diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/microhttpd/sha256.c | 401 | ||||
-rw-r--r-- | src/microhttpd/sha256.h | 74 |
2 files changed, 475 insertions, 0 deletions
diff --git a/src/microhttpd/sha256.c b/src/microhttpd/sha256.c new file mode 100644 index 00000000..12675a73 --- /dev/null +++ b/src/microhttpd/sha256.c | |||
@@ -0,0 +1,401 @@ | |||
1 | /* sha256.c | ||
2 | |||
3 | The sha256 hash function. | ||
4 | See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf | ||
5 | |||
6 | Copyright (C) 2001 Niels Möller | ||
7 | Copyright (C) 2018 Christian Grothoff (extraction of minimal subset | ||
8 | from GNU Nettle to work with GNU libmicrohttpd) | ||
9 | |||
10 | This file is part of GNU Nettle. | ||
11 | |||
12 | GNU Nettle is free software: you can redistribute it and/or | ||
13 | modify it under the terms of either: | ||
14 | |||
15 | * the GNU Lesser General Public License as published by the Free | ||
16 | Software Foundation; either version 3 of the License, or (at your | ||
17 | option) any later version. | ||
18 | |||
19 | or | ||
20 | |||
21 | * the GNU General Public License as published by the Free | ||
22 | Software Foundation; either version 2 of the License, or (at your | ||
23 | option) any later version. | ||
24 | |||
25 | or both in parallel, as here. | ||
26 | |||
27 | GNU Nettle is distributed in the hope that it will be useful, | ||
28 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
29 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
30 | General Public License for more details. | ||
31 | |||
32 | You should have received copies of the GNU General Public License and | ||
33 | the GNU Lesser General Public License along with this program. If | ||
34 | not, see http://www.gnu.org/licenses/. | ||
35 | */ | ||
36 | |||
37 | /* Modelled after the sha1.c code by Peter Gutmann. */ | ||
38 | |||
39 | #include <assert.h> | ||
40 | #include <stdlib.h> | ||
41 | #include <string.h> | ||
42 | #include <stdint.h> | ||
43 | |||
44 | #include "sha256.h" | ||
45 | |||
46 | |||
47 | /* Generated by the shadata program. */ | ||
48 | static const uint32_t | ||
49 | K[64] = | ||
50 | { | ||
51 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, | ||
52 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, | ||
53 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, | ||
54 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, | ||
55 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, | ||
56 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, | ||
57 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, | ||
58 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, | ||
59 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, | ||
60 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, | ||
61 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, | ||
62 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, | ||
63 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, | ||
64 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, | ||
65 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, | ||
66 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, | ||
67 | }; | ||
68 | |||
69 | |||
70 | /* A block, treated as a sequence of 32-bit words. */ | ||
71 | #define SHA256_DATA_LENGTH 16 | ||
72 | |||
73 | /* The SHA256 functions. The Choice function is the same as the SHA1 | ||
74 | function f1, and the majority function is the same as the SHA1 f3 | ||
75 | function. They can be optimized to save one boolean operation each | ||
76 | - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering | ||
77 | this */ | ||
78 | |||
79 | /* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */ | ||
80 | #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) ) | ||
81 | /* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ | ||
82 | #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) | ||
83 | |||
84 | #define S0(x) (ROTL32(30,(x)) ^ ROTL32(19,(x)) ^ ROTL32(10,(x))) | ||
85 | #define S1(x) (ROTL32(26,(x)) ^ ROTL32(21,(x)) ^ ROTL32(7,(x))) | ||
86 | |||
87 | #define s0(x) (ROTL32(25,(x)) ^ ROTL32(14,(x)) ^ ((x) >> 3)) | ||
88 | #define s1(x) (ROTL32(15,(x)) ^ ROTL32(13,(x)) ^ ((x) >> 10)) | ||
89 | |||
90 | /* The initial expanding function. The hash function is defined over an | ||
91 | 64-word expanded input array W, where the first 16 are copies of the input | ||
92 | data, and the remaining 64 are defined by | ||
93 | |||
94 | W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16] | ||
95 | |||
96 | This implementation generates these values on the fly in a circular | ||
97 | buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this | ||
98 | optimization. | ||
99 | */ | ||
100 | |||
101 | #define EXPAND(W,i) \ | ||
102 | ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) ) | ||
103 | |||
104 | /* The prototype SHA sub-round. The fundamental sub-round is: | ||
105 | |||
106 | T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t] | ||
107 | T2 = S0(a) + Majority(a,b,c) | ||
108 | a' = T1+T2 | ||
109 | b' = a | ||
110 | c' = b | ||
111 | d' = c | ||
112 | e' = d + T1 | ||
113 | f' = e | ||
114 | g' = f | ||
115 | h' = g | ||
116 | |||
117 | but this is implemented by unrolling the loop 8 times and renaming | ||
118 | the variables | ||
119 | ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each | ||
120 | iteration. */ | ||
121 | |||
122 | /* It's crucial that DATA is only used once, as that argument will | ||
123 | * have side effects. */ | ||
124 | #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \ | ||
125 | h += S1(e) + Choice(e,f,g) + k + data; \ | ||
126 | d += h; \ | ||
127 | h += S0(a) + Majority(a,b,c); \ | ||
128 | } while (0) | ||
129 | |||
130 | |||
131 | /* Reads a 32-bit integer, in network, big-endian, byte order */ | ||
132 | #define READ_UINT32(p) \ | ||
133 | ( (((uint32_t) (p)[0]) << 24) \ | ||
134 | | (((uint32_t) (p)[1]) << 16) \ | ||
135 | | (((uint32_t) (p)[2]) << 8) \ | ||
136 | | ((uint32_t) (p)[3])) | ||
137 | |||
138 | #define WRITE_UINT32(p, i) \ | ||
139 | do { \ | ||
140 | (p)[0] = ((i) >> 24) & 0xff; \ | ||
141 | (p)[1] = ((i) >> 16) & 0xff; \ | ||
142 | (p)[2] = ((i) >> 8) & 0xff; \ | ||
143 | (p)[3] = (i) & 0xff; \ | ||
144 | } while(0) | ||
145 | |||
146 | #define WRITE_UINT64(p, i) \ | ||
147 | do { \ | ||
148 | (p)[0] = ((i) >> 56) & 0xff; \ | ||
149 | (p)[1] = ((i) >> 48) & 0xff; \ | ||
150 | (p)[2] = ((i) >> 40) & 0xff; \ | ||
151 | (p)[3] = ((i) >> 32) & 0xff; \ | ||
152 | (p)[4] = ((i) >> 24) & 0xff; \ | ||
153 | (p)[5] = ((i) >> 16) & 0xff; \ | ||
154 | (p)[6] = ((i) >> 8) & 0xff; \ | ||
155 | (p)[7] = (i) & 0xff; \ | ||
156 | } while(0) | ||
157 | |||
158 | /* The masking of the right shift is needed to allow n == 0 (using | ||
159 | just 32 - n and 64 - n results in undefined behaviour). Most uses | ||
160 | of these macros use a constant and non-zero rotation count. */ | ||
161 | #define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31)))) | ||
162 | |||
163 | static void | ||
164 | _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) | ||
165 | { | ||
166 | uint32_t data[SHA256_DATA_LENGTH]; | ||
167 | uint32_t A, B, C, D, E, F, G, H; /* Local vars */ | ||
168 | unsigned i; | ||
169 | uint32_t *d; | ||
170 | |||
171 | for (i = 0; i < SHA256_DATA_LENGTH; i++, input+= 4) | ||
172 | { | ||
173 | data[i] = READ_UINT32(input); | ||
174 | } | ||
175 | |||
176 | /* Set up first buffer and local data buffer */ | ||
177 | A = state[0]; | ||
178 | B = state[1]; | ||
179 | C = state[2]; | ||
180 | D = state[3]; | ||
181 | E = state[4]; | ||
182 | F = state[5]; | ||
183 | G = state[6]; | ||
184 | H = state[7]; | ||
185 | |||
186 | /* Heavy mangling */ | ||
187 | /* First 16 subrounds that act on the original data */ | ||
188 | |||
189 | for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8) | ||
190 | { | ||
191 | ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); | ||
192 | ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); | ||
193 | ROUND(G, H, A, B, C, D, E, F, k[2], d[2]); | ||
194 | ROUND(F, G, H, A, B, C, D, E, k[3], d[3]); | ||
195 | ROUND(E, F, G, H, A, B, C, D, k[4], d[4]); | ||
196 | ROUND(D, E, F, G, H, A, B, C, k[5], d[5]); | ||
197 | ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); | ||
198 | ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); | ||
199 | } | ||
200 | |||
201 | for (; i<64; i += 16, k+= 16) | ||
202 | { | ||
203 | ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); | ||
204 | ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); | ||
205 | ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); | ||
206 | ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); | ||
207 | ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); | ||
208 | ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); | ||
209 | ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); | ||
210 | ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); | ||
211 | ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); | ||
212 | ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); | ||
213 | ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); | ||
214 | ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); | ||
215 | ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); | ||
216 | ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); | ||
217 | ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); | ||
218 | ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); | ||
219 | } | ||
220 | |||
221 | /* Update state */ | ||
222 | state[0] += A; | ||
223 | state[1] += B; | ||
224 | state[2] += C; | ||
225 | state[3] += D; | ||
226 | state[4] += E; | ||
227 | state[5] += F; | ||
228 | state[6] += G; | ||
229 | state[7] += H; | ||
230 | } | ||
231 | |||
232 | |||
233 | #define COMPRESS(ctx, data) (_nettle_sha256_compress((ctx)->state, (data), K)) | ||
234 | |||
235 | /* Initialize the SHA values */ | ||
236 | |||
237 | void | ||
238 | sha256_init(struct sha256_ctx *ctx) | ||
239 | { | ||
240 | /* Initial values, also generated by the shadata program. */ | ||
241 | static const uint32_t H0[_SHA256_DIGEST_LENGTH] = | ||
242 | { | ||
243 | 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, | ||
244 | 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, | ||
245 | }; | ||
246 | |||
247 | memcpy(ctx->state, H0, sizeof(H0)); | ||
248 | |||
249 | /* Initialize bit count */ | ||
250 | ctx->count = 0; | ||
251 | |||
252 | /* Initialize buffer */ | ||
253 | ctx->index = 0; | ||
254 | } | ||
255 | |||
256 | |||
257 | /* Takes the compression function f as argument. NOTE: also clobbers | ||
258 | length and data. */ | ||
259 | #define MD_UPDATE(ctx, length, data, f, incr) \ | ||
260 | do { \ | ||
261 | if ((ctx)->index) \ | ||
262 | { \ | ||
263 | /* Try to fill partial block */ \ | ||
264 | unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \ | ||
265 | if ((length) < __md_left) \ | ||
266 | { \ | ||
267 | memcpy((ctx)->block + (ctx)->index, (data), (length)); \ | ||
268 | (ctx)->index += (length); \ | ||
269 | goto __md_done; /* Finished */ \ | ||
270 | } \ | ||
271 | else \ | ||
272 | { \ | ||
273 | memcpy((ctx)->block + (ctx)->index, (data), __md_left); \ | ||
274 | \ | ||
275 | f((ctx), (ctx)->block); \ | ||
276 | (incr); \ | ||
277 | \ | ||
278 | (data) += __md_left; \ | ||
279 | (length) -= __md_left; \ | ||
280 | } \ | ||
281 | } \ | ||
282 | while ((length) >= sizeof((ctx)->block)) \ | ||
283 | { \ | ||
284 | f((ctx), (data)); \ | ||
285 | (incr); \ | ||
286 | \ | ||
287 | (data) += sizeof((ctx)->block); \ | ||
288 | (length) -= sizeof((ctx)->block); \ | ||
289 | } \ | ||
290 | memcpy ((ctx)->block, (data), (length)); \ | ||
291 | (ctx)->index = (length); \ | ||
292 | __md_done: \ | ||
293 | ; \ | ||
294 | } while (0) | ||
295 | |||
296 | /* Pads the block to a block boundary with the bit pattern 1 0*, | ||
297 | leaving size octets for the length field at the end. If needed, | ||
298 | compresses the block and starts a new one. */ | ||
299 | #define MD_PAD(ctx, size, f) \ | ||
300 | do { \ | ||
301 | unsigned __md_i; \ | ||
302 | __md_i = (ctx)->index; \ | ||
303 | \ | ||
304 | /* Set the first char of padding to 0x80. This is safe since there \ | ||
305 | is always at least one byte free */ \ | ||
306 | \ | ||
307 | assert(__md_i < sizeof((ctx)->block)); \ | ||
308 | (ctx)->block[__md_i++] = 0x80; \ | ||
309 | \ | ||
310 | if (__md_i > (sizeof((ctx)->block) - (size))) \ | ||
311 | { /* No room for length in this block. Process it and \ | ||
312 | pad with another one */ \ | ||
313 | memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \ | ||
314 | \ | ||
315 | f((ctx), (ctx)->block); \ | ||
316 | __md_i = 0; \ | ||
317 | } \ | ||
318 | memset((ctx)->block + __md_i, 0, \ | ||
319 | sizeof((ctx)->block) - (size) - __md_i); \ | ||
320 | \ | ||
321 | } while (0) | ||
322 | |||
323 | |||
324 | void | ||
325 | sha256_update(struct sha256_ctx *ctx, | ||
326 | size_t length, const uint8_t *data) | ||
327 | { | ||
328 | MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++); | ||
329 | } | ||
330 | |||
331 | |||
332 | |||
333 | void | ||
334 | _nettle_write_be32(size_t length, uint8_t *dst, | ||
335 | const uint32_t *src) | ||
336 | { | ||
337 | size_t i; | ||
338 | size_t words; | ||
339 | unsigned leftover; | ||
340 | |||
341 | words = length / 4; | ||
342 | leftover = length % 4; | ||
343 | |||
344 | for (i = 0; i < words; i++, dst += 4) | ||
345 | WRITE_UINT32(dst, src[i]); | ||
346 | |||
347 | if (leftover) | ||
348 | { | ||
349 | uint32_t word; | ||
350 | unsigned j = leftover; | ||
351 | |||
352 | word = src[i]; | ||
353 | |||
354 | switch (leftover) | ||
355 | { | ||
356 | default: | ||
357 | abort(); | ||
358 | case 3: | ||
359 | dst[--j] = (word >> 8) & 0xff; | ||
360 | /* Fall through */ | ||
361 | case 2: | ||
362 | dst[--j] = (word >> 16) & 0xff; | ||
363 | /* Fall through */ | ||
364 | case 1: | ||
365 | dst[--j] = (word >> 24) & 0xff; | ||
366 | } | ||
367 | } | ||
368 | } | ||
369 | |||
370 | |||
371 | static void | ||
372 | sha256_write_digest(struct sha256_ctx *ctx, | ||
373 | size_t length, | ||
374 | uint8_t *digest) | ||
375 | { | ||
376 | uint64_t bit_count; | ||
377 | |||
378 | assert(length <= SHA256_DIGEST_SIZE); | ||
379 | |||
380 | MD_PAD(ctx, 8, COMPRESS); | ||
381 | |||
382 | /* There are 512 = 2^9 bits in one block */ | ||
383 | bit_count = (ctx->count << 9) | (ctx->index << 3); | ||
384 | |||
385 | /* This is slightly inefficient, as the numbers are converted to | ||
386 | big-endian format, and will be converted back by the compression | ||
387 | function. It's probably not worth the effort to fix this. */ | ||
388 | WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count); | ||
389 | COMPRESS(ctx, ctx->block); | ||
390 | |||
391 | _nettle_write_be32(length, digest, ctx->state); | ||
392 | } | ||
393 | |||
394 | void | ||
395 | sha256_digest(struct sha256_ctx *ctx, | ||
396 | size_t length, | ||
397 | uint8_t *digest) | ||
398 | { | ||
399 | sha256_write_digest(ctx, length, digest); | ||
400 | sha256_init(ctx); | ||
401 | } | ||
diff --git a/src/microhttpd/sha256.h b/src/microhttpd/sha256.h new file mode 100644 index 00000000..6d36ebef --- /dev/null +++ b/src/microhttpd/sha256.h | |||
@@ -0,0 +1,74 @@ | |||
1 | /* sha256.h | ||
2 | |||
3 | The sha256 hash function. | ||
4 | |||
5 | Copyright (C) 2001, 2012 Niels Möller | ||
6 | Copyright (C) 2018 Christian Grothoff (extraction of minimal subset | ||
7 | from GNU Nettle to work with GNU libmicrohttpd) | ||
8 | |||
9 | This file is part of GNU Nettle. | ||
10 | |||
11 | GNU Nettle is free software: you can redistribute it and/or | ||
12 | modify it under the terms of either: | ||
13 | |||
14 | * the GNU Lesser General Public License as published by the Free | ||
15 | Software Foundation; either version 3 of the License, or (at your | ||
16 | option) any later version. | ||
17 | |||
18 | or | ||
19 | |||
20 | * the GNU General Public License as published by the Free | ||
21 | Software Foundation; either version 2 of the License, or (at your | ||
22 | option) any later version. | ||
23 | |||
24 | or both in parallel, as here. | ||
25 | |||
26 | GNU Nettle is distributed in the hope that it will be useful, | ||
27 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
28 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
29 | General Public License for more details. | ||
30 | |||
31 | You should have received copies of the GNU General Public License and | ||
32 | the GNU Lesser General Public License along with this program. If | ||
33 | not, see http://www.gnu.org/licenses/. | ||
34 | */ | ||
35 | |||
36 | #ifndef NETTLE_SHA2_H_INCLUDED | ||
37 | #define NETTLE_SHA2_H_INCLUDED | ||
38 | |||
39 | #ifdef __cplusplus | ||
40 | extern "C" { | ||
41 | #endif | ||
42 | |||
43 | #define SHA256_DIGEST_SIZE 32 | ||
44 | #define SHA256_BLOCK_SIZE 64 | ||
45 | |||
46 | /* Digest is kept internally as 8 32-bit words. */ | ||
47 | #define _SHA256_DIGEST_LENGTH 8 | ||
48 | |||
49 | struct sha256_ctx | ||
50 | { | ||
51 | uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */ | ||
52 | uint64_t count; /* 64-bit block count */ | ||
53 | uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */ | ||
54 | unsigned int index; /* index into buffer */ | ||
55 | }; | ||
56 | |||
57 | void | ||
58 | sha256_init(struct sha256_ctx *ctx); | ||
59 | |||
60 | void | ||
61 | sha256_update(struct sha256_ctx *ctx, | ||
62 | size_t length, | ||
63 | const uint8_t *data); | ||
64 | |||
65 | void | ||
66 | sha256_digest(struct sha256_ctx *ctx, | ||
67 | size_t length, | ||
68 | uint8_t *digest); | ||
69 | |||
70 | #ifdef __cplusplus | ||
71 | } | ||
72 | #endif | ||
73 | |||
74 | #endif /* NETTLE_SHA2_H_INCLUDED */ | ||