Verifying SHA-1 Algorithm (function)

Question 1

Thanks to Nickolay Olshevsky for the Test Vector guidance and to Daniel Kamil Kozar for the link.

The method to validate the algorithm is to feed it known test vectors and compare the digest to known digests from the NIST library: NIST Library

The best process for testing would be to send the algorithm on the platform that the code is running. Next best is to develop a C program the uses the source code file (without modifications).

Question 2

If you want something "official", then within the United States (and Canada, I believe), and it's a FIPS 140-2 algorithm (as SHA-1 is), then what comes to mind is the NIST Cryptographic Module Validation Program (CMVP). You can tell what's been validated by looking at the list of Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules.

A prerequisite to CMVP validation is Cryptographic Algorithm Validation Program (CAVP). That conformance testing will verify that your implementation complies with FIPS 180-4's definition of SHA-1 by using The Secure Hash Algorithm Validation System (SHAVS). All testing is done by a testing laboratory.

Be prepared to break out your checkbook - official validation testing isn't free, though it sounds like you haven't been looking at the full CMVP validation, so it might not be as expensive, particularly for only SHA-1.

P.S. is there any particular reason you're not starting with a SHA-2 family function (SHA-224, SHA-256, SHA-384, or SHA-512)? See NIST SP 800-131A - SHA-1 is deprecated or disallowed for almost all uses at this time, and if you're in the U.S., and you're doing medical work, you're likely bound by HIPAA and HITECH - using a fading hash standard seems pointless for new development - you don't want to have to go through the validation process a second time if SHA-1 is now, or becomes in the future, disallowed for whatever purpose you're using it for.