GNU libmicrohttpd  0.9.68
sha256.c
Go to the documentation of this file.
1 /*
2  This file is part of libmicrohttpd
3  Copyright (C) 2019 Karlson2k (Evgeny Grin)
4  Some ideas are based on Libgcrypt implementation.
5  Copyright (C) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
6 
7  libmicrohttpd is free software; you can redistribute it and/or
8  modify it under the terms of the GNU Lesser General Public
9  License as published by the Free Software Foundation; either
10  version 2.1 of the License, or (at your option) any later version.
11 
12  This library is distributed in the hope that it will be useful,
13  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  Lesser General Public License for more details.
16 
17  You should have received a copy of the GNU Lesser General Public
18  License along with this library.
19  If not, see <http://www.gnu.org/licenses/>.
20 */
21 
28 /* Some tricks are based on Libgcrypt implementation. */
29 
30 #include "sha256.h"
31 
32 #include <string.h>
33 #ifdef HAVE_MEMORY_H
34 #include <memory.h>
35 #endif /* HAVE_MEMORY_H */
36 #include "mhd_bithelpers.h"
37 #include "mhd_assert.h"
38 
44 void
45 MHD_SHA256_init (void *ctx_)
46 {
47  struct sha256_ctx *const ctx = ctx_;
48  /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.3 */
49  /* First thirty-two bits of the fractional parts of the square
50  * roots of the first eight prime numbers: 2, 3, 5, 7, 11, 13,
51  * 17, 19." */
52  ctx->H[0] = 0x6a09e667UL;
53  ctx->H[1] = 0xbb67ae85UL;
54  ctx->H[2] = 0x3c6ef372UL;
55  ctx->H[3] = 0xa54ff53aUL;
56  ctx->H[4] = 0x510e527fUL;
57  ctx->H[5] = 0x9b05688cUL;
58  ctx->H[6] = 0x1f83d9abUL;
59  ctx->H[7] = 0x5be0cd19UL;
60 
61  /* Initialise number of bytes. */
62  ctx->count = 0;
63 }
64 
69 #define SHA256_BYTES_IN_WORD 4
70 
77 static void
79  const uint8_t data[SHA256_BLOCK_SIZE])
80 {
81  /* Working variables,
82  see FIPS PUB 180-4 paragraph 6.2. */
83  uint32_t a = H[0];
84  uint32_t b = H[1];
85  uint32_t c = H[2];
86  uint32_t d = H[3];
87  uint32_t e = H[4];
88  uint32_t f = H[5];
89  uint32_t g = H[6];
90  uint32_t h = H[7];
91 
92  /* Data buffer, used as cyclic buffer.
93  See FIPS PUB 180-4 paragraphs 5.2.1, 6.2. */
94  uint32_t W[16];
95 
96  /* 'Ch' and 'Maj' macro functions are defined with
97  widely-used optimization.
98  See FIPS PUB 180-4 formulae 4.2, 4.3. */
99 #define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) )
100 #define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
101  /* Unoptimized (original) versions: */
102 /* #define Ch(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
103 /* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
104 
105  /* Four 'Sigma' macro functions.
106  See FIPS PUB 180-4 formulae 4.4, 4.5, 4.6, 4.7. */
107 #define SIG0(x) (_MHD_ROTR32 ((x),2) ^ _MHD_ROTR32 ((x),13) ^ _MHD_ROTR32 ((x), \
108  22) )
109 #define SIG1(x) (_MHD_ROTR32 ((x),6) ^ _MHD_ROTR32 ((x),11) ^ _MHD_ROTR32 ((x), \
110  25) )
111 #define sig0(x) (_MHD_ROTR32 ((x),7) ^ _MHD_ROTR32 ((x),18) ^ ((x) >> 3) )
112 #define sig1(x) (_MHD_ROTR32 ((x),17) ^ _MHD_ROTR32 ((x),19) ^ ((x) >> 10) )
113 
114  /* Single step of SHA-256 computation,
115  see FIPS PUB 180-4 paragraph 6.2.2 step 3.
116  * Note: instead of reassigning all working variables on each step,
117  variables are rotated for each step:
118  SHA2STEP32(a, b, c, d, e, f, g, h, K[0], data[0]);
119  SHA2STEP32(h, a, b, c, d, e, f, g, K[1], data[1]);
120  so current 'vD' will be used as 'vE' on next step,
121  current 'vH' will be used as 'vA' on next step.
122  * Note: first (vH += SIG1(vE) + Ch(vE,vF,vG) + kt + wt) equals T1 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
123  second (vH += SIG0(vA) + Maj(vE,vF,vC) equals T1 + T2 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
124  * Note: 'wt' must be used exactly one time in this macro as it change other data as well
125  every time when used. */
126 #define SHA2STEP32(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \
127  (vD) += ((vH) += SIG1 ((vE)) + Ch ((vE),(vF),(vG)) + (kt) + (wt)); \
128  (vH) += SIG0 ((vA)) + Maj ((vA),(vB),(vC)); } while (0)
129 
130  /* Get value of W(t) from input data buffer,
131  See FIPS PUB 180-4 paragraph 6.2.
132  Input data must be read in big-endian bytes order,
133  see FIPS PUB 180-4 paragraph 3.1.2. */
134 #define GET_W_FROM_DATA(buf,t) \
135  _MHD_GET_32BIT_BE (((const uint8_t*) (buf)) + (t) * SHA256_BYTES_IN_WORD)
136 
137  /* During first 16 steps, before making any calculations on each step,
138  the W element is read from input data buffer as big-endian value and
139  stored in array of W elements. */
140  /* Note: instead of using K constants as array, all K values are specified
141  individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
142  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x428a2f98UL, W[0] = GET_W_FROM_DATA (
143  data,0));
144  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x71374491UL, W[1] = GET_W_FROM_DATA (
145  data,1));
146  SHA2STEP32 (g, h, a, b, c, d, e, f, 0xb5c0fbcfUL, W[2] = GET_W_FROM_DATA (
147  data,2));
148  SHA2STEP32 (f, g, h, a, b, c, d, e, 0xe9b5dba5UL, W[3] = GET_W_FROM_DATA (
149  data,3));
150  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x3956c25bUL, W[4] = GET_W_FROM_DATA (
151  data,4));
152  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x59f111f1UL, W[5] = GET_W_FROM_DATA (
153  data,5));
154  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x923f82a4UL, W[6] = GET_W_FROM_DATA (
155  data,6));
156  SHA2STEP32 (b, c, d, e, f, g, h, a, 0xab1c5ed5UL, W[7] = GET_W_FROM_DATA (
157  data,7));
158  SHA2STEP32 (a, b, c, d, e, f, g, h, 0xd807aa98UL, W[8] = GET_W_FROM_DATA (
159  data,8));
160  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x12835b01UL, W[9] = GET_W_FROM_DATA (
161  data,9));
162  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x243185beUL, W[10] = GET_W_FROM_DATA (
163  data,10));
164  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x550c7dc3UL, W[11] = GET_W_FROM_DATA (
165  data,11));
166  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x72be5d74UL, W[12] = GET_W_FROM_DATA (
167  data,12));
168  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x80deb1feUL, W[13] = GET_W_FROM_DATA (
169  data,13));
170  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x9bdc06a7UL, W[14] = GET_W_FROM_DATA (
171  data,14));
172  SHA2STEP32 (b, c, d, e, f, g, h, a, 0xc19bf174UL, W[15] = GET_W_FROM_DATA (
173  data,15));
174 
175  /* 'W' generation and assignment for 16 <= t <= 63.
176  See FIPS PUB 180-4 paragraph 6.2.2.
177  As only last 16 'W' are used in calculations, it is possible to
178  use 16 elements array of W as cyclic buffer.
179  * Note: ((t-16)&0xf) have same value as (t&0xf) */
180 #define Wgen(w,t) ( (w)[(t - 16) & 0xf] + sig1 ((w)[((t) - 2) & 0xf]) \
181  + (w)[((t) - 7) & 0xf] + sig0 ((w)[((t) - 15) & 0xf]) )
182 
183  /* During last 48 steps, before making any calculations on each step,
184  W element is generated from W elements of cyclic buffer and generated value
185  stored back in cyclic buffer. */
186  /* Note: instead of using K constants as array, all K values are specified
187  individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
188  SHA2STEP32 (a, b, c, d, e, f, g, h, 0xe49b69c1UL, W[16 & 0xf] = Wgen (W,16));
189  SHA2STEP32 (h, a, b, c, d, e, f, g, 0xefbe4786UL, W[17 & 0xf] = Wgen (W,17));
190  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x0fc19dc6UL, W[18 & 0xf] = Wgen (W,18));
191  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x240ca1ccUL, W[19 & 0xf] = Wgen (W,19));
192  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x2de92c6fUL, W[20 & 0xf] = Wgen (W,20));
193  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x4a7484aaUL, W[21 & 0xf] = Wgen (W,21));
194  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x5cb0a9dcUL, W[22 & 0xf] = Wgen (W,22));
195  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x76f988daUL, W[23 & 0xf] = Wgen (W,23));
196  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x983e5152UL, W[24 & 0xf] = Wgen (W,24));
197  SHA2STEP32 (h, a, b, c, d, e, f, g, 0xa831c66dUL, W[25 & 0xf] = Wgen (W,25));
198  SHA2STEP32 (g, h, a, b, c, d, e, f, 0xb00327c8UL, W[26 & 0xf] = Wgen (W,26));
199  SHA2STEP32 (f, g, h, a, b, c, d, e, 0xbf597fc7UL, W[27 & 0xf] = Wgen (W,27));
200  SHA2STEP32 (e, f, g, h, a, b, c, d, 0xc6e00bf3UL, W[28 & 0xf] = Wgen (W,28));
201  SHA2STEP32 (d, e, f, g, h, a, b, c, 0xd5a79147UL, W[29 & 0xf] = Wgen (W,29));
202  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x06ca6351UL, W[30 & 0xf] = Wgen (W,30));
203  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x14292967UL, W[31 & 0xf] = Wgen (W,31));
204  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x27b70a85UL, W[32 & 0xf] = Wgen (W,32));
205  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x2e1b2138UL, W[33 & 0xf] = Wgen (W,33));
206  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x4d2c6dfcUL, W[34 & 0xf] = Wgen (W,34));
207  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x53380d13UL, W[35 & 0xf] = Wgen (W,35));
208  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x650a7354UL, W[36 & 0xf] = Wgen (W,36));
209  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x766a0abbUL, W[37 & 0xf] = Wgen (W,37));
210  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x81c2c92eUL, W[38 & 0xf] = Wgen (W,38));
211  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x92722c85UL, W[39 & 0xf] = Wgen (W,39));
212  SHA2STEP32 (a, b, c, d, e, f, g, h, 0xa2bfe8a1UL, W[40 & 0xf] = Wgen (W,40));
213  SHA2STEP32 (h, a, b, c, d, e, f, g, 0xa81a664bUL, W[41 & 0xf] = Wgen (W,41));
214  SHA2STEP32 (g, h, a, b, c, d, e, f, 0xc24b8b70UL, W[42 & 0xf] = Wgen (W,42));
215  SHA2STEP32 (f, g, h, a, b, c, d, e, 0xc76c51a3UL, W[43 & 0xf] = Wgen (W,43));
216  SHA2STEP32 (e, f, g, h, a, b, c, d, 0xd192e819UL, W[44 & 0xf] = Wgen (W,44));
217  SHA2STEP32 (d, e, f, g, h, a, b, c, 0xd6990624UL, W[45 & 0xf] = Wgen (W,45));
218  SHA2STEP32 (c, d, e, f, g, h, a, b, 0xf40e3585UL, W[46 & 0xf] = Wgen (W,46));
219  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x106aa070UL, W[47 & 0xf] = Wgen (W,47));
220  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x19a4c116UL, W[48 & 0xf] = Wgen (W,48));
221  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x1e376c08UL, W[49 & 0xf] = Wgen (W,49));
222  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x2748774cUL, W[50 & 0xf] = Wgen (W,50));
223  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x34b0bcb5UL, W[51 & 0xf] = Wgen (W,51));
224  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x391c0cb3UL, W[52 & 0xf] = Wgen (W,52));
225  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x4ed8aa4aUL, W[53 & 0xf] = Wgen (W,53));
226  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x5b9cca4fUL, W[54 & 0xf] = Wgen (W,54));
227  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x682e6ff3UL, W[55 & 0xf] = Wgen (W,55));
228  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x748f82eeUL, W[56 & 0xf] = Wgen (W,56));
229  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x78a5636fUL, W[57 & 0xf] = Wgen (W,57));
230  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x84c87814UL, W[58 & 0xf] = Wgen (W,58));
231  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x8cc70208UL, W[59 & 0xf] = Wgen (W,59));
232  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x90befffaUL, W[60 & 0xf] = Wgen (W,60));
233  SHA2STEP32 (d, e, f, g, h, a, b, c, 0xa4506cebUL, W[61 & 0xf] = Wgen (W,61));
234  SHA2STEP32 (c, d, e, f, g, h, a, b, 0xbef9a3f7UL, W[62 & 0xf] = Wgen (W,62));
235  SHA2STEP32 (b, c, d, e, f, g, h, a, 0xc67178f2UL, W[63 & 0xf] = Wgen (W,63));
236 
237  /* Compute intermediate hash.
238  See FIPS PUB 180-4 paragraph 4.2.2 step 4. */
239  H[0] += a;
240  H[1] += b;
241  H[2] += c;
242  H[3] += d;
243  H[4] += e;
244  H[5] += f;
245  H[6] += g;
246  H[7] += h;
247 }
248 
256 void
257 MHD_SHA256_update (void *ctx_,
258  const uint8_t *data,
259  size_t length)
260 {
261  struct sha256_ctx *const ctx = ctx_;
262  unsigned bytes_have;
264  mhd_assert ((data != NULL) || (length == 0));
265 
266  if (0 == length)
267  return; /* Do nothing */
268 
269  /* Note: (count & (SHA256_BLOCK_SIZE-1))
270  equal (count % SHA256_BLOCK_SIZE) for this block size. */
271  bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1));
272  ctx->count += length;
273 
274  if (0 != bytes_have)
275  {
276  unsigned bytes_left = SHA256_BLOCK_SIZE - bytes_have;
277  if (length >= bytes_left)
278  { /* Combine new data with data in buffer and
279  process full block. */
280  memcpy (ctx->buffer + bytes_have,
281  data,
282  bytes_left);
283  data += bytes_left;
284  length -= bytes_left;
285  sha256_transform (ctx->H, ctx->buffer);
286  bytes_have = 0;
287  }
288  }
289 
290  while (SHA256_BLOCK_SIZE <= length)
291  { /* Process any full blocks of new data directly,
292  without copying to buffer. */
293  sha256_transform (ctx->H, data);
295  length -= SHA256_BLOCK_SIZE;
296  }
297 
298  if (0 != length)
299  { /* Copy incomplete block of new data (if any)
300  to buffer. */
301  memcpy (ctx->buffer + bytes_have, data, length);
302  }
303 }
304 
305 
310 #define SHA256_SIZE_OF_LEN_ADD (64 / 8)
311 
318 void
319 sha256_finish (void *ctx_,
320  uint8_t digest[SHA256_DIGEST_SIZE])
321 {
322  struct sha256_ctx *const ctx = ctx_;
323  uint64_t num_bits;
324  unsigned bytes_have;
326  num_bits = ctx->count << 3;
327  /* Note: (count & (SHA256_BLOCK_SIZE-1))
328  equal (count % SHA256_BLOCK_SIZE) for this block size. */
329  bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1));
330 
331  /* Input data must be padded with bit "1" and with length of data in bits.
332  See FIPS PUB 180-4 paragraph 5.1.1. */
333  /* Data is always processed in form of bytes (not by individual bits),
334  therefore position of first padding bit in byte is always predefined (0x80). */
335  /* Buffer always have space at least for one byte (as full buffers are
336  processed immediately). */
337  ctx->buffer[bytes_have++] = 0x80;
338 
339  if (SHA256_BLOCK_SIZE - bytes_have < SHA256_SIZE_OF_LEN_ADD)
340  { /* No space in current block to put total length of message.
341  Pad current block with zeros and process it. */
342  while (bytes_have < SHA256_BLOCK_SIZE)
343  ctx->buffer[bytes_have++] = 0;
344  /* Process full block. */
345  sha256_transform (ctx->H, ctx->buffer);
346  /* Start new block. */
347  bytes_have = 0;
348  }
349 
350  /* Pad the rest of the buffer with zeros. */
351  memset (ctx->buffer + bytes_have, 0,
353  /* Put number of bits in processed message as big-endian value. */
355  num_bits);
356  /* Process full final block. */
357  sha256_transform (ctx->H, ctx->buffer);
358 
359  /* Put final hash/digest in BE mode */
360  _MHD_PUT_32BIT_BE (digest + 0 * SHA256_BYTES_IN_WORD, ctx->H[0]);
361  _MHD_PUT_32BIT_BE (digest + 1 * SHA256_BYTES_IN_WORD, ctx->H[1]);
362  _MHD_PUT_32BIT_BE (digest + 2 * SHA256_BYTES_IN_WORD, ctx->H[2]);
363  _MHD_PUT_32BIT_BE (digest + 3 * SHA256_BYTES_IN_WORD, ctx->H[3]);
364  _MHD_PUT_32BIT_BE (digest + 4 * SHA256_BYTES_IN_WORD, ctx->H[4]);
365  _MHD_PUT_32BIT_BE (digest + 5 * SHA256_BYTES_IN_WORD, ctx->H[5]);
366  _MHD_PUT_32BIT_BE (digest + 6 * SHA256_BYTES_IN_WORD, ctx->H[6]);
367  _MHD_PUT_32BIT_BE (digest + 7 * SHA256_BYTES_IN_WORD, ctx->H[7]);
368 
369  /* Erase potentially sensitive data. */
370  memset (ctx, 0, sizeof(struct sha256_ctx));
371 }
#define Wgen(w, t)
void * data
Definition: microhttpd.h:3031
#define SHA256_DIGEST_SIZE
Definition: sha256.h:41
#define SHA256_SIZE_OF_LEN_ADD
Definition: sha256.c:310
#define SHA2STEP32(vA, vB, vC, vD, vE, vF, vG, vH, kt, wt)
macros for mhd_assert()
void MHD_SHA256_init(void *ctx_)
Definition: sha256.c:45
#define NULL
Definition: reason_phrase.c:30
static void sha256_transform(uint32_t H[_SHA256_DIGEST_LENGTH], const uint8_t data[SHA256_BLOCK_SIZE])
Definition: sha256.c:78
void MHD_SHA256_update(void *ctx_, const uint8_t *data, size_t length)
Definition: sha256.c:257
uint64_t count
Definition: sha256.h:57
void sha256_finish(void *ctx_, uint8_t digest[SHA256_DIGEST_SIZE])
Definition: sha256.c:319
#define SHA256_BYTES_IN_WORD
Definition: sha256.c:69
#define mhd_assert(CHK)
Definition: mhd_assert.h:39
#define _MHD_PUT_64BIT_BE(addr, value64)
uint8_t buffer[SHA256_BLOCK_SIZE]
Definition: sha256.h:58
#define SHA256_BLOCK_SIZE
Definition: sha256.h:51
#define _SHA256_DIGEST_LENGTH
Definition: sha256.h:36
#define GET_W_FROM_DATA(buf, t)
Calculation of SHA-256 digest.
#define _MHD_PUT_32BIT_BE(addr, value32)
uint32_t H[_SHA256_DIGEST_LENGTH]
Definition: sha256.h:56
macros for bits manipulations