GNU libmicrohttpd  0.9.72
sha256.c
Go to the documentation of this file.
1 /*
2  This file is part of libmicrohttpd
3  Copyright (C) 2019 Karlson2k (Evgeny Grin)
4  Some ideas are based on Libgcrypt implementation.
5  Copyright (C) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
6 
7  libmicrohttpd is free software; you can redistribute it and/or
8  modify it under the terms of the GNU Lesser General Public
9  License as published by the Free Software Foundation; either
10  version 2.1 of the License, or (at your option) any later version.
11 
12  This library is distributed in the hope that it will be useful,
13  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  Lesser General Public License for more details.
16 
17  You should have received a copy of the GNU Lesser General Public
18  License along with this library.
19  If not, see <http://www.gnu.org/licenses/>.
20 */
21 
28 /* Some tricks are based on Libgcrypt implementation. */
29 
30 #include "sha256.h"
31 
32 #include <string.h>
33 #ifdef HAVE_MEMORY_H
34 #include <memory.h>
35 #endif /* HAVE_MEMORY_H */
36 #include "mhd_bithelpers.h"
37 #include "mhd_assert.h"
38 
44 void
45 MHD_SHA256_init (void *ctx_)
46 {
47  struct sha256_ctx *const ctx = ctx_;
48  /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.3 */
49  /* First thirty-two bits of the fractional parts of the square
50  * roots of the first eight prime numbers: 2, 3, 5, 7, 11, 13,
51  * 17, 19." */
52  ctx->H[0] = 0x6a09e667UL;
53  ctx->H[1] = 0xbb67ae85UL;
54  ctx->H[2] = 0x3c6ef372UL;
55  ctx->H[3] = 0xa54ff53aUL;
56  ctx->H[4] = 0x510e527fUL;
57  ctx->H[5] = 0x9b05688cUL;
58  ctx->H[6] = 0x1f83d9abUL;
59  ctx->H[7] = 0x5be0cd19UL;
60 
61  /* Initialise number of bytes. */
62  ctx->count = 0;
63 }
64 
65 
70 #define SHA256_BYTES_IN_WORD 4
71 
78 static void
80  const uint8_t data[SHA256_BLOCK_SIZE])
81 {
82  /* Working variables,
83  see FIPS PUB 180-4 paragraph 6.2. */
84  uint32_t a = H[0];
85  uint32_t b = H[1];
86  uint32_t c = H[2];
87  uint32_t d = H[3];
88  uint32_t e = H[4];
89  uint32_t f = H[5];
90  uint32_t g = H[6];
91  uint32_t h = H[7];
92 
93  /* Data buffer, used as cyclic buffer.
94  See FIPS PUB 180-4 paragraphs 5.2.1, 6.2. */
95  uint32_t W[16];
96 
97  /* 'Ch' and 'Maj' macro functions are defined with
98  widely-used optimization.
99  See FIPS PUB 180-4 formulae 4.2, 4.3. */
100 #define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) )
101 #define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
102  /* Unoptimized (original) versions: */
103 /* #define Ch(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
104 /* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
105 
106  /* Four 'Sigma' macro functions.
107  See FIPS PUB 180-4 formulae 4.4, 4.5, 4.6, 4.7. */
108 #define SIG0(x) (_MHD_ROTR32 ((x),2) ^ _MHD_ROTR32 ((x),13) ^ _MHD_ROTR32 ((x), \
109  22) )
110 #define SIG1(x) (_MHD_ROTR32 ((x),6) ^ _MHD_ROTR32 ((x),11) ^ _MHD_ROTR32 ((x), \
111  25) )
112 #define sig0(x) (_MHD_ROTR32 ((x),7) ^ _MHD_ROTR32 ((x),18) ^ ((x) >> 3) )
113 #define sig1(x) (_MHD_ROTR32 ((x),17) ^ _MHD_ROTR32 ((x),19) ^ ((x) >> 10) )
114 
115  /* Single step of SHA-256 computation,
116  see FIPS PUB 180-4 paragraph 6.2.2 step 3.
117  * Note: instead of reassigning all working variables on each step,
118  variables are rotated for each step:
119  SHA2STEP32(a, b, c, d, e, f, g, h, K[0], data[0]);
120  SHA2STEP32(h, a, b, c, d, e, f, g, K[1], data[1]);
121  so current 'vD' will be used as 'vE' on next step,
122  current 'vH' will be used as 'vA' on next step.
123  * Note: first (vH += SIG1(vE) + Ch(vE,vF,vG) + kt + wt) equals T1 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
124  second (vH += SIG0(vA) + Maj(vE,vF,vC) equals T1 + T2 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
125  * Note: 'wt' must be used exactly one time in this macro as it change other data as well
126  every time when used. */
127 #define SHA2STEP32(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \
128  (vD) += ((vH) += SIG1 ((vE)) + Ch ((vE),(vF),(vG)) + (kt) + (wt)); \
129  (vH) += SIG0 ((vA)) + Maj ((vA),(vB),(vC)); } while (0)
130 
131  /* Get value of W(t) from input data buffer,
132  See FIPS PUB 180-4 paragraph 6.2.
133  Input data must be read in big-endian bytes order,
134  see FIPS PUB 180-4 paragraph 3.1.2. */
135 #define GET_W_FROM_DATA(buf,t) \
136  _MHD_GET_32BIT_BE (((const uint8_t*) (buf)) + (t) * SHA256_BYTES_IN_WORD)
137 
138  /* During first 16 steps, before making any calculations on each step,
139  the W element is read from input data buffer as big-endian value and
140  stored in array of W elements. */
141  /* Note: instead of using K constants as array, all K values are specified
142  individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
143  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x428a2f98UL, W[0] = GET_W_FROM_DATA (
144  data,0));
145  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x71374491UL, W[1] = GET_W_FROM_DATA (
146  data,1));
147  SHA2STEP32 (g, h, a, b, c, d, e, f, 0xb5c0fbcfUL, W[2] = GET_W_FROM_DATA (
148  data,2));
149  SHA2STEP32 (f, g, h, a, b, c, d, e, 0xe9b5dba5UL, W[3] = GET_W_FROM_DATA (
150  data,3));
151  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x3956c25bUL, W[4] = GET_W_FROM_DATA (
152  data,4));
153  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x59f111f1UL, W[5] = GET_W_FROM_DATA (
154  data,5));
155  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x923f82a4UL, W[6] = GET_W_FROM_DATA (
156  data,6));
157  SHA2STEP32 (b, c, d, e, f, g, h, a, 0xab1c5ed5UL, W[7] = GET_W_FROM_DATA (
158  data,7));
159  SHA2STEP32 (a, b, c, d, e, f, g, h, 0xd807aa98UL, W[8] = GET_W_FROM_DATA (
160  data,8));
161  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x12835b01UL, W[9] = GET_W_FROM_DATA (
162  data,9));
163  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x243185beUL, W[10] = GET_W_FROM_DATA (
164  data,10));
165  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x550c7dc3UL, W[11] = GET_W_FROM_DATA (
166  data,11));
167  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x72be5d74UL, W[12] = GET_W_FROM_DATA (
168  data,12));
169  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x80deb1feUL, W[13] = GET_W_FROM_DATA (
170  data,13));
171  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x9bdc06a7UL, W[14] = GET_W_FROM_DATA (
172  data,14));
173  SHA2STEP32 (b, c, d, e, f, g, h, a, 0xc19bf174UL, W[15] = GET_W_FROM_DATA (
174  data,15));
175 
176  /* 'W' generation and assignment for 16 <= t <= 63.
177  See FIPS PUB 180-4 paragraph 6.2.2.
178  As only last 16 'W' are used in calculations, it is possible to
179  use 16 elements array of W as cyclic buffer.
180  * Note: ((t-16)&0xf) have same value as (t&0xf) */
181 #define Wgen(w,t) ( (w)[(t - 16) & 0xf] + sig1 ((w)[((t) - 2) & 0xf]) \
182  + (w)[((t) - 7) & 0xf] + sig0 ((w)[((t) - 15) & 0xf]) )
183 
184  /* During last 48 steps, before making any calculations on each step,
185  W element is generated from W elements of cyclic buffer and generated value
186  stored back in cyclic buffer. */
187  /* Note: instead of using K constants as array, all K values are specified
188  individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
189  SHA2STEP32 (a, b, c, d, e, f, g, h, 0xe49b69c1UL, W[16 & 0xf] = Wgen (W,16));
190  SHA2STEP32 (h, a, b, c, d, e, f, g, 0xefbe4786UL, W[17 & 0xf] = Wgen (W,17));
191  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x0fc19dc6UL, W[18 & 0xf] = Wgen (W,18));
192  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x240ca1ccUL, W[19 & 0xf] = Wgen (W,19));
193  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x2de92c6fUL, W[20 & 0xf] = Wgen (W,20));
194  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x4a7484aaUL, W[21 & 0xf] = Wgen (W,21));
195  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x5cb0a9dcUL, W[22 & 0xf] = Wgen (W,22));
196  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x76f988daUL, W[23 & 0xf] = Wgen (W,23));
197  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x983e5152UL, W[24 & 0xf] = Wgen (W,24));
198  SHA2STEP32 (h, a, b, c, d, e, f, g, 0xa831c66dUL, W[25 & 0xf] = Wgen (W,25));
199  SHA2STEP32 (g, h, a, b, c, d, e, f, 0xb00327c8UL, W[26 & 0xf] = Wgen (W,26));
200  SHA2STEP32 (f, g, h, a, b, c, d, e, 0xbf597fc7UL, W[27 & 0xf] = Wgen (W,27));
201  SHA2STEP32 (e, f, g, h, a, b, c, d, 0xc6e00bf3UL, W[28 & 0xf] = Wgen (W,28));
202  SHA2STEP32 (d, e, f, g, h, a, b, c, 0xd5a79147UL, W[29 & 0xf] = Wgen (W,29));
203  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x06ca6351UL, W[30 & 0xf] = Wgen (W,30));
204  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x14292967UL, W[31 & 0xf] = Wgen (W,31));
205  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x27b70a85UL, W[32 & 0xf] = Wgen (W,32));
206  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x2e1b2138UL, W[33 & 0xf] = Wgen (W,33));
207  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x4d2c6dfcUL, W[34 & 0xf] = Wgen (W,34));
208  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x53380d13UL, W[35 & 0xf] = Wgen (W,35));
209  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x650a7354UL, W[36 & 0xf] = Wgen (W,36));
210  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x766a0abbUL, W[37 & 0xf] = Wgen (W,37));
211  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x81c2c92eUL, W[38 & 0xf] = Wgen (W,38));
212  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x92722c85UL, W[39 & 0xf] = Wgen (W,39));
213  SHA2STEP32 (a, b, c, d, e, f, g, h, 0xa2bfe8a1UL, W[40 & 0xf] = Wgen (W,40));
214  SHA2STEP32 (h, a, b, c, d, e, f, g, 0xa81a664bUL, W[41 & 0xf] = Wgen (W,41));
215  SHA2STEP32 (g, h, a, b, c, d, e, f, 0xc24b8b70UL, W[42 & 0xf] = Wgen (W,42));
216  SHA2STEP32 (f, g, h, a, b, c, d, e, 0xc76c51a3UL, W[43 & 0xf] = Wgen (W,43));
217  SHA2STEP32 (e, f, g, h, a, b, c, d, 0xd192e819UL, W[44 & 0xf] = Wgen (W,44));
218  SHA2STEP32 (d, e, f, g, h, a, b, c, 0xd6990624UL, W[45 & 0xf] = Wgen (W,45));
219  SHA2STEP32 (c, d, e, f, g, h, a, b, 0xf40e3585UL, W[46 & 0xf] = Wgen (W,46));
220  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x106aa070UL, W[47 & 0xf] = Wgen (W,47));
221  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x19a4c116UL, W[48 & 0xf] = Wgen (W,48));
222  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x1e376c08UL, W[49 & 0xf] = Wgen (W,49));
223  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x2748774cUL, W[50 & 0xf] = Wgen (W,50));
224  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x34b0bcb5UL, W[51 & 0xf] = Wgen (W,51));
225  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x391c0cb3UL, W[52 & 0xf] = Wgen (W,52));
226  SHA2STEP32 (d, e, f, g, h, a, b, c, 0x4ed8aa4aUL, W[53 & 0xf] = Wgen (W,53));
227  SHA2STEP32 (c, d, e, f, g, h, a, b, 0x5b9cca4fUL, W[54 & 0xf] = Wgen (W,54));
228  SHA2STEP32 (b, c, d, e, f, g, h, a, 0x682e6ff3UL, W[55 & 0xf] = Wgen (W,55));
229  SHA2STEP32 (a, b, c, d, e, f, g, h, 0x748f82eeUL, W[56 & 0xf] = Wgen (W,56));
230  SHA2STEP32 (h, a, b, c, d, e, f, g, 0x78a5636fUL, W[57 & 0xf] = Wgen (W,57));
231  SHA2STEP32 (g, h, a, b, c, d, e, f, 0x84c87814UL, W[58 & 0xf] = Wgen (W,58));
232  SHA2STEP32 (f, g, h, a, b, c, d, e, 0x8cc70208UL, W[59 & 0xf] = Wgen (W,59));
233  SHA2STEP32 (e, f, g, h, a, b, c, d, 0x90befffaUL, W[60 & 0xf] = Wgen (W,60));
234  SHA2STEP32 (d, e, f, g, h, a, b, c, 0xa4506cebUL, W[61 & 0xf] = Wgen (W,61));
235  SHA2STEP32 (c, d, e, f, g, h, a, b, 0xbef9a3f7UL, W[62 & 0xf] = Wgen (W,62));
236  SHA2STEP32 (b, c, d, e, f, g, h, a, 0xc67178f2UL, W[63 & 0xf] = Wgen (W,63));
237 
238  /* Compute intermediate hash.
239  See FIPS PUB 180-4 paragraph 4.2.2 step 4. */
240  H[0] += a;
241  H[1] += b;
242  H[2] += c;
243  H[3] += d;
244  H[4] += e;
245  H[5] += f;
246  H[6] += g;
247  H[7] += h;
248 }
249 
250 
258 void
259 MHD_SHA256_update (void *ctx_,
260  const uint8_t *data,
261  size_t length)
262 {
263  struct sha256_ctx *const ctx = ctx_;
264  unsigned bytes_have;
266  mhd_assert ((data != NULL) || (length == 0));
267 
268  if (0 == length)
269  return; /* Do nothing */
270 
271  /* Note: (count & (SHA256_BLOCK_SIZE-1))
272  equal (count % SHA256_BLOCK_SIZE) for this block size. */
273  bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1));
274  ctx->count += length;
275 
276  if (0 != bytes_have)
277  {
278  unsigned bytes_left = SHA256_BLOCK_SIZE - bytes_have;
279  if (length >= bytes_left)
280  { /* Combine new data with data in buffer and
281  process full block. */
282  memcpy (ctx->buffer + bytes_have,
283  data,
284  bytes_left);
285  data += bytes_left;
286  length -= bytes_left;
287  sha256_transform (ctx->H, ctx->buffer);
288  bytes_have = 0;
289  }
290  }
291 
292  while (SHA256_BLOCK_SIZE <= length)
293  { /* Process any full blocks of new data directly,
294  without copying to buffer. */
295  sha256_transform (ctx->H, data);
297  length -= SHA256_BLOCK_SIZE;
298  }
299 
300  if (0 != length)
301  { /* Copy incomplete block of new data (if any)
302  to buffer. */
303  memcpy (ctx->buffer + bytes_have, data, length);
304  }
305 }
306 
307 
312 #define SHA256_SIZE_OF_LEN_ADD (64 / 8)
313 
320 void
321 sha256_finish (void *ctx_,
322  uint8_t digest[SHA256_DIGEST_SIZE])
323 {
324  struct sha256_ctx *const ctx = ctx_;
325  uint64_t num_bits;
326  unsigned bytes_have;
328  num_bits = ctx->count << 3;
329  /* Note: (count & (SHA256_BLOCK_SIZE-1))
330  equal (count % SHA256_BLOCK_SIZE) for this block size. */
331  bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1));
332 
333  /* Input data must be padded with bit "1" and with length of data in bits.
334  See FIPS PUB 180-4 paragraph 5.1.1. */
335  /* Data is always processed in form of bytes (not by individual bits),
336  therefore position of first padding bit in byte is always predefined (0x80). */
337  /* Buffer always have space at least for one byte (as full buffers are
338  processed immediately). */
339  ctx->buffer[bytes_have++] = 0x80;
340 
341  if (SHA256_BLOCK_SIZE - bytes_have < SHA256_SIZE_OF_LEN_ADD)
342  { /* No space in current block to put total length of message.
343  Pad current block with zeros and process it. */
344  while (bytes_have < SHA256_BLOCK_SIZE)
345  ctx->buffer[bytes_have++] = 0;
346  /* Process full block. */
347  sha256_transform (ctx->H, ctx->buffer);
348  /* Start new block. */
349  bytes_have = 0;
350  }
351 
352  /* Pad the rest of the buffer with zeros. */
353  memset (ctx->buffer + bytes_have, 0,
355  /* Put number of bits in processed message as big-endian value. */
357  num_bits);
358  /* Process full final block. */
359  sha256_transform (ctx->H, ctx->buffer);
360 
361  /* Put final hash/digest in BE mode */
362  _MHD_PUT_32BIT_BE (digest + 0 * SHA256_BYTES_IN_WORD, ctx->H[0]);
363  _MHD_PUT_32BIT_BE (digest + 1 * SHA256_BYTES_IN_WORD, ctx->H[1]);
364  _MHD_PUT_32BIT_BE (digest + 2 * SHA256_BYTES_IN_WORD, ctx->H[2]);
365  _MHD_PUT_32BIT_BE (digest + 3 * SHA256_BYTES_IN_WORD, ctx->H[3]);
366  _MHD_PUT_32BIT_BE (digest + 4 * SHA256_BYTES_IN_WORD, ctx->H[4]);
367  _MHD_PUT_32BIT_BE (digest + 5 * SHA256_BYTES_IN_WORD, ctx->H[5]);
368  _MHD_PUT_32BIT_BE (digest + 6 * SHA256_BYTES_IN_WORD, ctx->H[6]);
369  _MHD_PUT_32BIT_BE (digest + 7 * SHA256_BYTES_IN_WORD, ctx->H[7]);
370 
371  /* Erase potentially sensitive data. */
372  memset (ctx, 0, sizeof(struct sha256_ctx));
373 }
#define mhd_assert(CHK)
Definition: mhd_assert.h:39
#define NULL
Definition: reason_phrase.c:30
macros for bits manipulations
#define _MHD_PUT_64BIT_BE(addr, value64)
#define _MHD_PUT_32BIT_BE(addr, value32)
macros for mhd_assert()
void * data
Definition: microhttpd.h:3053
#define SHA256_BYTES_IN_WORD
Definition: sha256.c:70
#define Wgen(w, t)
#define SHA256_SIZE_OF_LEN_ADD
Definition: sha256.c:312
static void sha256_transform(uint32_t H[_SHA256_DIGEST_LENGTH], const uint8_t data[SHA256_BLOCK_SIZE])
Definition: sha256.c:79
void sha256_finish(void *ctx_, uint8_t digest[SHA256_DIGEST_SIZE])
Definition: sha256.c:321
#define SHA2STEP32(vA, vB, vC, vD, vE, vF, vG, vH, kt, wt)
#define GET_W_FROM_DATA(buf, t)
void MHD_SHA256_init(void *ctx_)
Definition: sha256.c:45
void MHD_SHA256_update(void *ctx_, const uint8_t *data, size_t length)
Definition: sha256.c:259
Calculation of SHA-256 digest.
#define _SHA256_DIGEST_LENGTH
Definition: sha256.h:36
#define SHA256_DIGEST_SIZE
Definition: sha256.h:41
#define SHA256_BLOCK_SIZE
Definition: sha256.h:51
uint8_t buffer[SHA256_BLOCK_SIZE]
Definition: sha256.h:58
uint32_t H[_SHA256_DIGEST_LENGTH]
Definition: sha256.h:56
uint64_t count
Definition: sha256.h:57