NAME
shs1, shs, sha1, sha - Secure Hash Standard
SYNOPSIS
shs1 [-cCdhiqtx] [-m num]
[-p prefix] [-P prefile] [-s str] file ...
shs [-cCdhiqtx] [-m num]
[-p prefix] [-P prefile] [-s str] file ...
sha1 [-cCdhiqtx] [-m num]
[-p prefix] [-P prefile] [-s str] file ...
sha [-cCdhiqtx] [-m num]
[-p prefix] [-P prefile] [-s str] file ...
DESCRIPTION
The sha1 utility implements the Secure Hash Algorithm-1
(SHA-1). It produces 160-bit Secure Hash Digests of files,
strings or data read on stdin. If no file is given, and no
string is to be digested (-s) then stdin will be digested.
By default, digests are printed as 40 hex characters
without a leading 0x.
The shs1 utility is the same as sha1 and is linked for
backward compatibility.
The Secure Hash Standard-1 (SHS-1) is a United States
Department of Commerce National Institute of Standards and
Technology approved standard (FIPS Pub 180-1) for secure
hashing. The SHS-1 is designed to work with the Digital
Signature Standard (DSS). The Secure Hash Algorithm (SHA-1)
specified in this standard is necessary to ensure the
security of the Digital Signature Standard. When a message
of length < 2^64 bits is input, the SHA-1 produces a 160-bit
representation of the message called the message digest. The
message digest is used during generation of a signature for
the message. The SHA-1 is designed to have the following
properties: it is computationally infeasible to recover a
message corresponding to a given message digest, or to find
two different messages which produce the same message
digest.
On 1994 May 31, the United States Department of Commerce
National Institute of Standards and Technology published a
technical modification (FIPS Pub 180-1) to the Secure Hash
Standard known as Secure Hash Algorithm-1 (SHA-1). The sha1
utility implements the new Secure Hash Algorithm-1 (SHA-1)
as specified by (FIPS Pub 180-1). The sha utility
implements the old Secure Hash Algorithm (SHA) as specified
by (FIPS Pub 180). It uses the same arguments and interface
as sha1. This utility is provided for backward
compatibility with versions at or before 2.10.1.
The shs utility is the same as sha and is linked for
backward compatibility.
If a str (string) argument is given, then the digest for
str, followed by a space, followed by str enclosed in double
quotes is written to stdout. Any file arguments are
ignored.
If one or more files are given, a separate digest is produced
for each file. By default, file digests are followed by a
space and the filename.
If no str or file arguments are given, then a digest of
stdin is written to stdout.
-c Print C style hex digests with a leading 0x.
-C When printing multi digests (see -d or -m num), do not
separate digests with spaces. When combined with -c
and -q, the output is only a single long hex value.
-d Shorthand for -m 2. Used for backward compatibility.
-h Print a help and usage message.
-i Compute inode digests of files.
Prepend the filename and various inode information to
the file data being digested. The inode information
prepended includes information such as the device
(st_dev), inode number (st_ino), mode (st_mode), link
count (st_nlink), uid (st_uid), gid (st_gid), size
(st_size), modification time (st_mtime) and change time
(st_ctime). The prepended data is padded with zeros to
make it a multiple of 64 bytes long. Both stat(2)
and lstat(2) information are used.
The -i flag allows one to include various inode
information in the digest. This option is useful in
detecting file tampering. For example, the following
will produce different digests:
sha1 -i /tmp/chongo
cp /tmp/chongo /tmp/was_here
cp /tmp/was_here /tmp/chongo
sha1 -i /tmp/chongo
Note that a -i digest is not portable to other systems.
This is because inode information will likely change as
the contents of a file are copied from machine to
machine.
To mark a -i digest as a special value, .0 is prepended
onto the digest output.
One may only compute inode digests of files. Use of -i
disables reading from stdin. The -i flag is not
compatible with -s.
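The idea behind -i, as an added Python example that is not part of the shs distribution: the header layout, field separator and helper names are assumptions made for illustration, so the digests will not match those printed by sha1 -i. Instead of the cp round trip shown above, it swaps the file for a byte-identical copy with a rename, which guarantees a new inode number.

```python
import hashlib
import os
import tempfile

# Fields named on the page; this byte layout is an assumption, not the tool's.
FIELDS = ("st_dev", "st_ino", "st_mode", "st_nlink", "st_uid", "st_gid",
          "st_size", "st_mtime", "st_ctime")


def inode_header(path):
    """Filename plus stat(2) and lstat(2) fields, zero-padded to 64 bytes."""
    parts = [os.fsencode(path)]
    for st in (os.stat(path), os.lstat(path)):
        parts.append(",".join(str(getattr(st, f)) for f in FIELDS).encode())
    header = b"\0".join(parts)
    return header + b"\0" * (-len(header) % 64)


def inode_digest(path):
    """SHA-1 over the padded header followed by the file contents."""
    h = hashlib.sha1(inode_header(path))
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def content_digest(path):
    """Plain SHA-1 of the file contents, for comparison."""
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.read()).hexdigest()


def replace_with_identical_copy(path):
    """Swap the file for a byte-identical copy, which lands on a new inode."""
    with open(path, "rb") as fh:
        data = fh.read()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    os.replace(tmp, path)


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "chongo")  # constructed sample file
    with open(path, "wb") as fh:
        fh.write(b"abc")
    before = (content_digest(path), inode_digest(path))
    replace_with_identical_copy(path)
    print(before, (content_digest(path), inode_digest(path)))
```

The content digest is identical before and after the swap, while the inode digest changes; that difference is what a plain SHA-1 baseline cannot see.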
-m num
Compute multiple digests in parallel.
Every num-th octet of the prefix (if given) and data
are processed by a separate digest. Each successive
octet is assigned an index starting with 0. The i-th
digest is taken from all octets with an index of i mod
num.
The result of a multiple digest is a hash that is num
times as long as a standard digest.
-p prefix
-P prefile
Insert a prefix into the data to be digested.
By using -p prefix, one may prepend any set of data with
a string. The digest produced is equivalent to the digest
that is produced with the string prepended to the data.
Thus the following two commands produce the same
digest:
sha1 -p curds -s whey
sha1 -s curdswhey
By use of the -P prefile interface, one may prepend
using up to the first 32k of a file. This interface allows
one to prepend using binary data. The following
produces the same digest:
sha1 -P /usr/bin/awk /bin/ls
dd if=/usr/bin/awk of=/tmp/foo bs=32k count=1
cat /tmp/foo /bin/ls > /tmp/ls
sha1 /tmp/ls
Knowledge of the original prepend data is only kept in
the digest. Thus one may use the prepend string as a
``salt'' making it intractable for someone else to
reproduce the digest of a file without knowledge of the
prepend data.
This feature works in conjunction with all modes of
operation except the -t and -x modes.
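The -m num interleaving and the -p prefix equivalence described above, modelled with Python's hashlib as an added example (not code from the shs distribution; the function names and the space-separated output are assumptions based on this page's description). It goes one step beyond the page by showing HMAC-SHA1 next to the prefix form, because a secret prefix hashed directly with SHA-1 is subject to length extension and HMAC is the standard keyed construction.

```python
import hashlib
import hmac


def prefix_digest(data: bytes, prefix: bytes = b"") -> str:
    """Model of -p/-P: SHA-1 over the prefix followed by the data."""
    return hashlib.sha1(prefix + data).hexdigest()


def multi_digest(data: bytes, num: int, prefix: bytes = b"", sep: str = " ") -> str:
    """Model of -m num: octet i of prefix+data feeds digest number i mod num."""
    if num < 1:
        raise ValueError("num must be at least 1")
    stream = prefix + data
    # stream[i::num] selects exactly the octets whose index is i mod num.
    parts = [hashlib.sha1(stream[i::num]).hexdigest() for i in range(num)]
    return sep.join(parts)  # sep="" models the -C flag


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA1: the standard keyed construction, shown for comparison."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


if __name__ == "__main__":
    # Constructed sample input taken from the page's curds/whey example.
    print(prefix_digest(b"whey", b"curds"))
    print(multi_digest(b"curdswhey", 2))
    print(multi_digest(b"whey", 2, prefix=b"curds", sep=""))
    print(keyed_digest(b"curds", b"whey"))
```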
-q Output only digests. The filename or string will not
be written to stdout.
-s str
Digest str as if it were a string.
The trailing NUL byte is not digested. No files are
digested. The str is written to stdout enclosed in
double quotes.
-t Time the user cpu seconds needed to digest several
megabytes of data. The number of megabytes, followed
by the digest produced, followed by the number of user
cpu seconds followed by the number of characters per
user second is written to stdout.
On some systems with certain virtual memory
characteristics, you may need to run the performance
test several times, ignoring the first result. The
default amount of data tested is 16 megabytes. On some
systems, this amount may differ. One may change the
number of megabytes processed by changing the value of
TEST_MEG in the file shs1drvr.c (or shsdrvr.c) and
recompiling.
-v Print the version.
-x Perform an extended standard SHS-1 test suite.
The test suite will first look in the current directory
for file1. If it is not found, it will look in
${DESTDIR} (usually /usr/local/lib/shs). It is assumed
that file2 is in the same location as
The standard test suite has been extended. The initial
string now says:
sha1 test suite results
instead of:
SHA test suite results
to reflect the utility name instead of the algorithm
implemented. This also helps distinguish this version
from much older versions which did not have the -v
flag. Also the original test file foo which contained
the string "abc" (with no newline) was renamed file1.
SEE ALSO
md5(1), stat(2), lstat(2)
FILES
${DESTDIR}/file1 alternate test file location
${DESTDIR}/file2 alternate test file location
The typical value of ${DESTDIR} is /usr/local/lib/shs, or
/usr/local/lib.
AUTHOR
Much of this code was written, re-written or modified by:
Landon Curt Noll ({chongo,noll}@{toad,sgi}.com) /\../\
This code is based on code by Peter C. Gutmann. Much thanks goes
to Peter C. Gutmann (pgut1@cs.aukuni.ac.nz), Shawn A. Clifford
(sac@eng.ufl.edu), Pat Myrto (pat@rwing.uucp), Colin Plumb
(colin@nyx10.cs.du.edu), Rich Schroeppel (rcs@cs.arizona.edu)
and others who wrote and/or worked on the original code.
NOTICE
LANDON CURT NOLL DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL LANDON CURT
NOLL BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
BUGS
The command:
sha1 -s '/\"O/\'
writes to stdout, the following line:
945a6306a6d7caee4a28fabb36838750a673fc9f "/
The string written in double quotes by -s may not be a valid
string according to C or shell syntax.