GNU libmicrohttpd  0.9.66
sha256.c
Go to the documentation of this file.
1 /*
2  This file is part of libmicrohttpd
3  Copyright (C) 2019 Karlson2k (Evgeny Grin)
4  Some ideas are based on Libgcrypt implementation.
5  Copyright (C) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
6 
7  libmicrohttpd is free software; you can redistribute it and/or
8  modify it under the terms of the GNU Lesser General Public
9  License as published by the Free Software Foundation; either
10  version 2.1 of the License, or (at your option) any later version.
11 
12  This library is distributed in the hope that it will be useful,
13  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  Lesser General Public License for more details.
16 
17  You should have received a copy of the GNU Lesser General Public
18  License along with this library.
19  If not, see <http://www.gnu.org/licenses/>.
20 */
21 
28 /* Some tricks are based on Libgcrypt implementation. */
29 
30 #include "sha256.h"
31 
32 #include <string.h>
33 #ifdef HAVE_MEMORY_H
34 #include <memory.h>
35 #endif /* HAVE_MEMORY_H */
36 #include "mhd_bithelpers.h"
37 #include "mhd_assert.h"
38 
44 void
45 MHD_SHA256_init (void *ctx_)
46 {
47  struct sha256_ctx *const ctx = ctx_;
48  /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.3 */
49  /* First thirty-two bits of the fractional parts of the square
50  * roots of the first eight prime numbers: 2, 3, 5, 7, 11, 13,
51  * 17, 19." */
52  ctx->H[0] = 0x6a09e667UL;
53  ctx->H[1] = 0xbb67ae85UL;
54  ctx->H[2] = 0x3c6ef372UL;
55  ctx->H[3] = 0xa54ff53aUL;
56  ctx->H[4] = 0x510e527fUL;
57  ctx->H[5] = 0x9b05688cUL;
58  ctx->H[6] = 0x1f83d9abUL;
59  ctx->H[7] = 0x5be0cd19UL;
60 
61  /* Initialise number of bytes. */
62  ctx->count = 0;
63 }
64 
69 #define SHA256_BYTES_IN_WORD 4
70 
77 static void
79  const uint8_t data[SHA256_BLOCK_SIZE])
80 {
81  /* Working variables,
82  see FIPS PUB 180-4 paragraph 6.2. */
83  uint32_t a = H[0];
84  uint32_t b = H[1];
85  uint32_t c = H[2];
86  uint32_t d = H[3];
87  uint32_t e = H[4];
88  uint32_t f = H[5];
89  uint32_t g = H[6];
90  uint32_t h = H[7];
91 
92  /* Data buffer, used as cyclic buffer.
93  See FIPS PUB 180-4 paragraphs 5.2.1, 6.2. */
94  uint32_t W[16];
95 
96  /* 'Ch' and 'Maj' macro functions are defined with
97  widely-used optimization.
98  See FIPS PUB 180-4 formulae 4.2, 4.3. */
99 #define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) )
100 #define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
101  /* Unoptimized (original) versions: */
102 /* #define Ch(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
103 /* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
104 
105  /* Four 'Sigma' macro functions.
106  See FIPS PUB 180-4 formulae 4.4, 4.5, 4.6, 4.7. */
107 #define SIG0(x) ( _MHD_ROTR32((x),2) ^ _MHD_ROTR32((x),13) ^ _MHD_ROTR32((x),22) )
108 #define SIG1(x) ( _MHD_ROTR32((x),6) ^ _MHD_ROTR32((x),11) ^ _MHD_ROTR32((x),25) )
109 #define sig0(x) ( _MHD_ROTR32((x),7) ^ _MHD_ROTR32((x),18) ^ ((x) >> 3) )
110 #define sig1(x) ( _MHD_ROTR32((x),17) ^ _MHD_ROTR32((x),19) ^ ((x) >> 10) )
111 
112  /* Single step of SHA-256 computation,
113  see FIPS PUB 180-4 paragraph 6.2.2 step 3.
114  * Note: instead of reassigning all working variables on each step,
115  variables are rotated for each step:
116  SHA2STEP32(a, b, c, d, e, f, g, h, K[0], data[0]);
117  SHA2STEP32(h, a, b, c, d, e, f, g, K[1], data[1]);
118  so current 'vD' will be used as 'vE' on next step,
119  current 'vH' will be used as 'vA' on next step.
120  * Note: first (vH += SIG1(vE) + Ch(vE,vF,vG) + kt + wt) equals T1 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
121  second (vH += SIG0(vA) + Maj(vE,vF,vC) equals T1 + T2 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
122  * Note: 'wt' must be used exactly one time in this macro as it change other data as well
123  every time when used. */
124 #define SHA2STEP32(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \
125  (vD) += ((vH) += SIG1((vE)) + Ch((vE),(vF),(vG)) + (kt) + (wt)); \
126  (vH) += SIG0((vA)) + Maj((vA),(vB),(vC)); } while (0)
127 
128  /* Get value of W(t) from input data buffer,
129  See FIPS PUB 180-4 paragraph 6.2.
130  Input data must be read in big-endian bytes order,
131  see FIPS PUB 180-4 paragraph 3.1.2. */
132 #define GET_W_FROM_DATA(buf,t) \
133  _MHD_GET_32BIT_BE(((const uint8_t*)(buf)) + (t) * SHA256_BYTES_IN_WORD)
134 
135  /* During first 16 steps, before making any calculations on each step,
136  the W element is read from input data buffer as big-endian value and
137  stored in array of W elements. */
138  /* Note: instead of using K constants as array, all K values are specified
139  individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
140  SHA2STEP32(a, b, c, d, e, f, g, h, 0x428a2f98UL, W[0] = GET_W_FROM_DATA(data,0));
141  SHA2STEP32(h, a, b, c, d, e, f, g, 0x71374491UL, W[1] = GET_W_FROM_DATA(data,1));
142  SHA2STEP32(g, h, a, b, c, d, e, f, 0xb5c0fbcfUL, W[2] = GET_W_FROM_DATA(data,2));
143  SHA2STEP32(f, g, h, a, b, c, d, e, 0xe9b5dba5UL, W[3] = GET_W_FROM_DATA(data,3));
144  SHA2STEP32(e, f, g, h, a, b, c, d, 0x3956c25bUL, W[4] = GET_W_FROM_DATA(data,4));
145  SHA2STEP32(d, e, f, g, h, a, b, c, 0x59f111f1UL, W[5] = GET_W_FROM_DATA(data,5));
146  SHA2STEP32(c, d, e, f, g, h, a, b, 0x923f82a4UL, W[6] = GET_W_FROM_DATA(data,6));
147  SHA2STEP32(b, c, d, e, f, g, h, a, 0xab1c5ed5UL, W[7] = GET_W_FROM_DATA(data,7));
148  SHA2STEP32(a, b, c, d, e, f, g, h, 0xd807aa98UL, W[8] = GET_W_FROM_DATA(data,8));
149  SHA2STEP32(h, a, b, c, d, e, f, g, 0x12835b01UL, W[9] = GET_W_FROM_DATA(data,9));
150  SHA2STEP32(g, h, a, b, c, d, e, f, 0x243185beUL, W[10] = GET_W_FROM_DATA(data,10));
151  SHA2STEP32(f, g, h, a, b, c, d, e, 0x550c7dc3UL, W[11] = GET_W_FROM_DATA(data,11));
152  SHA2STEP32(e, f, g, h, a, b, c, d, 0x72be5d74UL, W[12] = GET_W_FROM_DATA(data,12));
153  SHA2STEP32(d, e, f, g, h, a, b, c, 0x80deb1feUL, W[13] = GET_W_FROM_DATA(data,13));
154  SHA2STEP32(c, d, e, f, g, h, a, b, 0x9bdc06a7UL, W[14] = GET_W_FROM_DATA(data,14));
155  SHA2STEP32(b, c, d, e, f, g, h, a, 0xc19bf174UL, W[15] = GET_W_FROM_DATA(data,15));
156 
157  /* 'W' generation and assignment for 16 <= t <= 63.
158  See FIPS PUB 180-4 paragraph 6.2.2.
159  As only last 16 'W' are used in calculations, it is possible to
160  use 16 elements array of W as cyclic buffer.
161  * Note: ((t-16)&0xf) have same value as (t&0xf) */
162 #define Wgen(w,t) ( (w)[(t-16)&0xf] + sig1((w)[((t)-2)&0xf]) + \
163  (w)[((t)-7)&0xf] + sig0((w)[((t)-15)&0xf]) )
164 
165  /* During last 48 steps, before making any calculations on each step,
166  W element is generated from W elements of cyclic buffer and generated value
167  stored back in cyclic buffer. */
168  /* Note: instead of using K constants as array, all K values are specified
169  individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
170  SHA2STEP32(a, b, c, d, e, f, g, h, 0xe49b69c1UL, W[16&0xf] = Wgen(W,16));
171  SHA2STEP32(h, a, b, c, d, e, f, g, 0xefbe4786UL, W[17&0xf] = Wgen(W,17));
172  SHA2STEP32(g, h, a, b, c, d, e, f, 0x0fc19dc6UL, W[18&0xf] = Wgen(W,18));
173  SHA2STEP32(f, g, h, a, b, c, d, e, 0x240ca1ccUL, W[19&0xf] = Wgen(W,19));
174  SHA2STEP32(e, f, g, h, a, b, c, d, 0x2de92c6fUL, W[20&0xf] = Wgen(W,20));
175  SHA2STEP32(d, e, f, g, h, a, b, c, 0x4a7484aaUL, W[21&0xf] = Wgen(W,21));
176  SHA2STEP32(c, d, e, f, g, h, a, b, 0x5cb0a9dcUL, W[22&0xf] = Wgen(W,22));
177  SHA2STEP32(b, c, d, e, f, g, h, a, 0x76f988daUL, W[23&0xf] = Wgen(W,23));
178  SHA2STEP32(a, b, c, d, e, f, g, h, 0x983e5152UL, W[24&0xf] = Wgen(W,24));
179  SHA2STEP32(h, a, b, c, d, e, f, g, 0xa831c66dUL, W[25&0xf] = Wgen(W,25));
180  SHA2STEP32(g, h, a, b, c, d, e, f, 0xb00327c8UL, W[26&0xf] = Wgen(W,26));
181  SHA2STEP32(f, g, h, a, b, c, d, e, 0xbf597fc7UL, W[27&0xf] = Wgen(W,27));
182  SHA2STEP32(e, f, g, h, a, b, c, d, 0xc6e00bf3UL, W[28&0xf] = Wgen(W,28));
183  SHA2STEP32(d, e, f, g, h, a, b, c, 0xd5a79147UL, W[29&0xf] = Wgen(W,29));
184  SHA2STEP32(c, d, e, f, g, h, a, b, 0x06ca6351UL, W[30&0xf] = Wgen(W,30));
185  SHA2STEP32(b, c, d, e, f, g, h, a, 0x14292967UL, W[31&0xf] = Wgen(W,31));
186  SHA2STEP32(a, b, c, d, e, f, g, h, 0x27b70a85UL, W[32&0xf] = Wgen(W,32));
187  SHA2STEP32(h, a, b, c, d, e, f, g, 0x2e1b2138UL, W[33&0xf] = Wgen(W,33));
188  SHA2STEP32(g, h, a, b, c, d, e, f, 0x4d2c6dfcUL, W[34&0xf] = Wgen(W,34));
189  SHA2STEP32(f, g, h, a, b, c, d, e, 0x53380d13UL, W[35&0xf] = Wgen(W,35));
190  SHA2STEP32(e, f, g, h, a, b, c, d, 0x650a7354UL, W[36&0xf] = Wgen(W,36));
191  SHA2STEP32(d, e, f, g, h, a, b, c, 0x766a0abbUL, W[37&0xf] = Wgen(W,37));
192  SHA2STEP32(c, d, e, f, g, h, a, b, 0x81c2c92eUL, W[38&0xf] = Wgen(W,38));
193  SHA2STEP32(b, c, d, e, f, g, h, a, 0x92722c85UL, W[39&0xf] = Wgen(W,39));
194  SHA2STEP32(a, b, c, d, e, f, g, h, 0xa2bfe8a1UL, W[40&0xf] = Wgen(W,40));
195  SHA2STEP32(h, a, b, c, d, e, f, g, 0xa81a664bUL, W[41&0xf] = Wgen(W,41));
196  SHA2STEP32(g, h, a, b, c, d, e, f, 0xc24b8b70UL, W[42&0xf] = Wgen(W,42));
197  SHA2STEP32(f, g, h, a, b, c, d, e, 0xc76c51a3UL, W[43&0xf] = Wgen(W,43));
198  SHA2STEP32(e, f, g, h, a, b, c, d, 0xd192e819UL, W[44&0xf] = Wgen(W,44));
199  SHA2STEP32(d, e, f, g, h, a, b, c, 0xd6990624UL, W[45&0xf] = Wgen(W,45));
200  SHA2STEP32(c, d, e, f, g, h, a, b, 0xf40e3585UL, W[46&0xf] = Wgen(W,46));
201  SHA2STEP32(b, c, d, e, f, g, h, a, 0x106aa070UL, W[47&0xf] = Wgen(W,47));
202  SHA2STEP32(a, b, c, d, e, f, g, h, 0x19a4c116UL, W[48&0xf] = Wgen(W,48));
203  SHA2STEP32(h, a, b, c, d, e, f, g, 0x1e376c08UL, W[49&0xf] = Wgen(W,49));
204  SHA2STEP32(g, h, a, b, c, d, e, f, 0x2748774cUL, W[50&0xf] = Wgen(W,50));
205  SHA2STEP32(f, g, h, a, b, c, d, e, 0x34b0bcb5UL, W[51&0xf] = Wgen(W,51));
206  SHA2STEP32(e, f, g, h, a, b, c, d, 0x391c0cb3UL, W[52&0xf] = Wgen(W,52));
207  SHA2STEP32(d, e, f, g, h, a, b, c, 0x4ed8aa4aUL, W[53&0xf] = Wgen(W,53));
208  SHA2STEP32(c, d, e, f, g, h, a, b, 0x5b9cca4fUL, W[54&0xf] = Wgen(W,54));
209  SHA2STEP32(b, c, d, e, f, g, h, a, 0x682e6ff3UL, W[55&0xf] = Wgen(W,55));
210  SHA2STEP32(a, b, c, d, e, f, g, h, 0x748f82eeUL, W[56&0xf] = Wgen(W,56));
211  SHA2STEP32(h, a, b, c, d, e, f, g, 0x78a5636fUL, W[57&0xf] = Wgen(W,57));
212  SHA2STEP32(g, h, a, b, c, d, e, f, 0x84c87814UL, W[58&0xf] = Wgen(W,58));
213  SHA2STEP32(f, g, h, a, b, c, d, e, 0x8cc70208UL, W[59&0xf] = Wgen(W,59));
214  SHA2STEP32(e, f, g, h, a, b, c, d, 0x90befffaUL, W[60&0xf] = Wgen(W,60));
215  SHA2STEP32(d, e, f, g, h, a, b, c, 0xa4506cebUL, W[61&0xf] = Wgen(W,61));
216  SHA2STEP32(c, d, e, f, g, h, a, b, 0xbef9a3f7UL, W[62&0xf] = Wgen(W,62));
217  SHA2STEP32(b, c, d, e, f, g, h, a, 0xc67178f2UL, W[63&0xf] = Wgen(W,63));
218 
219  /* Compute intermediate hash.
220  See FIPS PUB 180-4 paragraph 4.2.2 step 4. */
221  H[0] += a;
222  H[1] += b;
223  H[2] += c;
224  H[3] += d;
225  H[4] += e;
226  H[5] += f;
227  H[6] += g;
228  H[7] += h;
229 }
230 
238 void
239 MHD_SHA256_update (void *ctx_,
240  const uint8_t *data,
241  size_t length)
242 {
243  struct sha256_ctx *const ctx = ctx_;
244  unsigned bytes_have;
246  mhd_assert((data != NULL) || (length == 0));
247 
248  if (0 == length)
249  return; /* Do nothing */
250 
251  /* Note: (count & (SHA256_BLOCK_SIZE-1))
252  equal (count % SHA256_BLOCK_SIZE) for this block size. */
253  bytes_have = (unsigned)(ctx->count & (SHA256_BLOCK_SIZE-1));
254  ctx->count += length;
255 
256  if (0 != bytes_have)
257  {
258  unsigned bytes_left = SHA256_BLOCK_SIZE - bytes_have;
259  if (length >= bytes_left)
260  { /* Combine new data with data in buffer and
261  process full block. */
262  memcpy (ctx->buffer + bytes_have,
263  data,
264  bytes_left);
265  data += bytes_left;
266  length -= bytes_left;
267  sha256_transform (ctx->H, ctx->buffer);
268  bytes_have = 0;
269  }
270  }
271 
272  while (SHA256_BLOCK_SIZE <= length)
273  { /* Process any full blocks of new data directly,
274  without copying to buffer. */
275  sha256_transform (ctx->H, data);
277  length -= SHA256_BLOCK_SIZE;
278  }
279 
280  if (0 != length)
281  { /* Copy incomplete block of new data (if any)
282  to buffer. */
283  memcpy (ctx->buffer + bytes_have, data, length);
284  }
285 }
286 
287 
292 #define SHA256_SIZE_OF_LEN_ADD (64 / 8)
293 
300 void
301 sha256_finish (void *ctx_,
302  uint8_t digest[SHA256_DIGEST_SIZE])
303 {
304  struct sha256_ctx *const ctx = ctx_;
305  uint64_t num_bits;
306  unsigned bytes_have;
308  num_bits = ctx->count << 3;
309  /* Note: (count & (SHA256_BLOCK_SIZE-1))
310  equal (count % SHA256_BLOCK_SIZE) for this block size. */
311  bytes_have = (unsigned)(ctx->count & (SHA256_BLOCK_SIZE-1));
312 
313  /* Input data must be padded with bit "1" and with length of data in bits.
314  See FIPS PUB 180-4 paragraph 5.1.1. */
315  /* Data is always processed in form of bytes (not by individual bits),
316  therefore position of first padding bit in byte is always predefined (0x80). */
317  /* Buffer always have space at least for one byte (as full buffers are
318  processed immediately). */
319  ctx->buffer[bytes_have++] = 0x80;
320 
321  if (SHA256_BLOCK_SIZE - bytes_have < SHA256_SIZE_OF_LEN_ADD)
322  { /* No space in current block to put total length of message.
323  Pad current block with zeros and process it. */
324  while (bytes_have < SHA256_BLOCK_SIZE) ctx->buffer[bytes_have++] = 0;
325  /* Process full block. */
326  sha256_transform (ctx->H, ctx->buffer);
327  /* Start new block. */
328  bytes_have = 0;
329  }
330 
331  /* Pad the rest of the buffer with zeros. */
332  memset(ctx->buffer + bytes_have, 0,
334  /* Put number of bits in processed message as big-endian value. */
336  /* Process full final block. */
337  sha256_transform (ctx->H, ctx->buffer);
338 
339  /* Put final hash/digest in BE mode */
340  _MHD_PUT_32BIT_BE(digest + 0 * SHA256_BYTES_IN_WORD, ctx->H[0]);
341  _MHD_PUT_32BIT_BE(digest + 1 * SHA256_BYTES_IN_WORD, ctx->H[1]);
342  _MHD_PUT_32BIT_BE(digest + 2 * SHA256_BYTES_IN_WORD, ctx->H[2]);
343  _MHD_PUT_32BIT_BE(digest + 3 * SHA256_BYTES_IN_WORD, ctx->H[3]);
344  _MHD_PUT_32BIT_BE(digest + 4 * SHA256_BYTES_IN_WORD, ctx->H[4]);
345  _MHD_PUT_32BIT_BE(digest + 5 * SHA256_BYTES_IN_WORD, ctx->H[5]);
346  _MHD_PUT_32BIT_BE(digest + 6 * SHA256_BYTES_IN_WORD, ctx->H[6]);
347  _MHD_PUT_32BIT_BE(digest + 7 * SHA256_BYTES_IN_WORD, ctx->H[7]);
348 
349  /* Erase potentially sensitive data. */
350  memset(ctx, 0, sizeof(struct sha256_ctx));
351 }
#define Wgen(w, t)
void * data
Definition: microhttpd.h:2959
#define SHA256_DIGEST_SIZE
Definition: sha256.h:41
#define SHA256_SIZE_OF_LEN_ADD
Definition: sha256.c:292
#define SHA2STEP32(vA, vB, vC, vD, vE, vF, vG, vH, kt, wt)
macros for mhd_assert()
void MHD_SHA256_init(void *ctx_)
Definition: sha256.c:45
#define NULL
Definition: reason_phrase.c:30
static void sha256_transform(uint32_t H[_SHA256_DIGEST_LENGTH], const uint8_t data[SHA256_BLOCK_SIZE])
Definition: sha256.c:78
void MHD_SHA256_update(void *ctx_, const uint8_t *data, size_t length)
Definition: sha256.c:239
uint64_t count
Definition: sha256.h:57
void sha256_finish(void *ctx_, uint8_t digest[SHA256_DIGEST_SIZE])
Definition: sha256.c:301
#define SHA256_BYTES_IN_WORD
Definition: sha256.c:69
#define mhd_assert(CHK)
Definition: mhd_assert.h:39
#define _MHD_PUT_64BIT_BE(addr, value64)
uint8_t buffer[SHA256_BLOCK_SIZE]
Definition: sha256.h:58
#define SHA256_BLOCK_SIZE
Definition: sha256.h:51
#define _SHA256_DIGEST_LENGTH
Definition: sha256.h:36
#define GET_W_FROM_DATA(buf, t)
Calculation of SHA-256 digest.
#define _MHD_PUT_32BIT_BE(addr, value32)
uint32_t H[_SHA256_DIGEST_LENGTH]
Definition: sha256.h:56
macros for bits manipulations