sha256.c (24755B)
1 /* 2 This file is part of libmicrohttpd 3 Copyright (C) 2019-2023 Evgeny Grin (Karlson2k) 4 5 libmicrohttpd is free software; you can redistribute it and/or 6 modify it under the terms of the GNU Lesser General Public 7 License as published by the Free Software Foundation; either 8 version 2.1 of the License, or (at your option) any later version. 9 10 This library is distributed in the hope that it will be useful, 11 but WITHOUT ANY WARRANTY; without even the implied warranty of 12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 Lesser General Public License for more details. 14 15 You should have received a copy of the GNU Lesser General Public 16 License along with this library. 17 If not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 /** 21 * @file microhttpd/sha256.c 22 * @brief Calculation of SHA-256 digest as defined in FIPS PUB 180-4 (2015) 23 * @author Karlson2k (Evgeny Grin) 24 */ 25 26 #include "sha256.h" 27 28 #include <string.h> 29 #ifdef HAVE_MEMORY_H 30 #include <memory.h> 31 #endif /* HAVE_MEMORY_H */ 32 #include "mhd_bithelpers.h" 33 #include "mhd_assert.h" 34 35 /** 36 * Initialise structure for SHA256 calculation. 37 * 38 * @param ctx must be a `struct Sha256Ctx *` 39 */ 40 void 41 MHD_SHA256_init (struct Sha256Ctx *ctx) 42 { 43 /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.3 */ 44 /* First thirty-two bits of the fractional parts of the square 45 * roots of the first eight prime numbers: 2, 3, 5, 7, 11, 13, 46 * 17, 19." */ 47 ctx->H[0] = UINT32_C (0x6a09e667); 48 ctx->H[1] = UINT32_C (0xbb67ae85); 49 ctx->H[2] = UINT32_C (0x3c6ef372); 50 ctx->H[3] = UINT32_C (0xa54ff53a); 51 ctx->H[4] = UINT32_C (0x510e527f); 52 ctx->H[5] = UINT32_C (0x9b05688c); 53 ctx->H[6] = UINT32_C (0x1f83d9ab); 54 ctx->H[7] = UINT32_C (0x5be0cd19); 55 56 /* Initialise number of bytes. */ 57 ctx->count = 0; 58 } 59 60 61 MHD_DATA_TRUNCATION_RUNTIME_CHECK_DISABLE_ 62 63 /** 64 * Base of SHA-256 transformation. 65 * Gets full 64 bytes block of data and updates hash values; 66 * @param H hash values 67 * @param data data, must be exactly 64 bytes long 68 */ 69 static void 70 sha256_transform (uint32_t H[SHA256_DIGEST_SIZE_WORDS], 71 const void *data) 72 { 73 /* Working variables, 74 see FIPS PUB 180-4 paragraph 6.2. */ 75 uint32_t a = H[0]; 76 uint32_t b = H[1]; 77 uint32_t c = H[2]; 78 uint32_t d = H[3]; 79 uint32_t e = H[4]; 80 uint32_t f = H[5]; 81 uint32_t g = H[6]; 82 uint32_t h = H[7]; 83 84 /* Data buffer, used as cyclic buffer. 85 See FIPS PUB 180-4 paragraphs 5.2.1, 6.2. */ 86 uint32_t W[16]; 87 88 #ifndef _MHD_GET_32BIT_BE_UNALIGNED 89 if (0 != (((uintptr_t) data) % _MHD_UINT32_ALIGN)) 90 { 91 /* Copy the unaligned input data to the aligned buffer */ 92 memcpy (W, data, SHA256_BLOCK_SIZE); 93 /* The W[] buffer itself will be used as the source of the data, 94 * but data will be reloaded in correct bytes order during 95 * the next steps */ 96 data = (const void *) W; 97 } 98 #endif /* _MHD_GET_32BIT_BE_UNALIGNED */ 99 100 /* 'Ch' and 'Maj' macro functions are defined with 101 widely-used optimization. 102 See FIPS PUB 180-4 formulae 4.2, 4.3. */ 103 #define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) ) 104 #define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) 105 /* Unoptimized (original) versions: */ 106 /* #define Ch(x,y,z) ( ( (x) & (y) ) ^ ( ~(x) & (z) ) ) */ 107 /* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ 108 109 /* Four 'Sigma' macro functions. 110 See FIPS PUB 180-4 formulae 4.4, 4.5, 4.6, 4.7. */ 111 #define SIG0(x) (_MHD_ROTR32 ((x), 2) ^ _MHD_ROTR32 ((x), 13) ^ \ 112 _MHD_ROTR32 ((x), 22) ) 113 #define SIG1(x) (_MHD_ROTR32 ((x), 6) ^ _MHD_ROTR32 ((x), 11) ^ \ 114 _MHD_ROTR32 ((x), 25) ) 115 #define sig0(x) (_MHD_ROTR32 ((x), 7) ^ _MHD_ROTR32 ((x), 18) ^ \ 116 ((x) >> 3) ) 117 #define sig1(x) (_MHD_ROTR32 ((x), 17) ^ _MHD_ROTR32 ((x),19) ^ \ 118 ((x) >> 10) ) 119 120 /* One step of SHA-256 computation, 121 see FIPS PUB 180-4 paragraph 6.2.2 step 3. 122 * Note: this macro updates working variables in-place, without rotation. 123 * Note: first (vH += SIG1(vE) + Ch(vE,vF,vG) + kt + wt) equals T1 in FIPS PUB 180-4 paragraph 6.2.2 step 3. 124 second (vH += SIG0(vA) + Maj(vE,vF,vC) equals T1 + T2 in FIPS PUB 180-4 paragraph 6.2.2 step 3. 125 * Note: 'wt' must be used exactly one time in this macro as it change other data as well 126 every time when used. */ 127 #define SHA2STEP32(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \ 128 (vD) += ((vH) += SIG1 ((vE)) + Ch ((vE),(vF),(vG)) + (kt) + (wt)); \ 129 (vH) += SIG0 ((vA)) + Maj ((vA),(vB),(vC)); } while (0) 130 131 /* Get value of W(t) from input data buffer, 132 See FIPS PUB 180-4 paragraph 6.2. 133 Input data must be read in big-endian bytes order, 134 see FIPS PUB 180-4 paragraph 3.1.2. */ 135 /* Use cast to (const void*) to mute compiler alignment warning, 136 * data was already aligned in previous step */ 137 #define GET_W_FROM_DATA(buf,t) \ 138 _MHD_GET_32BIT_BE ((const void*)(((const uint8_t*) (buf)) + \ 139 (t) * SHA256_BYTES_IN_WORD)) 140 141 /* 'W' generation and assignment for 16 <= t <= 63. 142 See FIPS PUB 180-4 paragraph 6.2.2. 143 As only last 16 'W' are used in calculations, it is possible to 144 use 16 elements array of W as cyclic buffer. 145 * Note: ((t-16)&0xf) have same value as (t&0xf) */ 146 #define Wgen(w,t) ( (w)[(t - 16) & 0xf] + sig1 ((w)[((t) - 2) & 0xf]) \ 147 + (w)[((t) - 7) & 0xf] + sig0 ((w)[((t) - 15) & 0xf]) ) 148 149 #ifndef MHD_FAVOR_SMALL_CODE 150 151 /* Note: instead of using K constants as array, all K values are specified 152 individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for 153 K values. */ 154 /* Note: instead of reassigning all working variables on each step, 155 variables are rotated for each step: 156 SHA2STEP32(a, b, c, d, e, f, g, h, K[0], data[0]); 157 SHA2STEP32(h, a, b, c, d, e, f, g, K[1], data[1]); 158 so current 'vD' will be used as 'vE' on next step, 159 current 'vH' will be used as 'vA' on next step. */ 160 #if _MHD_BYTE_ORDER == _MHD_BIG_ENDIAN 161 if ((const void *) W == data) 162 { 163 /* The input data is already in the cyclic data buffer W[] in correct bytes 164 order. */ 165 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x428a2f98), W[0]); 166 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x71374491), W[1]); 167 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xb5c0fbcf), W[2]); 168 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xe9b5dba5), W[3]); 169 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x3956c25b), W[4]); 170 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x59f111f1), W[5]); 171 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x923f82a4), W[6]); 172 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xab1c5ed5), W[7]); 173 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xd807aa98), W[8]); 174 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x12835b01), W[9]); 175 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x243185be), W[10]); 176 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x550c7dc3), W[11]); 177 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x72be5d74), W[12]); 178 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x80deb1fe), W[13]); 179 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x9bdc06a7), W[14]); 180 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xc19bf174), W[15]); 181 } 182 else /* Combined with the next 'if' */ 183 #endif /* _MHD_BYTE_ORDER == _MHD_BIG_ENDIAN */ 184 if (1) 185 { 186 /* During first 16 steps, before making any calculations on each step, 187 the W element is read from input data buffer as big-endian value and 188 stored in array of W elements. */ 189 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x428a2f98), W[0] = \ 190 GET_W_FROM_DATA (data, 0)); 191 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x71374491), W[1] = \ 192 GET_W_FROM_DATA (data, 1)); 193 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xb5c0fbcf), W[2] = \ 194 GET_W_FROM_DATA (data, 2)); 195 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xe9b5dba5), W[3] = \ 196 GET_W_FROM_DATA (data, 3)); 197 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x3956c25b), W[4] = \ 198 GET_W_FROM_DATA (data, 4)); 199 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x59f111f1), W[5] = \ 200 GET_W_FROM_DATA (data, 5)); 201 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x923f82a4), W[6] = \ 202 GET_W_FROM_DATA (data, 6)); 203 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xab1c5ed5), W[7] = \ 204 GET_W_FROM_DATA (data, 7)); 205 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xd807aa98), W[8] = \ 206 GET_W_FROM_DATA (data, 8)); 207 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x12835b01), W[9] = \ 208 GET_W_FROM_DATA (data, 9)); 209 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x243185be), W[10] = \ 210 GET_W_FROM_DATA (data, 10)); 211 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x550c7dc3), W[11] = \ 212 GET_W_FROM_DATA (data, 11)); 213 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x72be5d74), W[12] = \ 214 GET_W_FROM_DATA (data, 12)); 215 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x80deb1fe), W[13] = \ 216 GET_W_FROM_DATA (data, 13)); 217 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x9bdc06a7), W[14] = \ 218 GET_W_FROM_DATA (data, 14)); 219 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xc19bf174), W[15] = \ 220 GET_W_FROM_DATA (data, 15)); 221 } 222 223 /* During last 48 steps, before making any calculations on each step, 224 current W element is generated from other W elements of the cyclic buffer 225 and the generated value is stored back in the cyclic buffer. */ 226 /* Note: instead of using K constants as array, all K values are specified 227 individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */ 228 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xe49b69c1), W[16 & 0xf] = \ 229 Wgen (W,16)); 230 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0xefbe4786), W[17 & 0xf] = \ 231 Wgen (W,17)); 232 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x0fc19dc6), W[18 & 0xf] = \ 233 Wgen (W,18)); 234 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x240ca1cc), W[19 & 0xf] = \ 235 Wgen (W,19)); 236 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x2de92c6f), W[20 & 0xf] = \ 237 Wgen (W,20)); 238 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x4a7484aa), W[21 & 0xf] = \ 239 Wgen (W,21)); 240 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x5cb0a9dc), W[22 & 0xf] = \ 241 Wgen (W,22)); 242 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x76f988da), W[23 & 0xf] = \ 243 Wgen (W,23)); 244 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x983e5152), W[24 & 0xf] = \ 245 Wgen (W,24)); 246 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0xa831c66d), W[25 & 0xf] = \ 247 Wgen (W,25)); 248 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xb00327c8), W[26 & 0xf] = \ 249 Wgen (W,26)); 250 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xbf597fc7), W[27 & 0xf] = \ 251 Wgen (W,27)); 252 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0xc6e00bf3), W[28 & 0xf] = \ 253 Wgen (W,28)); 254 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0xd5a79147), W[29 & 0xf] = \ 255 Wgen (W,29)); 256 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x06ca6351), W[30 & 0xf] = \ 257 Wgen (W,30)); 258 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x14292967), W[31 & 0xf] = \ 259 Wgen (W,31)); 260 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x27b70a85), W[32 & 0xf] = \ 261 Wgen (W,32)); 262 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x2e1b2138), W[33 & 0xf] = \ 263 Wgen (W,33)); 264 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x4d2c6dfc), W[34 & 0xf] = \ 265 Wgen (W,34)); 266 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x53380d13), W[35 & 0xf] = \ 267 Wgen (W,35)); 268 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x650a7354), W[36 & 0xf] = \ 269 Wgen (W,36)); 270 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x766a0abb), W[37 & 0xf] = \ 271 Wgen (W,37)); 272 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x81c2c92e), W[38 & 0xf] = \ 273 Wgen (W,38)); 274 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x92722c85), W[39 & 0xf] = \ 275 Wgen (W,39)); 276 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xa2bfe8a1), W[40 & 0xf] = \ 277 Wgen (W,40)); 278 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0xa81a664b), W[41 & 0xf] = \ 279 Wgen (W,41)); 280 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xc24b8b70), W[42 & 0xf] = \ 281 Wgen (W,42)); 282 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xc76c51a3), W[43 & 0xf] = \ 283 Wgen (W,43)); 284 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0xd192e819), W[44 & 0xf] = \ 285 Wgen (W,44)); 286 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0xd6990624), W[45 & 0xf] = \ 287 Wgen (W,45)); 288 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0xf40e3585), W[46 & 0xf] = \ 289 Wgen (W,46)); 290 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x106aa070), W[47 & 0xf] = \ 291 Wgen (W,47)); 292 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x19a4c116), W[48 & 0xf] = \ 293 Wgen (W,48)); 294 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x1e376c08), W[49 & 0xf] = \ 295 Wgen (W,49)); 296 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x2748774c), W[50 & 0xf] = \ 297 Wgen (W,50)); 298 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x34b0bcb5), W[51 & 0xf] = \ 299 Wgen (W,51)); 300 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x391c0cb3), W[52 & 0xf] = \ 301 Wgen (W,52)); 302 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x4ed8aa4a), W[53 & 0xf] = \ 303 Wgen (W,53)); 304 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x5b9cca4f), W[54 & 0xf] = \ 305 Wgen (W,54)); 306 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x682e6ff3), W[55 & 0xf] = \ 307 Wgen (W,55)); 308 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x748f82ee), W[56 & 0xf] = \ 309 Wgen (W,56)); 310 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x78a5636f), W[57 & 0xf] = \ 311 Wgen (W,57)); 312 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x84c87814), W[58 & 0xf] = \ 313 Wgen (W,58)); 314 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x8cc70208), W[59 & 0xf] = \ 315 Wgen (W,59)); 316 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x90befffa), W[60 & 0xf] = \ 317 Wgen (W,60)); 318 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0xa4506ceb), W[61 & 0xf] = \ 319 Wgen (W,61)); 320 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0xbef9a3f7), W[62 & 0xf] = \ 321 Wgen (W,62)); 322 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xc67178f2), W[63 & 0xf] = \ 323 Wgen (W,63)); 324 #else /* ! MHD_FAVOR_SMALL_CODE */ 325 if (1) 326 { 327 unsigned int t; 328 /* K constants array. 329 See FIPS PUB 180-4 paragraph 4.2.2 for K values. */ 330 static const uint32_t K[80] = 331 { UINT32_C (0x428a2f98), UINT32_C (0x71374491), UINT32_C (0xb5c0fbcf), 332 UINT32_C (0xe9b5dba5), UINT32_C (0x3956c25b), UINT32_C (0x59f111f1), 333 UINT32_C (0x923f82a4), UINT32_C (0xab1c5ed5), UINT32_C (0xd807aa98), 334 UINT32_C (0x12835b01), UINT32_C (0x243185be), UINT32_C (0x550c7dc3), 335 UINT32_C (0x72be5d74), UINT32_C (0x80deb1fe), UINT32_C (0x9bdc06a7), 336 UINT32_C (0xc19bf174), UINT32_C (0xe49b69c1), UINT32_C (0xefbe4786), 337 UINT32_C (0x0fc19dc6), UINT32_C (0x240ca1cc), UINT32_C (0x2de92c6f), 338 UINT32_C (0x4a7484aa), UINT32_C (0x5cb0a9dc), UINT32_C (0x76f988da), 339 UINT32_C (0x983e5152), UINT32_C (0xa831c66d), UINT32_C (0xb00327c8), 340 UINT32_C (0xbf597fc7), UINT32_C (0xc6e00bf3), UINT32_C (0xd5a79147), 341 UINT32_C (0x06ca6351), UINT32_C (0x14292967), UINT32_C (0x27b70a85), 342 UINT32_C (0x2e1b2138), UINT32_C (0x4d2c6dfc), UINT32_C (0x53380d13), 343 UINT32_C (0x650a7354), UINT32_C (0x766a0abb), UINT32_C (0x81c2c92e), 344 UINT32_C (0x92722c85), UINT32_C (0xa2bfe8a1), UINT32_C (0xa81a664b), 345 UINT32_C (0xc24b8b70), UINT32_C (0xc76c51a3), UINT32_C (0xd192e819), 346 UINT32_C (0xd6990624), UINT32_C (0xf40e3585), UINT32_C (0x106aa070), 347 UINT32_C (0x19a4c116), UINT32_C (0x1e376c08), UINT32_C (0x2748774c), 348 UINT32_C (0x34b0bcb5), UINT32_C (0x391c0cb3), UINT32_C (0x4ed8aa4a), 349 UINT32_C (0x5b9cca4f), UINT32_C (0x682e6ff3), UINT32_C (0x748f82ee), 350 UINT32_C (0x78a5636f), UINT32_C (0x84c87814), UINT32_C (0x8cc70208), 351 UINT32_C (0x90befffa), UINT32_C (0xa4506ceb), UINT32_C (0xbef9a3f7), 352 UINT32_C (0xc67178f2) }; 353 /* One step of SHA-256 computation with working variables rotation, 354 see FIPS PUB 180-4 paragraph 6.2.2 step 3. 355 * Note: this version of macro reassign all working variable on 356 each step. */ 357 #define SHA2STEP32RV(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \ 358 uint32_t tmp_h_ = (vH); \ 359 SHA2STEP32((vA),(vB),(vC),(vD),(vE),(vF),(vG),tmp_h_,(kt),(wt)); \ 360 (vH) = (vG); \ 361 (vG) = (vF); \ 362 (vF) = (vE); \ 363 (vE) = (vD); \ 364 (vD) = (vC); \ 365 (vC) = (vB); \ 366 (vB) = (vA); \ 367 (vA) = tmp_h_; } while (0) 368 369 /* During first 16 steps, before making any calculations on each step, 370 the W element is read from input data buffer as big-endian value and 371 stored in array of W elements. */ 372 for (t = 0; t < 16; ++t) 373 { 374 SHA2STEP32RV (a, b, c, d, e, f, g, h, K[t], \ 375 W[t] = GET_W_FROM_DATA (data, t)); 376 } 377 378 /* During last 48 steps, before making any calculations on each step, 379 current W element is generated from other W elements of the cyclic buffer 380 and the generated value is stored back in the cyclic buffer. */ 381 for (t = 16; t < 64; ++t) 382 { 383 SHA2STEP32RV (a, b, c, d, e, f, g, h, K[t], W[t & 15] = Wgen (W,t)); 384 } 385 } 386 #endif /* ! MHD_FAVOR_SMALL_CODE */ 387 388 389 /* Compute intermediate hash. 390 See FIPS PUB 180-4 paragraph 6.2.2 step 4. */ 391 H[0] += a; 392 H[1] += b; 393 H[2] += c; 394 H[3] += d; 395 H[4] += e; 396 H[5] += f; 397 H[6] += g; 398 H[7] += h; 399 } 400 401 402 /** 403 * Process portion of bytes. 404 * 405 * @param ctx_ must be a `struct Sha256Ctx *` 406 * @param data bytes to add to hash 407 * @param length number of bytes in @a data 408 */ 409 void 410 MHD_SHA256_update (struct Sha256Ctx *ctx, 411 const uint8_t *data, 412 size_t length) 413 { 414 unsigned bytes_have; /**< Number of bytes in buffer */ 415 416 mhd_assert ((data != NULL) || (length == 0)); 417 418 #ifndef MHD_FAVOR_SMALL_CODE 419 if (0 == length) 420 return; /* Shortcut, do nothing */ 421 #endif /* MHD_FAVOR_SMALL_CODE */ 422 423 /* Note: (count & (SHA256_BLOCK_SIZE-1)) 424 equals (count % SHA256_BLOCK_SIZE) for this block size. */ 425 bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1)); 426 ctx->count += length; 427 428 if (0 != bytes_have) 429 { 430 unsigned bytes_left = SHA256_BLOCK_SIZE - bytes_have; 431 if (length >= bytes_left) 432 { /* Combine new data with data in the buffer and 433 process full block. */ 434 memcpy (((uint8_t *) ctx->buffer) + bytes_have, 435 data, 436 bytes_left); 437 data += bytes_left; 438 length -= bytes_left; 439 sha256_transform (ctx->H, ctx->buffer); 440 bytes_have = 0; 441 } 442 } 443 444 while (SHA256_BLOCK_SIZE <= length) 445 { /* Process any full blocks of new data directly, 446 without copying to the buffer. */ 447 sha256_transform (ctx->H, data); 448 data += SHA256_BLOCK_SIZE; 449 length -= SHA256_BLOCK_SIZE; 450 } 451 452 if (0 != length) 453 { /* Copy incomplete block of new data (if any) 454 to the buffer. */ 455 memcpy (((uint8_t *) ctx->buffer) + bytes_have, data, length); 456 } 457 } 458 459 460 /** 461 * Size of "length" padding addition in bytes. 462 * See FIPS PUB 180-4 paragraph 5.1.1. 463 */ 464 #define SHA256_SIZE_OF_LEN_ADD (64 / 8) 465 466 /** 467 * Finalise SHA256 calculation, return digest. 468 * 469 * @param ctx_ must be a `struct Sha256Ctx *` 470 * @param[out] digest set to the hash, must be #SHA256_DIGEST_SIZE bytes 471 */ 472 void 473 MHD_SHA256_finish (struct Sha256Ctx *ctx, 474 uint8_t digest[SHA256_DIGEST_SIZE]) 475 { 476 uint64_t num_bits; /**< Number of processed bits */ 477 unsigned bytes_have; /**< Number of bytes in buffer */ 478 479 num_bits = ctx->count << 3; 480 /* Note: (count & (SHA256_BLOCK_SIZE-1)) 481 equal (count % SHA256_BLOCK_SIZE) for this block size. */ 482 bytes_have = (unsigned) (ctx->count & (SHA256_BLOCK_SIZE - 1)); 483 484 /* Input data must be padded with a single bit "1", then with zeros and 485 the finally the length of data in bits must be added as the final bytes 486 of the last block. 487 See FIPS PUB 180-4 paragraph 5.1.1. */ 488 489 /* Data is always processed in form of bytes (not by individual bits), 490 therefore position of first padding bit in byte is always 491 predefined (0x80). */ 492 /* Buffer always have space at least for one byte (as full buffers are 493 processed immediately). */ 494 ((uint8_t *) ctx->buffer)[bytes_have++] = 0x80; 495 496 if (SHA256_BLOCK_SIZE - bytes_have < SHA256_SIZE_OF_LEN_ADD) 497 { /* No space in current block to put total length of message. 498 Pad current block with zeros and process it. */ 499 if (bytes_have < SHA256_BLOCK_SIZE) 500 memset (((uint8_t *) ctx->buffer) + bytes_have, 0, 501 SHA256_BLOCK_SIZE - bytes_have); 502 /* Process full block. */ 503 sha256_transform (ctx->H, ctx->buffer); 504 /* Start new block. */ 505 bytes_have = 0; 506 } 507 508 /* Pad the rest of the buffer with zeros. */ 509 memset (((uint8_t *) ctx->buffer) + bytes_have, 0, 510 SHA256_BLOCK_SIZE - SHA256_SIZE_OF_LEN_ADD - bytes_have); 511 /* Put the number of bits in processed message as big-endian value. */ 512 _MHD_PUT_64BIT_BE_SAFE (ctx->buffer + SHA256_BLOCK_SIZE_WORDS - 2, num_bits); 513 /* Process full final block. */ 514 sha256_transform (ctx->H, ctx->buffer); 515 516 /* Put final hash/digest in BE mode */ 517 #ifndef _MHD_PUT_32BIT_BE_UNALIGNED 518 if (1 519 #ifndef MHD_FAVOR_SMALL_CODE 520 && (0 != ((uintptr_t) digest) % _MHD_UINT32_ALIGN) 521 #endif /* MHD_FAVOR_SMALL_CODE */ 522 ) 523 { 524 /* If storing of the final result requires aligned address and 525 the destination address is not aligned or compact code is used, 526 store the final digest in aligned temporary buffer first, then 527 copy it to the destination. */ 528 uint32_t alig_dgst[SHA256_DIGEST_SIZE_WORDS]; 529 _MHD_PUT_32BIT_BE (alig_dgst + 0, ctx->H[0]); 530 _MHD_PUT_32BIT_BE (alig_dgst + 1, ctx->H[1]); 531 _MHD_PUT_32BIT_BE (alig_dgst + 2, ctx->H[2]); 532 _MHD_PUT_32BIT_BE (alig_dgst + 3, ctx->H[3]); 533 _MHD_PUT_32BIT_BE (alig_dgst + 4, ctx->H[4]); 534 _MHD_PUT_32BIT_BE (alig_dgst + 5, ctx->H[5]); 535 _MHD_PUT_32BIT_BE (alig_dgst + 6, ctx->H[6]); 536 _MHD_PUT_32BIT_BE (alig_dgst + 7, ctx->H[7]); 537 /* Copy result to unaligned destination address */ 538 memcpy (digest, alig_dgst, SHA256_DIGEST_SIZE); 539 } 540 #ifndef MHD_FAVOR_SMALL_CODE 541 else /* Combined with the next 'if' */ 542 #endif /* MHD_FAVOR_SMALL_CODE */ 543 #endif /* ! _MHD_PUT_32BIT_BE_UNALIGNED */ 544 #if ! defined(MHD_FAVOR_SMALL_CODE) || defined(_MHD_PUT_32BIT_BE_UNALIGNED) 545 if (1) 546 { 547 /* Use cast to (void*) here to mute compiler alignment warnings. 548 * Compilers are not smart enough to see that alignment has been checked. */ 549 _MHD_PUT_32BIT_BE ((void *) (digest + 0 * SHA256_BYTES_IN_WORD), ctx->H[0]); 550 _MHD_PUT_32BIT_BE ((void *) (digest + 1 * SHA256_BYTES_IN_WORD), ctx->H[1]); 551 _MHD_PUT_32BIT_BE ((void *) (digest + 2 * SHA256_BYTES_IN_WORD), ctx->H[2]); 552 _MHD_PUT_32BIT_BE ((void *) (digest + 3 * SHA256_BYTES_IN_WORD), ctx->H[3]); 553 _MHD_PUT_32BIT_BE ((void *) (digest + 4 * SHA256_BYTES_IN_WORD), ctx->H[4]); 554 _MHD_PUT_32BIT_BE ((void *) (digest + 5 * SHA256_BYTES_IN_WORD), ctx->H[5]); 555 _MHD_PUT_32BIT_BE ((void *) (digest + 6 * SHA256_BYTES_IN_WORD), ctx->H[6]); 556 _MHD_PUT_32BIT_BE ((void *) (digest + 7 * SHA256_BYTES_IN_WORD), ctx->H[7]); 557 } 558 #endif /* ! MHD_FAVOR_SMALL_CODE || _MHD_PUT_32BIT_BE_UNALIGNED */ 559 560 /* Erase potentially sensitive data. */ 561 memset (ctx, 0, sizeof(struct Sha256Ctx)); 562 } 563 564 565 MHD_DATA_TRUNCATION_RUNTIME_CHECK_RESTORE_