
      are appended, making the total now 448.  This gives (in hex)

         61626364 65800000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000.

   c. Obtain the 2-word representation of l, the number of bits in the
      original message.  If l < 2^32 then the first word is all zeroes.
      Append these two words to the padded message.

      Example: Suppose the original message is as in (b).  Then l = 40
      (note that l is computed before any padding).  The two-word
      representation of 40 is hex 00000000 00000028.  Hence the final
      padded message is hex

         61626364 65800000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000028.

      The padded message will contain 16 * n words for some n > 0.
      The padded message is regarded as a sequence of n blocks M(1) ,
      M(2), first characters (or bits) of the message.






Eastlake & Jones             Informational                      [Page 5]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


5. Functions and Constants Used

   A sequence of logical functions f(0), f(1),..., f(79) is used in
   SHA-1.  Each f(t), 0 <= t <= 79, operates on three 32-bit words B, C,
   D and produces a 32-bit word as output.  f(t;B,C,D) is defined as
   follows: for words B, C, D,

      f(t;B,C,D) = (B AND C) OR ((NOT B) AND D)         ( 0 <= t <= 19)

      f(t;B,C,D) = B XOR C XOR D                        (20 <= t <= 39)

      f(t;B,C,D) = (B AND C) OR (B AND D) OR (C AND D)  (40 <= t <= 59)

      f(t;B,C,D) = B XOR C XOR D                        (60 <= t <= 79).

   A sequence of constant words K(0), K(1), ... , K(79) is used in the
   SHA-1.  In hex these are given by

      K(t) = 5A827999         ( 0 <= t <= 19)

      K(t) = 6ED9EBA1         (20 <= t <= 39)

      K(t) = 8F1BBCDC         (40 <= t <= 59)

      K(t) = CA62C1D6         (60 <= t <= 79).

6. Computing the Message Digest

   The methods given in 6.1 and 6.2 below yield the same message digest.
   Although using method 2 saves sixty-four 32-bit words of storage, it
   is likely to lengthen execution time due to the increased complexity
   of the address computations for the { W[t] } in step (c).  There are
   other computation methods which give identical results.

6.1 Method 1

   The message digest is computed using the message padded as described
   in section 4.  The computation is described using two buffers, each
   consisting of five 32-bit words, and a sequence of eighty 32-bit
   words.  The words of the first 5-word buffer are labeled A,B,C,D,E.
   The words of the second 5-word buffer are labeled H0, H1, H2, H3, H4.
   The words of the 80-word sequence are labeled W(0), W(1),..., W(79).
   A single word buffer TEMP is also employed.

   To generate the message digest, the 16-word blocks M(1), M(2),...,
   M(n) defined in section 4 are processed in order.  The processing of
   each M(i) involves 80 steps.




Eastlake & Jones             Informational                      [Page 6]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


   Before processing any blocks, the H's are initialized as follows: in
   hex,

      H0 = 67452301

      H1 = EFCDAB89

      H2 = 98BADCFE

      H3 = 10325476

      H4 = C3D2E1F0.

   Now M(1), M(2), ... , M(n) are processed.  To process M(i), we
   proceed as follows:

      a. Divide M(i) into 16 words W(0), W(1), ... , W(15), where W(0)
         is the left-most word.

      b. For t = 16 to 79 let

         W(t) = S^1(W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16)).

      c. Let A = H0, B = H1, C = H2, D = H3, E = H4.

      d. For t = 0 to 79 do

         TEMP = S^5(A) + f(t;B,C,D) + E + W(t) + K(t);

         E = D;  D = C;  C = S^30(B);  B = A; A = TEMP;

      e. Let H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4
         + E.

   After processing M(n), the message digest is the 160-bit string
   represented by the 5 words

         H0 H1 H2 H3 H4.

6.2 Method 2

   The method above assumes that the sequence W(0), ... , W(79) is
   implemented as an array of eighty 32-bit words.  This is efficient
   from the standpoint of minimization of execution time, since the
   addresses of W(t-3), ...  ,W(t-16) in step (b) are easily computed.
   If space is at a premium, an alternative is to regard { W(t) } as a





Eastlake & Jones             Informational                      [Page 7]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


   circular queue, which may be implemented using an array of sixteen
   32-bit words W[0], ... W[15].  In this case, in hex let

   MASK = 0000000F.  Then processing of M(i) is as follows:

      a. Divide M(i) into 16 words W[0], ... , W[15], where W[0] is the
         left-most word.

      b. Let A = H0, B = H1, C = H2, D = H3, E = H4.

      c. For t = 0 to 79 do

         s = t AND MASK;

         if (t >= 16) W[s] = S^1(W[(s + 13) AND MASK] XOR W[(s + 8) AND
         MASK] XOR W[(s + 2) AND MASK] XOR W[s]);

         TEMP = S^5(A) + f(t;B,C,D) + E + W[s] + K(t);

         E = D; D = C; C = S^30(B); B = A; A = TEMP;

      d. Let H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4
         + E.

7. C Code

   Below is a demonstration implementation of SHA-1 in C.  Section 7.1
   contains the header file, 7.2 the C code, and 7.3 a test driver.

7.1 .h file

/*
 *  sha1.h
 *
 *  Description:
 *      This is the header file for code which implements the Secure
 *      Hashing Algorithm 1 as defined in FIPS PUB 180-1 published
 *      April 17, 1995.
 *
 *      Many of the variable names in this code, especially the
 *      single character names, were used because those were the names
 *      used in the publication.
 *
 *      Please read the file sha1.c for more information.
 *
 */





Eastlake & Jones             Informational                      [Page 8]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


#ifndef _SHA1_H_
#define _SHA1_H_

#include <stdint.h>
/*
 * If you do not have the ISO standard stdint.h header file, then you
 * must typdef the following:
 *    name              meaning
 *  uint32_t         unsigned 32 bit integer
 *  uint8_t          unsigned 8 bit integer (i.e., unsigned char)
 *  int_least16_t    integer of >= 16 bits
 *
 */

#ifndef _SHA_enum_
#define _SHA_enum_
enum
{
    shaSuccess = 0,
    shaNull,            /* Null pointer parameter */
    shaInputTooLong,    /* input data too long */
    shaStateError       /* called Input after Result */
};
#endif
#define SHA1HashSize 20

/*
 *  This structure will hold context information for the SHA-1
 *  hashing operation
 */
typedef struct SHA1Context
{
    uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest  */

    uint32_t Length_Low;            /* Message length in bits      */
    uint32_t Length_High;           /* Message length in bits      */

                               /* Index into message block array   */
    int_least16_t Message_Block_Index;
    uint8_t Message_Block[64];      /* 512-bit message blocks      */

    int Computed;               /* Is the digest computed?         */
    int Corrupted;             /* Is the message digest corrupted? */
} SHA1Context;

/*
 *  Function Prototypes
 */



Eastlake & Jones             Informational                      [Page 9]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


int SHA1Reset(  SHA1Context *);
int SHA1Input(  SHA1Context *,
                const uint8_t *,
                unsigned int);
int SHA1Result( SHA1Context *,
                uint8_t Message_Digest[SHA1HashSize]);

#endif

7.2 .c file

/*
 *  sha1.c
 *
 *  Description:
 *      This file implements the Secure Hashing Algorithm 1 as
 *      defined in FIPS PUB 180-1 published April 17, 1995.
 *
 *      The SHA-1, produces a 160-bit message digest for a given
 *      data stream.  It should take about 2**n steps to find a
 *      message with the same digest as a given message and
 *      2**(n/2) to find any two messages with the same digest,
 *      when n is the digest size in bits.  Therefore, this
 *      algorithm can serve as a means of providing a
 *      "fingerprint" for a message.
 *
 *  Portability Issues:
 *      SHA-1 is defined in terms of 32-bit "words".  This code
 *      uses <stdint.h> (included via "sha1.h" to define 32 and 8
 *      bit unsigned integer types.  If your C compiler does not
 *      support 32 bit unsigned integers, this code is not
 *      appropriate.
 *
 *  Caveats:
 *      SHA-1 is designed to work with messages less than 2^64 bits
 *      long.  Although SHA-1 allows a message digest to be generated
 *      for messages of any number of bits less than 2^64, this
 *      implementation only works with messages with a length that is
 *      a multiple of the size of an 8-bit character.
 *
 */










Eastlake & Jones             Informational                     [Page 10]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


#include "sha1.h"

/*
 *  Define the SHA1 circular left shift macro
 */
#define SHA1CircularShift(bits,word) \
                (((word) << (bits)) | ((word) >> (32-(bits))))

/* Local Function Prototyptes */
void SHA1PadMessage(SHA1Context *);
void SHA1ProcessMessageBlock(SHA1Context *);

/*
 *  SHA1Reset
 *
 *  Description:
 *      This function will initialize the SHA1Context in preparation
 *      for computing a new SHA1 message digest.
 *
 *  Parameters:
 *      context: [in/out]
 *          The context to reset.
 *
 *  Returns:
 *      sha Error Code.
 *
 */
int SHA1Reset(SHA1Context *context)
{
    if (!context)
    {
        return shaNull;
    }

    context->Length_Low             = 0;
    context->Length_High            = 0;
    context->Message_Block_Index    = 0;

    context->Intermediate_Hash[0]   = 0x67452301;
    context->Intermediate_Hash[1]   = 0xEFCDAB89;
    context->Intermediate_Hash[2]   = 0x98BADCFE;
    context->Intermediate_Hash[3]   = 0x10325476;
    context->Intermediate_Hash[4]   = 0xC3D2E1F0;

    context->Computed   = 0;
    context->Corrupted  = 0;





Eastlake & Jones             Informational                     [Page 11]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


    return shaSuccess;
}

/*
 *  SHA1Result
 *
 *  Description:
 *      This function will return the 160-bit message digest into the
 *      Message_Digest array  provided by the caller.
 *      NOTE: The first octet of hash is stored in the 0th element,
 *            the last octet of hash in the 19th element.
 *
 *  Parameters:
 *      context: [in/out]
 *          The context to use to calculate the SHA-1 hash.
 *      Message_Digest: [out]
 *          Where the digest is returned.
 *
 *  Returns:
 *      sha Error Code.
 *
 */
int SHA1Result( SHA1Context *context,
                uint8_t Message_Digest[SHA1HashSize])
{
    int i;

    if (!context || !Message_Digest)
    {
        return shaNull;
    }

    if (context->Corrupted)
    {
        return context->Corrupted;
    }

    if (!context->Computed)
    {
        SHA1PadMessage(context);
        for(i=0; i<64; ++i)
        {
            /* message may be sensitive, clear it out */
            context->Message_Block[i] = 0;
        }
        context->Length_Low = 0;    /* and clear length */
        context->Length_High = 0;
        context->Computed = 1;



Eastlake & Jones             Informational                     [Page 12]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


    }

    for(i = 0; i < SHA1HashSize; ++i)
    {
        Message_Digest[i] = context->Intermediate_Hash[i>>2]
                            >> 8 * ( 3 - ( i & 0x03 ) );
    }

    return shaSuccess;
}

/*
 *  SHA1Input
 *
 *  Description:
 *      This function accepts an array of octets as the next portion
 *      of the message.
 *
 *  Parameters:
 *      context: [in/out]
 *          The SHA context to update
 *      message_array: [in]
 *          An array of characters representing the next portion of
 *          the message.
 *      length: [in]
 *          The length of the message in message_array
 *
 *  Returns:
 *      sha Error Code.
 *
 */
int SHA1Input(    SHA1Context    *context,
                  const uint8_t  *message_array,
                  unsigned       length)
{
    if (!length)
    {
        return shaSuccess;
    }

    if (!context || !message_array)
    {
        return shaNull;
    }

    if (context->Computed)
    {
        context->Corrupted = shaStateError;



Eastlake & Jones             Informational                     [Page 13]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


        return shaStateError;
    }

    if (context->Corrupted)
    {
         return context->Corrupted;
    }
    while(length-- && !context->Corrupted)
    {
    context->Message_Block[context->Message_Block_Index++] =
                    (*message_array & 0xFF);

    context->Length_Low += 8;
    if (context->Length_Low == 0)
    {
        context->Length_High++;
        if (context->Length_High == 0)
        {
            /* Message is too long */
            context->Corrupted = 1;
        }
    }

    if (context->Message_Block_Index == 64)
    {
        SHA1ProcessMessageBlock(context);
    }

    message_array++;
    }

    return shaSuccess;
}

/*
 *  SHA1ProcessMessageBlock
 *
 *  Description:
 *      This function will process the next 512 bits of the message
 *      stored in the Message_Block array.
 *
 *  Parameters:
 *      None.
 *
 *  Returns:
 *      Nothing.
 *
 *  Comments:



Eastlake & Jones             Informational                     [Page 14]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


 *      Many of the variable names in this code, especially the
 *      single character names, were used because those were the
 *      names used in the publication.
 *
 *
 */
void SHA1ProcessMessageBlock(SHA1Context *context)
{
    const uint32_t K[] =    {       /* Constants defined in SHA-1   */
                            0x5A827999,
                            0x6ED9EBA1,
                            0x8F1BBCDC,
                            0xCA62C1D6
                            };
    int           t;                 /* Loop counter                */
    uint32_t      temp;              /* Temporary word value        */
    uint32_t      W[80];             /* Word sequence               */
    uint32_t      A, B, C, D, E;     /* Word buffers                */

    /*
     *  Initialize the first 16 words in the array W
     */
    for(t = 0; t < 16; t++)
    {
        W[t] = context->Message_Block[t * 4] << 24;
        W[t] |= context->Message_Block[t * 4 + 1] << 16;
        W[t] |= context->Message_Block[t * 4 + 2] << 8;
        W[t] |= context->Message_Block[t * 4 + 3];
    }

    for(t = 16; t < 80; t++)
    {
       W[t] = SHA1CircularShift(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
    }

    A = context->Intermediate_Hash[0];
    B = context->Intermediate_Hash[1];
    C = context->Intermediate_Hash[2];
    D = context->Intermediate_Hash[3];
    E = context->Intermediate_Hash[4];

    for(t = 0; t < 20; t++)
    {
        temp =  SHA1CircularShift(5,A) +
                ((B & C) | ((~B) & D)) + E + W[t] + K[0];
        E = D;
        D = C;
        C = SHA1CircularShift(30,B);



Eastlake & Jones             Informational                     [Page 15]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


        B = A;
        A = temp;
    }

    for(t = 20; t < 40; t++)
    {
        temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[1];
        E = D;
        D = C;
        C = SHA1CircularShift(30,B);
        B = A;
        A = temp;
    }

    for(t = 40; t < 60; t++)
    {
        temp = SHA1CircularShift(5,A) +
               ((B & C) | (B & D) | (C & D)) + E + W[t] + K[2];
        E = D;
        D = C;
        C = SHA1CircularShift(30,B);
        B = A;
        A = temp;
    }

    for(t = 60; t < 80; t++)
    {
        temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[3];
        E = D;
        D = C;
        C = SHA1CircularShift(30,B);
        B = A;
        A = temp;
    }

    context->Intermediate_Hash[0] += A;
    context->Intermediate_Hash[1] += B;
    context->Intermediate_Hash[2] += C;
    context->Intermediate_Hash[3] += D;
    context->Intermediate_Hash[4] += E;

    context->Message_Block_Index = 0;
}


/*
 *  SHA1PadMessage
 *



Eastlake & Jones             Informational                     [Page 16]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


 *  Description:
 *      According to the standard, the message must be padded to an even
 *      512 bits.  The first padding bit must be a '1'.  The last 64
 *      bits represent the length of the original message.  All bits in
 *      between should be 0.  This function will pad the message
 *      according to those rules by filling the Message_Block array
 *      accordingly.  It will also call the ProcessMessageBlock function
 *      provided appropriately.  When it returns, it can be assumed that
 *      the message digest has been computed.
 *
 *  Parameters:
 *      context: [in/out]
 *          The context to pad
 *      ProcessMessageBlock: [in]
 *          The appropriate SHA*ProcessMessageBlock function
 *  Returns:
 *      Nothing.
 *
 */

void SHA1PadMessage(SHA1Context *context)
{
    /*
     *  Check to see if the current message block is too small to hold
     *  the initial padding bits and length.  If so, we will pad the
     *  block, process it, and then continue padding into a second
     *  block.
     */
    if (context->Message_Block_Index > 55)
    {
        context->Message_Block[context->Message_Block_Index++] = 0x80;
        while(context->Message_Block_Index < 64)
        {
            context->Message_Block[context->Message_Block_Index++] = 0;
        }

        SHA1ProcessMessageBlock(context);

        while(context->Message_Block_Index < 56)
        {
            context->Message_Block[context->Message_Block_Index++] = 0;
        }
    }
    else
    {
        context->Message_Block[context->Message_Block_Index++] = 0x80;
        while(context->Message_Block_Index < 56)
        {



Eastlake & Jones             Informational                     [Page 17]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


            context->Message_Block[context->Message_Block_Index++] = 0;
        }
    }

    /*
     *  Store the message length as the last 8 octets
     */
    context->Message_Block[56] = context->Length_High >> 24;
    context->Message_Block[57] = context->Length_High >> 16;
    context->Message_Block[58] = context->Length_High >> 8;
    context->Message_Block[59] = context->Length_High;
    context->Message_Block[60] = context->Length_Low >> 24;
    context->Message_Block[61] = context->Length_Low >> 16;
    context->Message_Block[62] = context->Length_Low >> 8;
    context->Message_Block[63] = context->Length_Low;

    SHA1ProcessMessageBlock(context);
}

7.3 Test Driver

   The following code is a main program test driver to exercise the code
   in sha1.c.

/*
 *  sha1test.c
 *
 *  Description:
 *      This file will exercise the SHA-1 code performing the three
 *      tests documented in FIPS PUB 180-1 plus one which calls
 *      SHA1Input with an exact multiple of 512 bits, plus a few
 *      error test checks.
 *
 *  Portability Issues:
 *      None.
 *
 */

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include "sha1.h"

/*
 *  Define patterns for testing
 */
#define TEST1   "abc"
#define TEST2a  "abcdbcdecdefdefgefghfghighijhi"



Eastlake & Jones             Informational                     [Page 18]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


#define TEST2b  "jkijkljklmklmnlmnomnopnopq"
#define TEST2   TEST2a TEST2b
#define TEST3   "a"
#define TEST4a  "01234567012345670123456701234567"
#define TEST4b  "01234567012345670123456701234567"
    /* an exact multiple of 512 bits */
#define TEST4   TEST4a TEST4b
char *testarray[4] =
{
    TEST1,
    TEST2,
    TEST3,
    TEST4
};
long int repeatcount[4] = { 1, 1, 1000000, 10 };
char *resultarray[4] =
{
    "A9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D",
    "84 98 3E 44 1C 3B D2 6E BA AE 4A A1 F9 51 29 E5 E5 46 70 F1",
    "34 AA 97 3C D4 C4 DA A4 F6 1E EB 2B DB AD 27 31 65 34 01 6F",
    "DE A3 56 A2 CD DD 90 C7 A7 EC ED C5 EB B5 63 93 4F 46 04 52"
};

int main()
{
    SHA1Context sha;
    int i, j, err;
    uint8_t Message_Digest[20];

    /*
     *  Perform SHA-1 tests
     */
    for(j = 0; j < 4; ++j)
    {
        printf( "\nTest %d: %d, '%s'\n",
                j+1,
                repeatcount[j],
                testarray[j]);

        err = SHA1Reset(&sha);
        if (err)
        {
            fprintf(stderr, "SHA1Reset Error %d.\n", err );
            break;    /* out of for j loop */
        }

        for(i = 0; i < repeatcount[j]; ++i)
        {



Eastlake & Jones             Informational                     [Page 19]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


            err = SHA1Input(&sha,
                  (const unsigned char *) testarray[j],
                  strlen(testarray[j]));
            if (err)
            {
                fprintf(stderr, "SHA1Input Error %d.\n", err );
                break;    /* out of for i loop */
            }
        }

        err = SHA1Result(&sha, Message_Digest);
        if (err)
        {
            fprintf(stderr,
            "SHA1Result Error %d, could not compute message digest.\n",
            err );
        }
        else
        {
            printf("\t");
            for(i = 0; i < 20 ; ++i)
            {
                printf("%02X ", Message_Digest[i]);
            }
            printf("\n");
        }
        printf("Should match:\n");
        printf("\t%s\n", resultarray[j]);
    }

    /* Test some error returns */
    err = SHA1Input(&sha,(const unsigned char *) testarray[1], 1);
    printf ("\nError %d. Should be %d.\n", err, shaStateError );
    err = SHA1Reset(0);
    printf ("\nError %d. Should be %d.\n", err, shaNull );
    return 0;
}

8. Security Considerations

   This document is intended to provide convenient open source access by
   the Internet community to the United States of America Federal
   Information Processing Standard Secure Hash Function SHA-1 [FIPS
   180-1].  No independent assertion of the security of this hash
   function by the authors for any particular use is intended.






Eastlake & Jones             Informational                     [Page 20]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


References

   [FIPS 180-1] "Secure Hash Standard", United States of American,
                National Institute of Science and Technology, Federal
                Information Processing Standard (FIPS) 180-1, April
                1993.

   [MD4]        "The MD4 Message Digest Algorithm," Advances in
                Cryptology - CRYPTO '90 Proceedings, Springer-Verlag,
                1991, pp. 303-311.

   [RFC 1320]   Rivest, R., "The MD4 Message-Digest Algorithm", RFC
                1320, April 1992.

   [RFC 1321]   Rivest, R., "The MD5 Message-Digest Algorithm", RFC
                1321, April 1992.

   [RFC 1750]   Eastlake, D., Crocker, S. and J. Schiller, "Randomness
                Requirements for Security", RFC 1750, December 1994.

Authors' Addresses

   Donald E. Eastlake, 3rd
   Motorola
   155 Beaver Street
   Milford, MA 01757 USA

   Phone:   +1 508-634-2066 (h)
            +1 508-261-5434 (w)
   Fax:     +1 508-261-4777
   EMail:   Donald.Eastlake@motorola.com


   Paul E. Jones
   Cisco Systems, Inc.
   7025 Kit Creek Road
   Research Triangle Park, NC 27709 USA

   Phone:   +1 919 392 6948
   EMail:   paulej@packetizer.com











Eastlake & Jones             Informational                     [Page 21]

RFC 3174           US Secure Hash Algorithm 1 (SHA1)      September 2001


Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Eastlake & Jones             Informational                     [Page 22]