GNU libmicrohttpd 0.9.71
sha256.c
Go to the documentation of this file.
1/*
2 This file is part of libmicrohttpd
3 Copyright (C) 2019 Karlson2k (Evgeny Grin)
4 Some ideas are based on Libgcrypt implementation.
5 Copyright (C) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
6
7 libmicrohttpd is free software; you can redistribute it and/or
8 modify it under the terms of the GNU Lesser General Public
9 License as published by the Free Software Foundation; either
10 version 2.1 of the License, or (at your option) any later version.
11
12 This library is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public
18 License along with this library.
19 If not, see <http://www.gnu.org/licenses/>.
20*/
21
28/* Some tricks are based on Libgcrypt implementation. */
29
30#include "sha256.h"
31
32#include <string.h>
33#ifdef HAVE_MEMORY_H
34#include <memory.h>
35#endif /* HAVE_MEMORY_H */
36#include "mhd_bithelpers.h"
37#include "mhd_assert.h"
38
44void
45MHD_SHA256_init (void *ctx_)
46{
47 struct sha256_ctx *const ctx = ctx_;
48 /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.3 */
49 /* First thirty-two bits of the fractional parts of the square
50 * roots of the first eight prime numbers: 2, 3, 5, 7, 11, 13,
51 * 17, 19." */
52 ctx->H[0] = 0x6a09e667UL;
53 ctx->H[1] = 0xbb67ae85UL;
54 ctx->H[2] = 0x3c6ef372UL;
55 ctx->H[3] = 0xa54ff53aUL;
56 ctx->H[4] = 0x510e527fUL;
57 ctx->H[5] = 0x9b05688cUL;
58 ctx->H[6] = 0x1f83d9abUL;
59 ctx->H[7] = 0x5be0cd19UL;
60
61 /* Initialise number of bytes. */
62 ctx->count = 0;
63}
64
65
70#define SHA256_BYTES_IN_WORD 4
71
78static void
80 const uint8_t data[SHA256_BLOCK_SIZE])
81{
82 /* Working variables,
83 see FIPS PUB 180-4 paragraph 6.2. */
84 uint32_t a = H[0];
85 uint32_t b = H[1];
86 uint32_t c = H[2];
87 uint32_t d = H[3];
88 uint32_t e = H[4];
89 uint32_t f = H[5];
90 uint32_t g = H[6];
91 uint32_t h = H[7];
92
93 /* Data buffer, used as cyclic buffer.
94 See FIPS PUB 180-4 paragraphs 5.2.1, 6.2. */
95 uint32_t W[16];
96
97 /* 'Ch' and 'Maj' macro functions are defined with
98 widely-used optimization.
99 See FIPS PUB 180-4 formulae 4.2, 4.3. */
100#define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) )
101#define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
102 /* Unoptimized (original) versions: */
103/* #define Ch(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */
104/* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
105
106 /* Four 'Sigma' macro functions.
107 See FIPS PUB 180-4 formulae 4.4, 4.5, 4.6, 4.7. */
108#define SIG0(x) (_MHD_ROTR32 ((x),2) ^ _MHD_ROTR32 ((x),13) ^ _MHD_ROTR32 ((x), \
109 22) )
110#define SIG1(x) (_MHD_ROTR32 ((x),6) ^ _MHD_ROTR32 ((x),11) ^ _MHD_ROTR32 ((x), \
111 25) )
112#define sig0(x) (_MHD_ROTR32 ((x),7) ^ _MHD_ROTR32 ((x),18) ^ ((x) >> 3) )
113#define sig1(x) (_MHD_ROTR32 ((x),17) ^ _MHD_ROTR32 ((x),19) ^ ((x) >> 10) )
114
115 /* Single step of SHA-256 computation,
116 see FIPS PUB 180-4 paragraph 6.2.2 step 3.
117 * Note: instead of reassigning all working variables on each step,
118 variables are rotated for each step:
119 SHA2STEP32(a, b, c, d, e, f, g, h, K[0], data[0]);
120 SHA2STEP32(h, a, b, c, d, e, f, g, K[1], data[1]);
121 so current 'vD' will be used as 'vE' on next step,
122 current 'vH' will be used as 'vA' on next step.
123 * Note: first (vH += SIG1(vE) + Ch(vE,vF,vG) + kt + wt) equals T1 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
124 second (vH += SIG0(vA) + Maj(vE,vF,vC) equals T1 + T2 in FIPS PUB 180-4 paragraph 6.2.2 step 3.
125 * Note: 'wt' must be used exactly one time in this macro as it change other data as well
126 every time when used. */
127#define SHA2STEP32(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \
128 (vD) += ((vH) += SIG1 ((vE)) + Ch ((vE),(vF),(vG)) + (kt) + (wt)); \
129 (vH) += SIG0 ((vA)) + Maj ((vA),(vB),(vC)); } while (0)
130
131 /* Get value of W(t) from input data buffer,
132 See FIPS PUB 180-4 paragraph 6.2.
133 Input data must be read in big-endian bytes order,
134 see FIPS PUB 180-4 paragraph 3.1.2. */
135#define GET_W_FROM_DATA(buf,t) \
136 _MHD_GET_32BIT_BE (((const uint8_t*) (buf)) + (t) * SHA256_BYTES_IN_WORD)
137
138 /* During first 16 steps, before making any calculations on each step,
139 the W element is read from input data buffer as big-endian value and
140 stored in array of W elements. */
141 /* Note: instead of using K constants as array, all K values are specified
142 individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
143 SHA2STEP32 (a, b, c, d, e, f, g, h, 0x428a2f98UL, W[0] = GET_W_FROM_DATA (
144 data,0));
145 SHA2STEP32 (h, a, b, c, d, e, f, g, 0x71374491UL, W[1] = GET_W_FROM_DATA (
146 data,1));
147 SHA2STEP32 (g, h, a, b, c, d, e, f, 0xb5c0fbcfUL, W[2] = GET_W_FROM_DATA (
148 data,2));
149 SHA2STEP32 (f, g, h, a, b, c, d, e, 0xe9b5dba5UL, W[3] = GET_W_FROM_DATA (
150 data,3));
151 SHA2STEP32 (e, f, g, h, a, b, c, d, 0x3956c25bUL, W[4] = GET_W_FROM_DATA (
152 data,4));
153 SHA2STEP32 (d, e, f, g, h, a, b, c, 0x59f111f1UL, W[5] = GET_W_FROM_DATA (
154 data,5));
155 SHA2STEP32 (c, d, e, f, g, h, a, b, 0x923f82a4UL, W[6] = GET_W_FROM_DATA (
156 data,6));
157 SHA2STEP32 (b, c, d, e, f, g, h, a, 0xab1c5ed5UL, W[7] = GET_W_FROM_DATA (
158 data,7));
159 SHA2STEP32 (a, b, c, d, e, f, g, h, 0xd807aa98UL, W[8] = GET_W_FROM_DATA (
160 data,8));
161 SHA2STEP32 (h, a, b, c, d, e, f, g, 0x12835b01UL, W[9] = GET_W_FROM_DATA (
162 data,9));
163 SHA2STEP32 (g, h, a, b, c, d, e, f, 0x243185beUL, W[10] = GET_W_FROM_DATA (
164 data,10));
165 SHA2STEP32 (f, g, h, a, b, c, d, e, 0x550c7dc3UL, W[11] = GET_W_FROM_DATA (
166 data,11));
167 SHA2STEP32 (e, f, g, h, a, b, c, d, 0x72be5d74UL, W[12] = GET_W_FROM_DATA (
168 data,12));
169 SHA2STEP32 (d, e, f, g, h, a, b, c, 0x80deb1feUL, W[13] = GET_W_FROM_DATA (
170 data,13));
171 SHA2STEP32 (c, d, e, f, g, h, a, b, 0x9bdc06a7UL, W[14] = GET_W_FROM_DATA (
172 data,14));
173 SHA2STEP32 (b, c, d, e, f, g, h, a, 0xc19bf174UL, W[15] = GET_W_FROM_DATA (
174 data,15));
175
176 /* 'W' generation and assignment for 16 <= t <= 63.
177 See FIPS PUB 180-4 paragraph 6.2.2.
178 As only last 16 'W' are used in calculations, it is possible to
179 use 16 elements array of W as cyclic buffer.
180 * Note: ((t-16)&0xf) have same value as (t&0xf) */
181#define Wgen(w,t) ( (w)[(t - 16) & 0xf] + sig1 ((w)[((t) - 2) & 0xf]) \
182 + (w)[((t) - 7) & 0xf] + sig0 ((w)[((t) - 15) & 0xf]) )
183
184 /* During last 48 steps, before making any calculations on each step,
185 W element is generated from W elements of cyclic buffer and generated value
186 stored back in cyclic buffer. */
187 /* Note: instead of using K constants as array, all K values are specified
188 individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */
189 SHA2STEP32 (a, b, c, d, e, f, g, h, 0xe49b69c1UL, W[16 & 0xf] = Wgen (W,16));
190 SHA2STEP32 (h, a, b, c, d, e, f, g, 0xefbe4786UL, W[17 & 0xf] = Wgen (W,17));
191 SHA2STEP32 (g, h, a, b, c, d, e, f, 0x0fc19dc6UL, W[18 & 0xf] = Wgen (W,18));
192 SHA2STEP32 (f, g, h, a, b, c, d, e, 0x240ca1ccUL, W[19 & 0xf] = Wgen (W,19));
193 SHA2STEP32 (e, f, g, h, a, b, c, d, 0x2de92c6fUL, W[20 & 0xf] = Wgen (W,20));
194 SHA2STEP32 (d, e, f, g, h, a, b, c, 0x4a7484aaUL, W[21 & 0xf] = Wgen (W,21));
195 SHA2STEP32 (c, d, e, f, g, h, a, b, 0x5cb0a9dcUL, W[22 & 0xf] = Wgen (W,22));
196 SHA2STEP32 (b, c, d, e, f, g, h, a, 0x76f988daUL, W[23 & 0xf] = Wgen (W,23));
197 SHA2STEP32 (a, b, c, d, e, f, g, h, 0x983e5152UL, W[24 & 0xf] = Wgen (W,24));
198 SHA2STEP32 (h, a, b, c, d, e, f, g, 0xa831c66dUL, W[25 & 0xf] = Wgen (W,25));
199 SHA2STEP32 (g, h, a, b, c, d, e, f, 0xb00327c8UL, W[26 & 0xf] = Wgen (W,26));
200 SHA2STEP32 (f, g, h, a, b, c, d, e, 0xbf597fc7UL, W[27 & 0xf] = Wgen (W,27));
201 SHA2STEP32 (e, f, g, h, a, b, c, d, 0xc6e00bf3UL, W[28 & 0xf] = Wgen (W,28));
202 SHA2STEP32 (d, e, f, g, h, a, b, c, 0xd5a79147UL, W[29 & 0xf] = Wgen (W,29));
203 SHA2STEP32 (c, d, e, f, g, h, a, b, 0x06ca6351UL, W[30 & 0xf] = Wgen (W,30));
204 SHA2STEP32 (b, c, d, e, f, g, h, a, 0x14292967UL, W[31 & 0xf] = Wgen (W,31));
205 SHA2STEP32 (a, b, c, d, e, f, g, h, 0x27b70a85UL, W[32 & 0xf] = Wgen (W,32));
206 SHA2STEP32 (h, a, b, c, d, e, f, g, 0x2e1b2138UL, W[33 & 0xf] = Wgen (W,33));
207 SHA2STEP32 (g, h, a, b, c, d, e, f, 0x4d2c6dfcUL, W[34 & 0xf] = Wgen (W,34));
208 SHA2STEP32 (f, g, h, a, b, c, d, e, 0x53380d13UL, W[35 & 0xf] = Wgen (W,35));
209 SHA2STEP32 (e, f, g, h, a, b, c, d, 0x650a7354UL, W[36 & 0xf] = Wgen (W,36));
210 SHA2STEP32 (d, e, f, g, h, a, b, c, 0x766a0abbUL, W[37 & 0xf] = Wgen (W,37));
211 SHA2STEP32 (c, d, e, f, g, h, a, b, 0x81c2c92eUL, W[38 & 0xf] = Wgen (W,38));
212 SHA2STEP32 (b, c, d, e, f, g, h, a, 0x92722c85UL, W[39 & 0xf] = Wgen (W,39));
213 SHA2STEP32 (a, b, c, d, e, f, g, h, 0xa2bfe8a1UL, W[40 & 0xf] = Wgen (W,40));
214 SHA2STEP32 (h, a, b, c, d, e, f, g, 0xa81a664bUL, W[41 & 0xf] = Wgen (W,41));
215 SHA2STEP32 (g, h, a, b, c, d, e, f, 0xc24b8b70UL, W[42 & 0xf] = Wgen (W,42));
216 SHA2STEP32 (f, g, h, a, b, c, d, e, 0xc76c51a3UL, W[43 & 0xf] = Wgen (W,43));
217 SHA2STEP32 (e, f, g, h, a, b, c, d, 0xd192e819UL, W[44 & 0xf] = Wgen (W,44));
218 SHA2STEP32 (d, e, f, g, h, a, b, c, 0xd6990624UL, W[45 & 0xf] = Wgen (W,45));
219 SHA2STEP32 (c, d, e, f, g, h, a, b, 0xf40e3585UL, W[46 & 0xf] = Wgen (W,46));
220 SHA2STEP32 (b, c, d, e, f, g, h, a, 0x106aa070UL, W[47 & 0xf] = Wgen (W,47));
221 SHA2STEP32 (a, b, c, d, e, f, g, h, 0x19a4c116UL, W[48 & 0xf] = Wgen (W,48));
222 SHA2STEP32 (h, a, b, c, d, e, f, g, 0x1e376c08UL, W[49 & 0xf] = Wgen (W,49));
223 SHA2STEP32 (g, h, a, b, c, d, e, f, 0x2748774cUL, W[50 & 0xf] = Wgen (W,50));
224 SHA2STEP32 (f, g, h, a, b, c, d, e, 0x34b0bcb5UL, W[51 & 0xf] = Wgen (W,51));
225 SHA2STEP32 (e, f, g, h, a, b, c, d, 0x391c0cb3UL, W[52 & 0xf] = Wgen (W,52));
226 SHA2STEP32 (d, e, f, g, h, a, b, c, 0x4ed8aa4aUL, W[53 & 0xf] = Wgen (W,53));
227 SHA2STEP32 (c, d, e, f, g, h, a, b, 0x5b9cca4fUL, W[54 & 0xf] = Wgen (W,54));
228 SHA2STEP32 (b, c, d, e, f, g, h, a, 0x682e6ff3UL, W[55 & 0xf] = Wgen (W,55));
229 SHA2STEP32 (a, b, c, d, e, f, g, h, 0x748f82eeUL, W[56 & 0xf] = Wgen (W,56));
230 SHA2STEP32 (h, a, b, c, d, e, f, g, 0x78a5636fUL, W[57 & 0xf] = Wgen (W,57));
231 SHA2STEP32 (g, h, a, b, c, d, e, f, 0x84c87814UL, W[58 & 0xf] = Wgen (W,58));
232 SHA2STEP32 (f, g, h, a, b, c, d, e, 0x8cc70208UL, W[59 & 0xf] = Wgen (W,59));
233 SHA2STEP32 (e, f, g, h, a, b, c, d, 0x90befffaUL, W[60 & 0xf] = Wgen (W,60));
234 SHA2STEP32 (d, e, f, g, h, a, b, c, 0xa4506cebUL, W[61 & 0xf] = Wgen (W,61));
235 SHA2STEP32 (c, d, e, f, g, h, a, b, 0xbef9a3f7UL, W[62 & 0xf] = Wgen (W,62));
236 SHA2STEP32 (b, c, d, e, f, g, h, a, 0xc67178f2UL, W[63 & 0xf] = Wgen (W,63));
237
238 /* Compute intermediate hash.
239 See FIPS PUB 180-4 paragraph 4.2.2 step 4. */
240 H[0] += a;
241 H[1] += b;
242 H[2] += c;
243 H[3] += d;
244 H[4] += e;
245 H[5] += f;
246 H[6] += g;
247 H[7] += h;
248}
249
250
258void
260 const uint8_t *data,
261 size_t length)
262{
263 struct sha256_ctx *const ctx = ctx_;
264 unsigned bytes_have;
266 mhd_assert ((data != NULL) || (length == 0));
267
268 if (0 == length)
269 return; /* Do nothing */
270
271 /* Note: (count & (SHA256_BLOCK_SIZE-1))
272 equal (count % SHA256_BLOCK_SIZE) for this block size. */
273 bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1));
274 ctx->count += length;
275
276 if (0 != bytes_have)
277 {
278 unsigned bytes_left = SHA256_BLOCK_SIZE - bytes_have;
279 if (length >= bytes_left)
280 { /* Combine new data with data in buffer and
281 process full block. */
282 memcpy (ctx->buffer + bytes_have,
283 data,
284 bytes_left);
285 data += bytes_left;
286 length -= bytes_left;
287 sha256_transform (ctx->H, ctx->buffer);
288 bytes_have = 0;
289 }
290 }
291
292 while (SHA256_BLOCK_SIZE <= length)
293 { /* Process any full blocks of new data directly,
294 without copying to buffer. */
295 sha256_transform (ctx->H, data);
297 length -= SHA256_BLOCK_SIZE;
298 }
299
300 if (0 != length)
301 { /* Copy incomplete block of new data (if any)
302 to buffer. */
303 memcpy (ctx->buffer + bytes_have, data, length);
304 }
305}
306
307
312#define SHA256_SIZE_OF_LEN_ADD (64 / 8)
313
320void
321sha256_finish (void *ctx_,
322 uint8_t digest[SHA256_DIGEST_SIZE])
323{
324 struct sha256_ctx *const ctx = ctx_;
325 uint64_t num_bits;
326 unsigned bytes_have;
328 num_bits = ctx->count << 3;
329 /* Note: (count & (SHA256_BLOCK_SIZE-1))
330 equal (count % SHA256_BLOCK_SIZE) for this block size. */
331 bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1));
332
333 /* Input data must be padded with bit "1" and with length of data in bits.
334 See FIPS PUB 180-4 paragraph 5.1.1. */
335 /* Data is always processed in form of bytes (not by individual bits),
336 therefore position of first padding bit in byte is always predefined (0x80). */
337 /* Buffer always have space at least for one byte (as full buffers are
338 processed immediately). */
339 ctx->buffer[bytes_have++] = 0x80;
340
341 if (SHA256_BLOCK_SIZE - bytes_have < SHA256_SIZE_OF_LEN_ADD)
342 { /* No space in current block to put total length of message.
343 Pad current block with zeros and process it. */
344 while (bytes_have < SHA256_BLOCK_SIZE)
345 ctx->buffer[bytes_have++] = 0;
346 /* Process full block. */
347 sha256_transform (ctx->H, ctx->buffer);
348 /* Start new block. */
349 bytes_have = 0;
350 }
351
352 /* Pad the rest of the buffer with zeros. */
353 memset (ctx->buffer + bytes_have, 0,
355 /* Put number of bits in processed message as big-endian value. */
357 num_bits);
358 /* Process full final block. */
359 sha256_transform (ctx->H, ctx->buffer);
360
361 /* Put final hash/digest in BE mode */
362 _MHD_PUT_32BIT_BE (digest + 0 * SHA256_BYTES_IN_WORD, ctx->H[0]);
363 _MHD_PUT_32BIT_BE (digest + 1 * SHA256_BYTES_IN_WORD, ctx->H[1]);
364 _MHD_PUT_32BIT_BE (digest + 2 * SHA256_BYTES_IN_WORD, ctx->H[2]);
365 _MHD_PUT_32BIT_BE (digest + 3 * SHA256_BYTES_IN_WORD, ctx->H[3]);
366 _MHD_PUT_32BIT_BE (digest + 4 * SHA256_BYTES_IN_WORD, ctx->H[4]);
367 _MHD_PUT_32BIT_BE (digest + 5 * SHA256_BYTES_IN_WORD, ctx->H[5]);
368 _MHD_PUT_32BIT_BE (digest + 6 * SHA256_BYTES_IN_WORD, ctx->H[6]);
369 _MHD_PUT_32BIT_BE (digest + 7 * SHA256_BYTES_IN_WORD, ctx->H[7]);
370
371 /* Erase potentially sensitive data. */
372 memset (ctx, 0, sizeof(struct sha256_ctx));
373}
#define mhd_assert(CHK)
Definition: mhd_assert.h:39
#define NULL
Definition: reason_phrase.c:30
macros for bits manipulations
#define _MHD_PUT_64BIT_BE(addr, value64)
#define _MHD_PUT_32BIT_BE(addr, value32)
macros for mhd_assert()
void * data
Definition: microhttpd.h:3038
#define SHA256_BYTES_IN_WORD
Definition: sha256.c:70
#define Wgen(w, t)
#define SHA256_SIZE_OF_LEN_ADD
Definition: sha256.c:312
static void sha256_transform(uint32_t H[_SHA256_DIGEST_LENGTH], const uint8_t data[SHA256_BLOCK_SIZE])
Definition: sha256.c:79
void sha256_finish(void *ctx_, uint8_t digest[SHA256_DIGEST_SIZE])
Definition: sha256.c:321
#define SHA2STEP32(vA, vB, vC, vD, vE, vF, vG, vH, kt, wt)
#define GET_W_FROM_DATA(buf, t)
void MHD_SHA256_init(void *ctx_)
Definition: sha256.c:45
void MHD_SHA256_update(void *ctx_, const uint8_t *data, size_t length)
Definition: sha256.c:259
Calculation of SHA-256 digest.
#define _SHA256_DIGEST_LENGTH
Definition: sha256.h:36
#define SHA256_DIGEST_SIZE
Definition: sha256.h:41
#define SHA256_BLOCK_SIZE
Definition: sha256.h:51
uint8_t buffer[SHA256_BLOCK_SIZE]
Definition: sha256.h:58
uint32_t H[_SHA256_DIGEST_LENGTH]
Definition: sha256.h:56
uint64_t count
Definition: sha256.h:57