sha256_int.c (25632B)
1 /* SPDX-License-Identifier: LGPL-2.1-or-later OR (GPL-2.0-or-later WITH eCos-exception-2.0) */ 2 /* 3 This file is part of GNU libmicrohttpd. 4 Copyright (C) 2019-2024 Evgeny Grin (Karlson2k) 5 6 GNU libmicrohttpd is free software; you can redistribute it and/or 7 modify it under the terms of the GNU Lesser General Public 8 License as published by the Free Software Foundation; either 9 version 2.1 of the License, or (at your option) any later version. 10 11 GNU libmicrohttpd is distributed in the hope that it will be useful, 12 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 Lesser General Public License for more details. 15 16 Alternatively, you can redistribute GNU libmicrohttpd and/or 17 modify it under the terms of the GNU General Public License as 18 published by the Free Software Foundation; either version 2 of 19 the License, or (at your option) any later version, together 20 with the eCos exception, as follows: 21 22 As a special exception, if other files instantiate templates or 23 use macros or inline functions from this file, or you compile this 24 file and link it with other works to produce a work based on this 25 file, this file does not by itself cause the resulting work to be 26 covered by the GNU General Public License. However the source code 27 for this file must still be made available in accordance with 28 section (3) of the GNU General Public License v2. 29 30 This exception does not invalidate any other reasons why a work 31 based on this file might be covered by the GNU General Public 32 License. 33 34 You should have received copies of the GNU Lesser General Public 35 License and the GNU General Public License along with this library; 36 if not, see <https://www.gnu.org/licenses/>. 37 */ 38 39 /** 40 * @file src/mhd2/sha256.c 41 * @brief Calculation of SHA-256 digest as defined in FIPS PUB 180-4 (2015) 42 * @author Karlson2k (Evgeny Grin) 43 */ 44 45 #include "mhd_sys_options.h" 46 47 #include "sys_bool_type.h" 48 49 #include <string.h> 50 #include "mhd_bithelpers.h" 51 #include "mhd_align.h" 52 #include "mhd_assert.h" 53 54 #include "sha256_int.h" 55 56 MHD_INTERNAL void MHD_FN_PAR_NONNULL_ALL_ 57 mhd_SHA256_init (struct mhd_Sha256CtxInt *ctx) 58 { 59 /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.3 */ 60 /* First thirty-two bits of the fractional parts of the square 61 * roots of the first eight prime numbers: 2, 3, 5, 7, 11, 13, 62 * 17, 19." */ 63 ctx->H[0] = UINT32_C (0x6a09e667); 64 ctx->H[1] = UINT32_C (0xbb67ae85); 65 ctx->H[2] = UINT32_C (0x3c6ef372); 66 ctx->H[3] = UINT32_C (0xa54ff53a); 67 ctx->H[4] = UINT32_C (0x510e527f); 68 ctx->H[5] = UINT32_C (0x9b05688c); 69 ctx->H[6] = UINT32_C (0x1f83d9ab); 70 ctx->H[7] = UINT32_C (0x5be0cd19); 71 72 /* Initialise number of bytes. */ 73 ctx->count = 0; 74 } 75 76 77 mhd_DATA_TRUNCATION_RUNTIME_CHECK_DISABLE 78 79 static MHD_FN_PAR_NONNULL_ALL_ void 80 sha256_transform (uint32_t H[mhd_SHA256_DIGEST_SIZE_WORDS], 81 const void *restrict data) 82 { 83 /* Working variables, 84 see FIPS PUB 180-4 paragraph 6.2. */ 85 uint32_t a = H[0]; 86 uint32_t b = H[1]; 87 uint32_t c = H[2]; 88 uint32_t d = H[3]; 89 uint32_t e = H[4]; 90 uint32_t f = H[5]; 91 uint32_t g = H[6]; 92 uint32_t h = H[7]; 93 94 /* Data buffer, used as cyclic buffer. 95 See FIPS PUB 180-4 paragraphs 5.2.1, 6.2. */ 96 uint32_t W[16]; 97 98 #ifndef mhd_GET_32BIT_BE_UNALIGNED 99 if (0 != (((uintptr_t) data) % mhd_UINT32_ALIGN)) 100 { 101 /* Copy the unaligned input data to the aligned buffer */ 102 memcpy (W, data, mhd_SHA256_BLOCK_SIZE); 103 /* The W[] buffer itself will be used as the source of the data, 104 * but data will be reloaded in correct bytes order during 105 * the next steps */ 106 data = (const void *) W; 107 } 108 #endif /* mhd_GET_32BIT_BE_UNALIGNED */ 109 110 /* 'Ch' and 'Maj' macro functions are defined with 111 widely-used optimization. 112 See FIPS PUB 180-4 formulae 4.2, 4.3. */ 113 #define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) ) 114 #define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) 115 /* Unoptimized (original) versions: */ 116 /* #define Ch(x,y,z) ( ( (x) & (y) ) ^ ( ~(x) & (z) ) ) */ 117 /* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ 118 119 /* Four 'Sigma' macro functions. 120 See FIPS PUB 180-4 formulae 4.4, 4.5, 4.6, 4.7. */ 121 #define SIG0(x) (mhd_ROTR32 ((x), 2) ^ mhd_ROTR32 ((x), 13) ^ \ 122 mhd_ROTR32 ((x), 22) ) 123 #define SIG1(x) (mhd_ROTR32 ((x), 6) ^ mhd_ROTR32 ((x), 11) ^ \ 124 mhd_ROTR32 ((x), 25) ) 125 #define sig0(x) (mhd_ROTR32 ((x), 7) ^ mhd_ROTR32 ((x), 18) ^ \ 126 ((x) >> 3) ) 127 #define sig1(x) (mhd_ROTR32 ((x), 17) ^ mhd_ROTR32 ((x),19) ^ \ 128 ((x) >> 10) ) 129 130 /* One step of SHA-256 computation, 131 see FIPS PUB 180-4 paragraph 6.2.2 step 3. 132 * Note: this macro updates working variables in-place, without rotation. 133 * Note: first (vH += SIG1(vE) + Ch(vE,vF,vG) + kt + wt) equals T1 in FIPS PUB 180-4 paragraph 6.2.2 step 3. 134 second (vH += SIG0(vA) + Maj(vE,vF,vC) equals T1 + T2 in FIPS PUB 180-4 paragraph 6.2.2 step 3. 135 * Note: 'wt' must be used exactly one time in this macro as it change other data as well 136 every time when used. */ 137 #define SHA2STEP32(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \ 138 (vD) += ((vH) += SIG1 ((vE)) + Ch ((vE),(vF),(vG)) + (kt) + (wt)); \ 139 (vH) += SIG0 ((vA)) + Maj ((vA),(vB),(vC)); } while (0) 140 141 /* Get value of W(t) from input data buffer, 142 See FIPS PUB 180-4 paragraph 6.2. 143 Input data must be read in big-endian bytes order, 144 see FIPS PUB 180-4 paragraph 3.1.2. */ 145 /* Use cast to (const void*) to mute compiler alignment warning, 146 * data was already aligned in previous step */ 147 #define GET_W_FROM_DATA(buf,t) \ 148 mhd_GET_32BIT_BE ((const void*) (((const uint8_t*) (buf)) + \ 149 (t) * mhd_SHA256_BYTES_IN_WORD)) 150 151 /* 'W' generation and assignment for 16 <= t <= 63. 152 See FIPS PUB 180-4 paragraph 6.2.2. 153 As only last 16 'W' are used in calculations, it is possible to 154 use 16 elements array of W as cyclic buffer. 155 * Note: ((t-16)&0xf) have same value as (t&0xf) */ 156 #define Wgen(w,t) ( (w)[(t - 16) & 0xf] + sig1 ((w)[((t) - 2) & 0xf]) \ 157 + (w)[((t) - 7) & 0xf] + sig0 ((w)[((t) - 15) & 0xf]) ) 158 159 #ifndef MHD_FAVOR_SMALL_CODE 160 161 /* Note: instead of using K constants as array, all K values are specified 162 individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for 163 K values. */ 164 /* Note: instead of reassigning all working variables on each step, 165 variables are rotated for each step: 166 SHA2STEP32(a, b, c, d, e, f, g, h, K[0], data[0]); 167 SHA2STEP32(h, a, b, c, d, e, f, g, K[1], data[1]); 168 so current 'vD' will be used as 'vE' on next step, 169 current 'vH' will be used as 'vA' on next step. */ 170 #if mhd_BYTE_ORDER == mhd_BIG_ENDIAN 171 if ((const void *) W == data) 172 { 173 /* The input data is already in the cyclic data buffer W[] in correct bytes 174 order. */ 175 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x428a2f98), W[0]); 176 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x71374491), W[1]); 177 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xb5c0fbcf), W[2]); 178 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xe9b5dba5), W[3]); 179 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x3956c25b), W[4]); 180 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x59f111f1), W[5]); 181 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x923f82a4), W[6]); 182 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xab1c5ed5), W[7]); 183 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xd807aa98), W[8]); 184 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x12835b01), W[9]); 185 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x243185be), W[10]); 186 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x550c7dc3), W[11]); 187 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x72be5d74), W[12]); 188 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x80deb1fe), W[13]); 189 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x9bdc06a7), W[14]); 190 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xc19bf174), W[15]); 191 } 192 else /* Combined with the next 'if' */ 193 #endif /* mhd_BYTE_ORDER == mhd_BIG_ENDIAN */ 194 if (1) 195 { 196 /* During first 16 steps, before making any calculations on each step, 197 the W element is read from input data buffer as big-endian value and 198 stored in array of W elements. */ 199 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x428a2f98), W[0] = \ 200 GET_W_FROM_DATA (data, 0)); 201 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x71374491), W[1] = \ 202 GET_W_FROM_DATA (data, 1)); 203 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xb5c0fbcf), W[2] = \ 204 GET_W_FROM_DATA (data, 2)); 205 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xe9b5dba5), W[3] = \ 206 GET_W_FROM_DATA (data, 3)); 207 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x3956c25b), W[4] = \ 208 GET_W_FROM_DATA (data, 4)); 209 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x59f111f1), W[5] = \ 210 GET_W_FROM_DATA (data, 5)); 211 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x923f82a4), W[6] = \ 212 GET_W_FROM_DATA (data, 6)); 213 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xab1c5ed5), W[7] = \ 214 GET_W_FROM_DATA (data, 7)); 215 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xd807aa98), W[8] = \ 216 GET_W_FROM_DATA (data, 8)); 217 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x12835b01), W[9] = \ 218 GET_W_FROM_DATA (data, 9)); 219 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x243185be), W[10] = \ 220 GET_W_FROM_DATA (data, 10)); 221 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x550c7dc3), W[11] = \ 222 GET_W_FROM_DATA (data, 11)); 223 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x72be5d74), W[12] = \ 224 GET_W_FROM_DATA (data, 12)); 225 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x80deb1fe), W[13] = \ 226 GET_W_FROM_DATA (data, 13)); 227 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x9bdc06a7), W[14] = \ 228 GET_W_FROM_DATA (data, 14)); 229 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xc19bf174), W[15] = \ 230 GET_W_FROM_DATA (data, 15)); 231 } 232 233 /* During last 48 steps, before making any calculations on each step, 234 current W element is generated from other W elements of the cyclic buffer 235 and the generated value is stored back in the cyclic buffer. */ 236 /* Note: instead of using K constants as array, all K values are specified 237 individually for each step, see FIPS PUB 180-4 paragraph 4.2.2 for K values. */ 238 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xe49b69c1), W[16 & 0xf] = \ 239 Wgen (W,16)); 240 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0xefbe4786), W[17 & 0xf] = \ 241 Wgen (W,17)); 242 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x0fc19dc6), W[18 & 0xf] = \ 243 Wgen (W,18)); 244 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x240ca1cc), W[19 & 0xf] = \ 245 Wgen (W,19)); 246 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x2de92c6f), W[20 & 0xf] = \ 247 Wgen (W,20)); 248 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x4a7484aa), W[21 & 0xf] = \ 249 Wgen (W,21)); 250 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x5cb0a9dc), W[22 & 0xf] = \ 251 Wgen (W,22)); 252 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x76f988da), W[23 & 0xf] = \ 253 Wgen (W,23)); 254 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x983e5152), W[24 & 0xf] = \ 255 Wgen (W,24)); 256 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0xa831c66d), W[25 & 0xf] = \ 257 Wgen (W,25)); 258 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xb00327c8), W[26 & 0xf] = \ 259 Wgen (W,26)); 260 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xbf597fc7), W[27 & 0xf] = \ 261 Wgen (W,27)); 262 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0xc6e00bf3), W[28 & 0xf] = \ 263 Wgen (W,28)); 264 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0xd5a79147), W[29 & 0xf] = \ 265 Wgen (W,29)); 266 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x06ca6351), W[30 & 0xf] = \ 267 Wgen (W,30)); 268 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x14292967), W[31 & 0xf] = \ 269 Wgen (W,31)); 270 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x27b70a85), W[32 & 0xf] = \ 271 Wgen (W,32)); 272 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x2e1b2138), W[33 & 0xf] = \ 273 Wgen (W,33)); 274 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x4d2c6dfc), W[34 & 0xf] = \ 275 Wgen (W,34)); 276 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x53380d13), W[35 & 0xf] = \ 277 Wgen (W,35)); 278 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x650a7354), W[36 & 0xf] = \ 279 Wgen (W,36)); 280 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x766a0abb), W[37 & 0xf] = \ 281 Wgen (W,37)); 282 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x81c2c92e), W[38 & 0xf] = \ 283 Wgen (W,38)); 284 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x92722c85), W[39 & 0xf] = \ 285 Wgen (W,39)); 286 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0xa2bfe8a1), W[40 & 0xf] = \ 287 Wgen (W,40)); 288 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0xa81a664b), W[41 & 0xf] = \ 289 Wgen (W,41)); 290 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0xc24b8b70), W[42 & 0xf] = \ 291 Wgen (W,42)); 292 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0xc76c51a3), W[43 & 0xf] = \ 293 Wgen (W,43)); 294 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0xd192e819), W[44 & 0xf] = \ 295 Wgen (W,44)); 296 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0xd6990624), W[45 & 0xf] = \ 297 Wgen (W,45)); 298 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0xf40e3585), W[46 & 0xf] = \ 299 Wgen (W,46)); 300 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x106aa070), W[47 & 0xf] = \ 301 Wgen (W,47)); 302 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x19a4c116), W[48 & 0xf] = \ 303 Wgen (W,48)); 304 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x1e376c08), W[49 & 0xf] = \ 305 Wgen (W,49)); 306 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x2748774c), W[50 & 0xf] = \ 307 Wgen (W,50)); 308 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x34b0bcb5), W[51 & 0xf] = \ 309 Wgen (W,51)); 310 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x391c0cb3), W[52 & 0xf] = \ 311 Wgen (W,52)); 312 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0x4ed8aa4a), W[53 & 0xf] = \ 313 Wgen (W,53)); 314 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0x5b9cca4f), W[54 & 0xf] = \ 315 Wgen (W,54)); 316 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0x682e6ff3), W[55 & 0xf] = \ 317 Wgen (W,55)); 318 SHA2STEP32 (a, b, c, d, e, f, g, h, UINT32_C (0x748f82ee), W[56 & 0xf] = \ 319 Wgen (W,56)); 320 SHA2STEP32 (h, a, b, c, d, e, f, g, UINT32_C (0x78a5636f), W[57 & 0xf] = \ 321 Wgen (W,57)); 322 SHA2STEP32 (g, h, a, b, c, d, e, f, UINT32_C (0x84c87814), W[58 & 0xf] = \ 323 Wgen (W,58)); 324 SHA2STEP32 (f, g, h, a, b, c, d, e, UINT32_C (0x8cc70208), W[59 & 0xf] = \ 325 Wgen (W,59)); 326 SHA2STEP32 (e, f, g, h, a, b, c, d, UINT32_C (0x90befffa), W[60 & 0xf] = \ 327 Wgen (W,60)); 328 SHA2STEP32 (d, e, f, g, h, a, b, c, UINT32_C (0xa4506ceb), W[61 & 0xf] = \ 329 Wgen (W,61)); 330 SHA2STEP32 (c, d, e, f, g, h, a, b, UINT32_C (0xbef9a3f7), W[62 & 0xf] = \ 331 Wgen (W,62)); 332 SHA2STEP32 (b, c, d, e, f, g, h, a, UINT32_C (0xc67178f2), W[63 & 0xf] = \ 333 Wgen (W,63)); 334 #else /* ! MHD_FAVOR_SMALL_CODE */ 335 if (1) 336 { 337 unsigned int t; 338 /* K constants array. 339 See FIPS PUB 180-4 paragraph 4.2.2 for K values. */ 340 static const uint32_t K[80] = 341 { UINT32_C (0x428a2f98), UINT32_C (0x71374491), UINT32_C (0xb5c0fbcf), 342 UINT32_C (0xe9b5dba5), UINT32_C (0x3956c25b), UINT32_C (0x59f111f1), 343 UINT32_C (0x923f82a4), UINT32_C (0xab1c5ed5), UINT32_C (0xd807aa98), 344 UINT32_C (0x12835b01), UINT32_C (0x243185be), UINT32_C (0x550c7dc3), 345 UINT32_C (0x72be5d74), UINT32_C (0x80deb1fe), UINT32_C (0x9bdc06a7), 346 UINT32_C (0xc19bf174), UINT32_C (0xe49b69c1), UINT32_C (0xefbe4786), 347 UINT32_C (0x0fc19dc6), UINT32_C (0x240ca1cc), UINT32_C (0x2de92c6f), 348 UINT32_C (0x4a7484aa), UINT32_C (0x5cb0a9dc), UINT32_C (0x76f988da), 349 UINT32_C (0x983e5152), UINT32_C (0xa831c66d), UINT32_C (0xb00327c8), 350 UINT32_C (0xbf597fc7), UINT32_C (0xc6e00bf3), UINT32_C (0xd5a79147), 351 UINT32_C (0x06ca6351), UINT32_C (0x14292967), UINT32_C (0x27b70a85), 352 UINT32_C (0x2e1b2138), UINT32_C (0x4d2c6dfc), UINT32_C (0x53380d13), 353 UINT32_C (0x650a7354), UINT32_C (0x766a0abb), UINT32_C (0x81c2c92e), 354 UINT32_C (0x92722c85), UINT32_C (0xa2bfe8a1), UINT32_C (0xa81a664b), 355 UINT32_C (0xc24b8b70), UINT32_C (0xc76c51a3), UINT32_C (0xd192e819), 356 UINT32_C (0xd6990624), UINT32_C (0xf40e3585), UINT32_C (0x106aa070), 357 UINT32_C (0x19a4c116), UINT32_C (0x1e376c08), UINT32_C (0x2748774c), 358 UINT32_C (0x34b0bcb5), UINT32_C (0x391c0cb3), UINT32_C (0x4ed8aa4a), 359 UINT32_C (0x5b9cca4f), UINT32_C (0x682e6ff3), UINT32_C (0x748f82ee), 360 UINT32_C (0x78a5636f), UINT32_C (0x84c87814), UINT32_C (0x8cc70208), 361 UINT32_C (0x90befffa), UINT32_C (0xa4506ceb), UINT32_C (0xbef9a3f7), 362 UINT32_C (0xc67178f2) }; 363 /* One step of SHA-256 computation with working variables rotation, 364 see FIPS PUB 180-4 paragraph 6.2.2 step 3. 365 * Note: this version of macro reassign all working variable on 366 each step. */ 367 #define SHA2STEP32RV(vA,vB,vC,vD,vE,vF,vG,vH,kt,wt) do { \ 368 uint32_t tmp_h_ = (vH); \ 369 SHA2STEP32 ((vA),(vB),(vC),(vD),(vE),(vF),(vG),tmp_h_,(kt),(wt)); \ 370 (vH) = (vG); \ 371 (vG) = (vF); \ 372 (vF) = (vE); \ 373 (vE) = (vD); \ 374 (vD) = (vC); \ 375 (vC) = (vB); \ 376 (vB) = (vA); \ 377 (vA) = tmp_h_; \ 378 } \ 379 while (0) 380 381 /* During first 16 steps, before making any calculations on each step, 382 the W element is read from input data buffer as big-endian value and 383 stored in array of W elements. */ 384 for (t = 0; t < 16; ++t) 385 { 386 SHA2STEP32RV (a, b, c, d, e, f, g, h, K[t], \ 387 W[t] = GET_W_FROM_DATA (data, t)); 388 } 389 390 /* During last 48 steps, before making any calculations on each step, 391 current W element is generated from other W elements of the cyclic buffer 392 and the generated value is stored back in the cyclic buffer. */ 393 for (t = 16; t < 64; ++t) 394 { 395 SHA2STEP32RV (a, b, c, d, e, f, g, h, K[t], W[t & 15] = Wgen (W,t)); 396 } 397 } 398 #endif /* ! MHD_FAVOR_SMALL_CODE */ 399 400 /* Compute intermediate hash. 401 See FIPS PUB 180-4 paragraph 6.2.2 step 4. */ 402 H[0] += a; 403 H[1] += b; 404 H[2] += c; 405 H[3] += d; 406 H[4] += e; 407 H[5] += f; 408 H[6] += g; 409 H[7] += h; 410 } 411 412 413 MHD_INTERNAL MHD_FN_PAR_NONNULL_ALL_ 414 MHD_FN_PAR_IN_SIZE_ (3, 2) void 415 mhd_SHA256_update (struct mhd_Sha256CtxInt *restrict ctx, 416 size_t size, 417 const uint8_t *restrict data) 418 { 419 unsigned bytes_have; /**< Number of bytes in buffer */ 420 421 mhd_assert (0 != size); 422 423 /* Note: (count & (mhd_SHA256_BLOCK_SIZE-1)) 424 equals (count % mhd_SHA256_BLOCK_SIZE) for this block size. */ 425 bytes_have = (unsigned) (ctx->count & (mhd_SHA256_BLOCK_SIZE - 1)); 426 ctx->count += size; 427 428 if (0 != bytes_have) 429 { 430 unsigned bytes_left = mhd_SHA256_BLOCK_SIZE - bytes_have; 431 if (size >= bytes_left) 432 { /* Combine new data with data in the buffer and 433 process full block. */ 434 memcpy (((uint8_t *) ctx->buffer) + bytes_have, 435 data, 436 bytes_left); 437 data += bytes_left; 438 size -= bytes_left; 439 sha256_transform (ctx->H, ctx->buffer); 440 bytes_have = 0; 441 } 442 } 443 444 while (mhd_SHA256_BLOCK_SIZE <= size) 445 { /* Process any full blocks of new data directly, 446 without copying to the buffer. */ 447 sha256_transform (ctx->H, data); 448 data += mhd_SHA256_BLOCK_SIZE; 449 size -= mhd_SHA256_BLOCK_SIZE; 450 } 451 452 if (0 != size) 453 { /* Copy incomplete block of new data (if any) 454 to the buffer. */ 455 memcpy (((uint8_t *) ctx->buffer) + bytes_have, data, size); 456 } 457 } 458 459 460 /** 461 * Size of "length" padding addition in bytes. 462 * See FIPS PUB 180-4 paragraph 5.1.1. 463 */ 464 #define SHA256_SIZE_OF_LEN_ADD (64 / 8) 465 466 MHD_INTERNAL MHD_FN_PAR_NONNULL_ALL_ void 467 mhd_SHA256_finish (struct mhd_Sha256CtxInt *restrict ctx, 468 uint8_t digest[mhd_SHA256_DIGEST_SIZE]) 469 { 470 uint64_t num_bits; /**< Number of processed bits */ 471 unsigned bytes_have; /**< Number of bytes in buffer */ 472 473 num_bits = ctx->count << 3; 474 /* Note: (count & (mhd_SHA256_BLOCK_SIZE-1)) 475 equal (count % mhd_SHA256_BLOCK_SIZE) for this block size. */ 476 bytes_have = (unsigned) (ctx->count & (mhd_SHA256_BLOCK_SIZE - 1)); 477 478 /* Input data must be padded with a single bit "1", then with zeros and 479 the finally the length of data in bits must be added as the final bytes 480 of the last block. 481 See FIPS PUB 180-4 paragraph 5.1.1. */ 482 483 /* Data is always processed in form of bytes (not by individual bits), 484 therefore position of first padding bit in byte is always 485 predefined (0x80). */ 486 /* Buffer always have space at least for one byte (as full buffers are 487 processed immediately). */ 488 ((uint8_t *) ctx->buffer)[bytes_have++] = 0x80; 489 490 if (mhd_SHA256_BLOCK_SIZE - bytes_have < SHA256_SIZE_OF_LEN_ADD) 491 { /* No space in current block to put total length of message. 492 Pad current block with zeros and process it. */ 493 if (bytes_have < mhd_SHA256_BLOCK_SIZE) 494 memset (((uint8_t *) ctx->buffer) + bytes_have, 0, 495 mhd_SHA256_BLOCK_SIZE - bytes_have); 496 /* Process full block. */ 497 sha256_transform (ctx->H, ctx->buffer); 498 /* Start new block. */ 499 bytes_have = 0; 500 } 501 502 /* Pad the rest of the buffer with zeros. */ 503 memset (((uint8_t *) ctx->buffer) + bytes_have, 0, 504 mhd_SHA256_BLOCK_SIZE - SHA256_SIZE_OF_LEN_ADD - bytes_have); 505 /* Put the number of bits in processed message as big-endian value. */ 506 mhd_PUT_64BIT_BE_UNALIGN (ctx->buffer + mhd_SHA256_BLOCK_SIZE_WORDS - 2, 507 num_bits); 508 /* Process full final block. */ 509 sha256_transform (ctx->H, ctx->buffer); 510 511 /* Put final hash/digest in BE mode */ 512 if (1) 513 { 514 bool use_tmp_buf_to_align_result; 515 516 #if defined(mhd_PUT_32BIT_BE_UNALIGNED) 517 use_tmp_buf_to_align_result = false; 518 #elif defined (MHD_FAVOR_SMALL_CODE) 519 use_tmp_buf_to_align_result = true; /* smaller code: eliminated branch below */ 520 #else 521 use_tmp_buf_to_align_result = 522 (0 != ((uintptr_t) digest) % mhd_UINT32_ALIGN); 523 #endif 524 if (use_tmp_buf_to_align_result) 525 { 526 /* If storing of the final result requires aligned address and 527 the destination address is not aligned or compact code is used, 528 store the final digest in aligned temporary buffer first, then 529 copy it to the destination. */ 530 uint32_t alig_dgst[mhd_SHA256_DIGEST_SIZE_WORDS]; 531 mhd_PUT_32BIT_BE (alig_dgst + 0, ctx->H[0]); 532 mhd_PUT_32BIT_BE (alig_dgst + 1, ctx->H[1]); 533 mhd_PUT_32BIT_BE (alig_dgst + 2, ctx->H[2]); 534 mhd_PUT_32BIT_BE (alig_dgst + 3, ctx->H[3]); 535 mhd_PUT_32BIT_BE (alig_dgst + 4, ctx->H[4]); 536 mhd_PUT_32BIT_BE (alig_dgst + 5, ctx->H[5]); 537 mhd_PUT_32BIT_BE (alig_dgst + 6, ctx->H[6]); 538 mhd_PUT_32BIT_BE (alig_dgst + 7, ctx->H[7]); 539 /* Copy result to unaligned destination address */ 540 memcpy (digest, alig_dgst, mhd_SHA256_DIGEST_SIZE); 541 } 542 else 543 { 544 /* Use cast to (void*) here to mute compiler alignment warnings. 545 * Compilers are not smart enough to see that alignment has been checked. */ 546 mhd_PUT_32BIT_BE ((void *) (digest + 0 * mhd_SHA256_BYTES_IN_WORD), \ 547 ctx->H[0]); 548 mhd_PUT_32BIT_BE ((void *) (digest + 1 * mhd_SHA256_BYTES_IN_WORD), \ 549 ctx->H[1]); 550 mhd_PUT_32BIT_BE ((void *) (digest + 2 * mhd_SHA256_BYTES_IN_WORD), \ 551 ctx->H[2]); 552 mhd_PUT_32BIT_BE ((void *) (digest + 3 * mhd_SHA256_BYTES_IN_WORD), \ 553 ctx->H[3]); 554 mhd_PUT_32BIT_BE ((void *) (digest + 4 * mhd_SHA256_BYTES_IN_WORD), \ 555 ctx->H[4]); 556 mhd_PUT_32BIT_BE ((void *) (digest + 5 * mhd_SHA256_BYTES_IN_WORD), \ 557 ctx->H[5]); 558 mhd_PUT_32BIT_BE ((void *) (digest + 6 * mhd_SHA256_BYTES_IN_WORD), \ 559 ctx->H[6]); 560 mhd_PUT_32BIT_BE ((void *) (digest + 7 * mhd_SHA256_BYTES_IN_WORD), \ 561 ctx->H[7]); 562 } 563 } 564 565 /* Erase potentially sensitive data. */ 566 memset (ctx, 0, sizeof(struct mhd_Sha256CtxInt)); 567 } 568 569 570 mhd_DATA_TRUNCATION_RUNTIME_CHECK_RESTORE