INFORMATIONAL

Errata Exist

Internet Engineering Task Force (IETF) D. Eastlake 3rd Request for Comments: 6234 Huawei Obsoletes: 4634 T. Hansen Updates: 3174 AT&T Labs Category: Informational May 2011 ISSN: 2070-1721 US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) Abstract The United States of America has adopted a suite of Secure Hash Algorithms (SHAs), including four beyond SHA-1, as part of a Federal Information Processing Standard (FIPS), namely SHA-224, SHA-256, SHA-384, and SHA-512. This document makes open source code performing these SHA hash functions conveniently available to the Internet community. The sample code supports input strings of arbitrary bit length. Much of the text herein was adapted by the authors from FIPS 180-2. This document replaces RFC 4634, fixing errata and adding code for an HMAC-based extract-and-expand Key Derivation Function, HKDF (RFC 5869). As with RFC 4634, code to perform SHA-based Hashed Message Authentication Codes (HMACs) is also included. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6234. Eastlake & Hansen Informational [Page 1]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Eastlake & Hansen Informational [Page 2]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 1 . Overview of Contents RFC2104]) based on the SHAs, and code to implement HKDF (HMAC-based Key Derivation Function, [RFC5869]) based on HMAC. Specifications for HMAC and HKDF are not included as they appear elsewhere in the RFC series [RFC2104] [RFC5869]. NOTE: Much of the text below is taken from [SHS], and the assertions of the security of the hash algorithms described therein are made by the US Government, the author of [SHS], not by the listed authors of this document. See also [RFC6194] concerning the security of SHA-1. The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], SHA-256, SHA-384, and SHA-512, for computing a condensed representation of a message or a data file. (SHA-1 is specified in [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to one of these algorithms, the result is an output called a message digest. The message digests range in length from 224 to 512 bits, depending on the algorithm. Secure Hash Algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash authentication codes, the generation of random numbers [RFC4086], or in key derivation functions. The algorithms specified in this document are called secure because it is computationally infeasible to (1) find a message that corresponds to a given message digest, or (2) find two different messages that produce the same message digest. Any change to a message in transit will, with very high probability, result in a different message digest. This will result in a verification failure when the Secure Hash Algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm. The code provided herein supports input strings of arbitrary bit length. SHA-1's sample code from [RFC3174] has also been updated to handle input strings of arbitrary bit length. Permission is granted for all uses, commercial and non-commercial, of this code. This document obsoletes [RFC4634], and the changes from that RFC are summarized in the Appendix. Eastlake & Hansen Informational [Page 4]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 RFC4055], are as follows: id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } Section 2 below defines the terminology and functions used as building blocks to form these algorithms. Section 3 describes the fundamental operations on words from which these algorithms are built. Section 4 describes how messages are padded up to an integral multiple of the required block size and then parsed into blocks. Section 5 defines the constants and the composite functions used to specify the hash algorithms. Section 6 gives the actual specification for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 provides pointers to the specification of HMAC keyed message authentication codes and to the specification of an extract-and-expand key derivation function based on HMAC. Section 8 gives sample code for the SHA algorithms, for SHA-based HMACs, and for HMAC-based extract-and-expand key derivation function. 2 . Notation for Bit Strings and Integers Eastlake & Hansen Informational [Page 5]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 3 . Operations on Words Eastlake & Hansen Informational [Page 6]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 7]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 4 . Message Padding and Parsing 4.1 . SHA-224 and SHA-256 Eastlake & Hansen Informational [Page 8]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 5 . Functions and Constants Used 5.1 . SHA-224 and SHA-256 Eastlake & Hansen Informational [Page 10]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 6 . Computing the Message Digest 6.1 . SHA-224 and SHA-256 Initialization Eastlake & Hansen Informational [Page 12]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 6.2 . SHA-224 and SHA-256 Processing Section 4.1 above, then parsed into 512-bit blocks that are considered to be composed of sixteen 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations are then performed for each of the N message blocks. All addition is performed modulo 2^32. For i = 1 to N 1. Prepare the message schedule W: For t = 0 to 15 Wt = M(i)t For t = 16 to 63 Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(w(t-15)) + W(t-16) Eastlake & Hansen Informational [Page 13]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 6.3 . SHA-384 and SHA-512 Initialization Eastlake & Hansen Informational [Page 14]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 6.4 . SHA-384 and SHA-512 Processing Section 4.2 above, then parsed into 1024-bit blocks that are considered to be composed of sixteen 64-bit words M(i)0, M(i)1, ..., M(i)15. The following computations are then performed for each of the N message blocks. All addition is performed modulo 2^64. Eastlake & Hansen Informational [Page 15]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 16]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 7 . HKDF- and SHA-Based HMACs 7.1 . SHA-Based HMACs RFC2104]. It uses a key to mix in with the input text to produce the final hash. Sample code is also provided, in Section 8.3 below, to perform HMAC based on any of the SHA algorithms described herein. The sample code found in [RFC2104] was written in terms of a specified text size. Since SHA is defined in terms of an arbitrary number of bits, the sample HMAC code has been written to allow the text input to HMAC to have an arbitrary number of octets and bits. A fixed-length interface is also provided. 7.2 . HKDF RFC5869], is based on HMAC. Sample code for HKDF is provided in Section 8.4 below. 8 . C Code for SHAs, HMAC, and HKDF Section 8.1 contains the header file sha.h that declares all constants, structures, and functions used by the SHA and HMAC functions. It includes conditionals based on the state of definition of USE_32BIT_ONLY that, if that symbol is defined at compile time, avoids 64-bit operations. It also contains sha- private.h that provides some declarations common to all the SHA functions. Section 8.2 contains the C code for sha1.c, sha224-256.c, sha384-512.c, and usha.c. Section 8.3 contains the C code for the HMAC functions, and Section 8.4 contains the C code for HKDF. Section 8.5 contains a test driver to exercise the code. For each of the digest lengths $$$, there is the following set of constants, a structure, and functions: Eastlake & Hansen Informational [Page 17]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 18]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 19]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 RFC2104], that allows a fixed-length text input to be used. int hmac(SHAversion whichSha, const unsigned char *text, int text_len, const unsigned char *key, int key_len, uint8_t Message_Digest[USHAMaxHashSize]); Calculate the given digest for the given text and key, and return the resulting MAC. Octets in Message_Digest beyond USHAHashSize(whichSha) are left untouched. The HKDF functions follow the same pattern to allow any length of text input to be used. Structure: typedef HKDFContext an opaque structure holding the complete state for producing the keying material Functions: int hkdfReset(HKDFContext *context, enum SHAversion whichSha, const unsigned char *salt, int salt_len) Reset the key derivation state and initialize it with the salt_len octets of the optional salt. int hkdfInput(HKDFContext *context, const unsigned char *ikm, int ikm_len) Incorporate ikm_len octets into the entropy extractor. int hkdfFinalBits(HKDFContext *context, uint8_t ikm_bits, unsigned int ikm_bit_count) Incorporate ikm_bit_count bits into the entropy extractor. int hkdfResult(HKDFContext *context, uint8_t prk[USHAMaxHashSize], const unsigned char *info, int info_len, uint8_t okm[ ], int okm_len) Finish the HKDF extraction and perform the final HKDF expansion, storing the okm_len octets into output keying material (okm). Optionally store the pseudo-random key (prk) that is generated internally. In addition, combined interfaces are provided, similar to that shown in [RFC5869], that allows a fixed-length text input to be used. int hkdfExtract(SHAversion whichSha, const unsigned char *salt, int salt_len, const unsigned char *ikm, int ikm_len, uint8_t prk[USHAMaxHashSize]) Eastlake & Hansen Informational [Page 20]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.1 . The Header Files 8.1.1 . The .h file Section 8.1.2, or the like. /**************************** sha.h ****************************/ /***************** See RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Eastlake & Hansen Informational [Page 21]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 http://csrc.nist.gov/publications/fips/ * fips180-3/fips180-3_final.pdf * * The five hashes are defined in these sizes: * SHA-1 20 byte / 160 bit * SHA-224 28 byte / 224 bit * SHA-256 32 byte / 256 bit * SHA-384 48 byte / 384 bit * SHA-512 64 byte / 512 bit * Eastlake & Hansen Informational [Page 22]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 23]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 24]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 25]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 26]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 27]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 RFC 2104, * for all SHAs. * This interface allows a fixed-length text input to be used. */ extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ const unsigned char *text, /* pointer to data stream */ int text_len, /* length of data stream */ const unsigned char *key, /* pointer to authentication key */ int key_len, /* length of authentication key */ uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ /* * HMAC Keyed-Hashing for Message Authentication, RFC 2104, * for all SHAs. * This interface allows any length of text input to be used. */ extern int hmacReset(HMACContext *context, enum SHAversion whichSha, const unsigned char *key, int key_len); extern int hmacInput(HMACContext *context, const unsigned char *text, int text_len); extern int hmacFinalBits(HMACContext *context, uint8_t bits, unsigned int bit_count); extern int hmacResult(HMACContext *context, uint8_t digest[USHAMaxHashSize]); /* * HKDF HMAC-based Extract-and-Expand Key Derivation Function, * RFC 5869, for all SHAs. */ extern int hkdf(SHAversion whichSha, const unsigned char *salt, int salt_len, const unsigned char *ikm, int ikm_len, const unsigned char *info, int info_len, uint8_t okm[ ], int okm_len); extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, int salt_len, const unsigned char *ikm, int ikm_len, uint8_t prk[USHAMaxHashSize]); extern int hkdfExpand(SHAversion whichSha, const uint8_t prk[ ], int prk_len, const unsigned char *info, int info_len, uint8_t okm[ ], int okm_len); /* * HKDF HMAC-based Extract-and-Expand Key Derivation Function, * RFC 5869, for all SHAs. * This interface allows any length of text input to be used. */ extern int hkdfReset(HKDFContext *context, enum SHAversion whichSha, const unsigned char *salt, int salt_len); Eastlake & Hansen Informational [Page 28]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.1.2 . stdint-example.h RFC 6234 for details. *******************/ #ifndef STDINT_H #define STDINT_H typedef unsigned long long uint64_t; /* unsigned 64-bit integer */ typedef unsigned int uint32_t; /* unsigned 32-bit integer */ typedef unsigned char uint8_t; /* unsigned 8-bit integer */ /* (i.e., unsigned char) */ typedef int int_least32_t; /* integer of >= 32 bits */ typedef short int_least16_t; /* integer of >= 16 bits */ #endif /* STDINT_H */ 8.1.3 . sha-private.h RFC 6234 for details. *******************/ #ifndef _SHA_PRIVATE__H #define _SHA_PRIVATE__H /* * These definitions are defined in FIPS 180-3, section 4.1. * Ch() and Maj() are defined identically in sections 4.1.1, * 4.1.2, and 4.1.3. * * The definitions used in FIPS 180-3 are as follows: */ Eastlake & Hansen Informational [Page 29]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.2 . The SHA Code 8.2.1 . sha1.c RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as */ /* authors of the code. All rights reserved. */ /* See sha.h for terms of use and redistribution. */ /* * Description: * This file implements the Secure Hash Algorithm SHA-1 * as defined in the U.S. National Institute of Standards * and Technology Federal Information Processing Standards * Publication (FIPS PUB) 180-3 published in October 2008 * and formerly defined in its predecessors, FIPS PUB 180-1 * and FIP PUB 180-2. * * A combined document showing all algorithms is available at * http://csrc.nist.gov/publications/fips/ * fips180-3/fips180-3_final.pdf * Eastlake & Hansen Informational [Page 30]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 31]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 section 5.3.1 */ context->Intermediate_Hash[0] = 0x67452301; context->Intermediate_Hash[1] = 0xEFCDAB89; context->Intermediate_Hash[2] = 0x98BADCFE; context->Intermediate_Hash[3] = 0x10325476; context->Intermediate_Hash[4] = 0xC3D2E1F0; context->Computed = 0; context->Corrupted = shaSuccess; return shaSuccess; } /* * SHA1Input * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update. * message_array[ ]: [in] * An array of octets representing the next portion of * the message. Eastlake & Hansen Informational [Page 32]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 33]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 34]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 36]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 37]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 38]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.2.2 . sha224-256.c RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as */ /* authors of the code. All rights reserved. */ /* See sha.h for terms of use and redistribution. */ /* * Description: * This file implements the Secure Hash Algorithms SHA-224 and * SHA-256 as defined in the U.S. National Institute of Standards * and Technology Federal Information Processing Standards * Publication (FIPS PUB) 180-3 published in October 2008 * and formerly defined in its predecessors, FIPS PUB 180-1 * and FIP PUB 180-2. * * A combined document showing all algorithms is available at * http://csrc.nist.gov/publications/fips/ * fips180-3/fips180-3_final.pdf * * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit * message digests for a given data stream. It should take about * 2**n steps to find a message with the same digest as a given * message and 2**(n/2) to find any two messages with the same * digest, when n is the digest size in bits. Therefore, this * algorithm can serve as a means of providing a * "fingerprint" for a message. * * Portability Issues: * SHA-224 and SHA-256 are defined in terms of 32-bit "words". * This code uses <stdint.h> (included via "sha.h") to define 32- * and 8-bit unsigned integer types. If your C compiler does not Eastlake & Hansen Informational [Page 39]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 40]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 section 5.3.2 */ static uint32_t SHA224_H0[SHA256HashSize/4] = { 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 }; /* Initial Hash Values: FIPS 180-3 section 5.3.3 */ static uint32_t SHA256_H0[SHA256HashSize/4] = { 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 }; /* * SHA224Reset * * Description: * This function will initialize the SHA224Context in preparation * for computing a new SHA224 message digest. * * Parameters: * context: [in/out] * The context to reset. * * Returns: * sha Error Code. */ int SHA224Reset(SHA224Context *context) { return SHA224_256Reset(context, SHA224_H0); } /* * SHA224Input * * Description: * This function accepts an array of octets as the next portion * of the message. * * Parameters: * context: [in/out] * The SHA context to update. * message_array[ ]: [in] * An array of octets representing the next portion of * the message. Eastlake & Hansen Informational [Page 41]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 42]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 43]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 44]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 45]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 46]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 section 4.2.2 */ static const uint32_t K[64] = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 }; int t, t4; /* Loop counter */ uint32_t temp1, temp2; /* Temporary word value */ uint32_t W[64]; /* Word sequence */ uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ /* * Initialize the first 16 words in the array W */ for (t = t4 = 0; t < 16; t++, t4 += 4) W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | (((uint32_t)context->Message_Block[t4 + 1]) << 16) | (((uint32_t)context->Message_Block[t4 + 2]) << 8) | (((uint32_t)context->Message_Block[t4 + 3])); Eastlake & Hansen Informational [Page 47]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 48]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 49]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 50]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.2.3 . sha384-512.c RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as */ /* authors of the code. All rights reserved. */ /* See sha.h for terms of use and redistribution. */ /* * Description: * This file implements the Secure Hash Algorithms SHA-384 and * SHA-512 as defined in the U.S. National Institute of Standards * and Technology Federal Information Processing Standards * Publication (FIPS PUB) 180-3 published in October 2008 * and formerly defined in its predecessors, FIPS PUB 180-1 * and FIP PUB 180-2. * * A combined document showing all algorithms is available at * http://csrc.nist.gov/publications/fips/ * fips180-3/fips180-3_final.pdf * * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit * message digests for a given data stream. It should take about * 2**n steps to find a message with the same digest as a given Eastlake & Hansen Informational [Page 51]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 52]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 53]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 54]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 section 4.1.3. * ((x & y) ^ (~x & z)) becomes * ((x & (y ^ z)) ^ z) */ #define SHA_Ch(x, y, z, ret) ( \ (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) /* * ((x & y) ^ (x & z) ^ (y & z)) becomes * ((x & (y | z)) | (y & z)) */ #define SHA_Maj(x, y, z, ret) ( \ ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) #endif /* USE_MODIFIED_MACROS */ /* * Add "length" to the length. * Set Corrupted when overflow has occurred. */ static uint32_t addTemp[4] = { 0, 0, 0, 0 }; #define SHA384_512AddLength(context, length) ( \ addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ (context)->Corrupted = (((context)->Length[3] < (length)) && \ ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ ((context)->Length[0] == 0)) ? shaInputTooLong : \ (context)->Corrupted ) /* Local Function Prototypes */ static int SHA384_512Reset(SHA512Context *context, uint32_t H0[SHA512HashSize/4]); static void SHA384_512ProcessMessageBlock(SHA512Context *context); static void SHA384_512Finalize(SHA512Context *context, uint8_t Pad_Byte); static void SHA384_512PadMessage(SHA512Context *context, uint8_t Pad_Byte); static int SHA384_512ResultN( SHA512Context *context, uint8_t Message_Digest[ ], int HashSize); /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ static uint32_t SHA384_H0[SHA512HashSize/4] = { 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, Eastlake & Hansen Informational [Page 56]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 57]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 5.3.4 and 5.3.5 */ static uint64_t SHA384_H0[ ] = { 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll }; static uint64_t SHA512_H0[ ] = { 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll }; #endif /* USE_32BIT_ONLY */ /* * SHA384Reset * * Description: * This function will initialize the SHA384Context in preparation * for computing a new SHA384 message digest. * * Parameters: * context: [in/out] * The context to reset. * * Returns: * sha Error Code. * */ int SHA384Reset(SHA384Context *context) { return SHA384_512Reset(context, SHA384_H0); } /* * SHA384Input * * Description: * This function accepts an array of octets as the next portion * of the message. Eastlake & Hansen Informational [Page 58]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 59]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 60]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 61]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 62]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 63]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 65]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 66]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 68]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 69]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 70]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 71]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 72]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.2.4 . usha.c RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as */ /* authors of the code. All rights reserved. */ /* See sha.h for terms of use and redistribution. */ /* * Description: * This file implements a unified interface to the SHA algorithms. */ #include "sha.h" /* * USHAReset * * Description: * This function will initialize the SHA Context in preparation * for computing a new SHA message digest. * * Parameters: * context: [in/out] * The context to reset. * whichSha: [in] * Selects which SHA reset to call * * Returns: * sha Error Code. * */ int USHAReset(USHAContext *context, enum SHAversion whichSha) { if (!context) return shaNull; context->whichSha = whichSha; switch (whichSha) { case SHA1: return SHA1Reset((SHA1Context*)&context->ctx); case SHA224: return SHA224Reset((SHA224Context*)&context->ctx); case SHA256: return SHA256Reset((SHA256Context*)&context->ctx); case SHA384: return SHA384Reset((SHA384Context*)&context->ctx); case SHA512: return SHA512Reset((SHA512Context*)&context->ctx); default: return shaBadParam; } } Eastlake & Hansen Informational [Page 73]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 74]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 75]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 76]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 77]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 78]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.3 . The HMAC Code RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as */ /* authors of the code. All rights reserved. */ /* See sha.h for terms of use and redistribution. */ /* * Description: * This file implements the HMAC algorithm (Keyed-Hashing for * Message Authentication, [RFC 2104]), expressed in terms of * the various SHA algorithms. */ #include "sha.h" /* * hmac * * Description: * This function will compute an HMAC message digest. * * Parameters: * whichSha: [in] * One of SHA1, SHA224, SHA256, SHA384, SHA512 * message_array[ ]: [in] * An array of octets representing the message. * Note: in RFC 2104, this parameter is known * as 'text'. * length: [in] * The length of the message in message_array. * key[ ]: [in] * The secret shared key. * key_len: [in] * The length of the secret shared key. * digest[ ]: [out] * Where the digest is to be returned. * NOTE: The length of the digest is determined by * the value of whichSha. * Eastlake & Hansen Informational [Page 79]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 80]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 81]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 82]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 83]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.4 . The HKDF Code RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as */ /* authors of the code. All rights reserved. */ /* See sha.h for terms of use and redistribution. */ /* * Description: * This file implements the HKDF algorithm (HMAC-based * Extract-and-Expand Key Derivation Function, RFC 5869), * expressed in terms of the various SHA algorithms. */ #include "sha.h" #include <string.h> #include <stdlib.h> /* * hkdf * * Description: * This function will generate keying material using HKDF. * * Parameters: * whichSha: [in] * One of SHA1, SHA224, SHA256, SHA384, SHA512 * salt[ ]: [in] * The optional salt value (a non-secret random value); * if not provided (salt == NULL), it is set internally Eastlake & Hansen Informational [Page 84]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 85]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 86]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 87]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 88]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 89]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 90]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 8.5 . The Test Driver US-ASCII] and a run time check warns if the code appears to have been compiled with some other character system. See also [SHAVS]. /************************** shatest.c **************************/ /***************** See RFC 6234 for details. *******************/ /* Copyright (c) 2011 IETF Trust and the persons identified as */ /* authors of the code. All rights reserved. */ /* See sha.h for terms of use and redistribution. */ /* * Description: * This file will exercise the SHA code performing * the three tests documented in FIPS PUB 180-3 * (http://csrc.nist.gov/publications/fips/ * fips180-2/fips180-2withchangenotice.pdf) * one that calls SHAInput with an exact multiple of 512 bits * the seven tests documented for each algorithm in * "The Secure Hash Algorithm Validation System (SHAVS)" * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), * three of which are bit-level tests * Eastlake & Hansen Informational [Page 91]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 http://csrc.nist.gov/groups/ST/toolkit/examples.html * * This file will exercise the HMAC SHA1 code performing * the seven tests documented in RFCs [RFC 2202] and [RFC 4231]. * * This file will exercise the HKDF code performing * the seven tests documented in RFC 4869. * * To run the tests and just see PASSED/FAILED, use the -p option. * * Other options exercise: * hashing an arbitrary string * hashing a file's contents * a few error test checks * printing the results in raw format * * Portability Issues: * None. * */ #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> #include <unistd.h> /* defines getopt() and optarg */ #include "sha.h" static int scasecmp(const char *s1, const char *s2); /* * Define patterns for testing */ #define TEST1 "abc" #define TEST2_1 \ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" #define TEST2_2a \ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" #define TEST2_2b \ "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" #define TEST2_2 TEST2_2a TEST2_2b #define TEST3 "a" /* times 1000000 */ #define TEST4a "01234567012345670123456701234567" #define TEST4b "01234567012345670123456701234567" /* an exact multiple of 512 bits */ #define TEST4 TEST4a TEST4b /* times 10 */ Eastlake & Hansen Informational [Page 92]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 93]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 94]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 95]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 96]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 97]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 98]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 99]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 100]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 101]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 102]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 103]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 RFC 5869 A.1. Test Case 1 */ SHA256, 22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" Eastlake & Hansen Informational [Page 104]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 RFC 5869 A.7. Test Case 7. */ SHA1, 22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 0, 0, 0, "", 20, "2ADCCADA18779E7C2077AD2EB19D3F3E731385DD", 42, "2C91117204D745F3500D636A62F64F0A" "B3BAE548AA53D423B0D1F27EBBA6F5E5" "673A081D70CCE7ACFC48" } }; /* * Check the hash value against the expected string, expressed in hex */ static const char hexdigits[ ] = "0123456789ABCDEF"; int checkmatch(const unsigned char *hashvalue, const char *hexstr, int hashsize) { int i; for (i = 0; i < hashsize; ++i) { if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) return 0; if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; } return 1; } /* * Print the string, converting non-printable characters to "." */ void printstr(const char *str, int len) { for ( ; len-- > 0; str++) putchar(isprint((unsigned char)*str) ? *str : '.'); } /* * Print the string, converting all characters to hex "## ". */ void printxstr(const char *str, int len) { char *sep = ""; for ( ; len-- > 0; str++) { printf("%s%c%c", sep, hexdigits[(*str >> 4) & 0xF], Eastlake & Hansen Informational [Page 107]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 108]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 109]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 110]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 111]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 112]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 113]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 114]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 115]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 116]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 117]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 118]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 119]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 120]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 121]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 Eastlake & Hansen Informational [Page 122]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 9 . Security Considerations RFC6194] for a discussion of SHA-1 Security Considerations. 10 . Acknowledgements RFC4634] that were provided by Alfred Hoenes and Jan Andres and to Alfred's comments on the document hereof. Also to the following in alphabetic order, whose comments lead to improvements in the document: James Carlson, Russ Housley, Tero Kivinen, Juergen Quittek, and Sean Turner. Eastlake & Hansen Informational [Page 123]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 SHAVS] "The Secure Hash Algorithm Validation System (SHAVS)", http://csrc.nist.gov/groups/STM/cavp/documents/shs/ SHAVS.pdf, July 2004. Eastlake & Hansen Informational [Page 125]

RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 RFC 4634 The following changes were made to RFC 4634 to produce this document: 1. Add code for HKDF and brief text about HKDF with pointer to [RFC5869]. 2. Fix numerous errata filed against [RFC4634] as included below. Note that in no case did the old code return an incorrect hash value. 2.a. Correct some of the error return values which has erroneously been "shaNull" to the correct "shaInputTooLong" error. 2.b. Update comments and variable names within the code for consistency and clarity and other editorial changes. 2.c. The previous code for SHA-384 and SHA-512 would stop after 2^93 bytes (2^96 bits). The fixed code handles up to 2^125 bytes (2^128 bits). 2.d. Add additional error checking including a run time check in the test driver to detect attempts to run the test driver after compilation using some other character set instead of [US-ASCII]. 3. Update boilerplate, remove special license in [RFC4634] as new boilerplate mandates simplified BSD license. 4. Replace MIT version of getopt with new code to satisfy IETF incoming and outgoing license restrictions. 5. Add references to [RFC6194]. 6. Other assorted editorial improvements. Eastlake & Hansen Informational [Page 126]