GNU libmicrohttpd 0.9.77
Loading...
Searching...
No Matches
sha1.c
Go to the documentation of this file.
1/*
2 This file is part of libmicrohttpd
3 Copyright (C) 2019-2021 Karlson2k (Evgeny Grin)
4
5 libmicrohttpd is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 This library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with this library.
17 If not, see <http://www.gnu.org/licenses/>.
18*/
19
26#include "sha1.h"
27
28#include <string.h>
29#ifdef HAVE_MEMORY_H
30#include <memory.h>
31#endif /* HAVE_MEMORY_H */
32#include "mhd_bithelpers.h"
33#include "mhd_assert.h"
34
40void
41MHD_SHA1_init (void *ctx_)
42{
43 struct sha1_ctx *const ctx = ctx_;
44 /* Initial hash values, see FIPS PUB 180-4 paragraph 5.3.1 */
45 /* Just some "magic" numbers defined by standard */
46 ctx->H[0] = UINT32_C (0x67452301);
47 ctx->H[1] = UINT32_C (0xefcdab89);
48 ctx->H[2] = UINT32_C (0x98badcfe);
49 ctx->H[3] = UINT32_C (0x10325476);
50 ctx->H[4] = UINT32_C (0xc3d2e1f0);
51
52 /* Initialise number of bytes. */
53 ctx->count = 0;
54}
55
56
63static void
65 const uint8_t data[SHA1_BLOCK_SIZE])
66{
67 /* Working variables,
68 see FIPS PUB 180-4 paragraph 6.1.3 */
69 uint32_t a = H[0];
70 uint32_t b = H[1];
71 uint32_t c = H[2];
72 uint32_t d = H[3];
73 uint32_t e = H[4];
74
75 /* Data buffer, used as cyclic buffer.
76 See FIPS PUB 180-4 paragraphs 5.2.1, 6.1.3 */
77 uint32_t W[16];
78
79 /* 'Ch' and 'Maj' macro functions are defined with
80 widely-used optimization.
81 See FIPS PUB 180-4 formulae 4.1. */
82#define Ch(x,y,z) ( (z) ^ ((x) & ((y) ^ (z))) )
83#define Maj(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
84 /* Unoptimized (original) versions: */
85/* #define Ch(x,y,z) ( ( (x) & (y) ) ^ ( ~(x) & (z) ) ) */
86/* #define Maj(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */
87#define Par(x,y,z) ( (x) ^ (y) ^ (z) )
88
89 /* Single step of SHA-1 computation,
90 see FIPS PUB 180-4 paragraph 6.1.3 step 3.
91 * Note: instead of reassigning all working variables on each step,
92 variables are rotated for each step:
93 SHA1STEP32 (a, b, c, d, e, func, K00, W[0]);
94 SHA1STEP32 (e, a, b, c, d, func, K00, W[1]);
95 so current 'vC' will be used as 'vD' on the next step,
96 current 'vE' will be used as 'vA' on the next step.
97 * Note: 'wt' must be used exactly one time in this macro as it change other data as well
98 every time when used. */
99
100#define SHA1STEP32(vA,vB,vC,vD,vE,ft,kt,wt) do { \
101 (vE) += _MHD_ROTL32 ((vA), 5) + ft ((vB), (vC), (vD)) + (kt) + (wt); \
102 (vB) = _MHD_ROTL32 ((vB), 30); } while (0)
103
104 /* Get value of W(t) from input data buffer,
105 See FIPS PUB 180-4 paragraph 6.1.3.
106 Input data must be read in big-endian bytes order,
107 see FIPS PUB 180-4 paragraph 3.1.2. */
108#define GET_W_FROM_DATA(buf,t) \
109 _MHD_GET_32BIT_BE (((const uint8_t*) (buf)) + (t) * SHA1_BYTES_IN_WORD)
110
111#ifndef _MHD_GET_32BIT_BE_UNALIGNED
112 if (0 != (((uintptr_t) data) % _MHD_UINT32_ALIGN))
113 {
114 /* Copy the unaligned input data to the aligned buffer */
115 memcpy (W, data, SHA1_BLOCK_SIZE);
116 /* The W[] buffer itself will be used as the source of the data,
117 * but data will be reloaded in correct bytes order during
118 * the next steps */
119 data = (uint8_t*) W;
120 }
121#endif /* _MHD_GET_32BIT_BE_UNALIGNED */
122
123/* SHA-1 values of Kt for t=0..19, see FIPS PUB 180-4 paragraph 4.2.1. */
124#define K00 UINT32_C(0x5a827999)
125/* SHA-1 values of Kt for t=20..39, see FIPS PUB 180-4 paragraph 4.2.1.*/
126#define K20 UINT32_C(0x6ed9eba1)
127/* SHA-1 values of Kt for t=40..59, see FIPS PUB 180-4 paragraph 4.2.1.*/
128#define K40 UINT32_C(0x8f1bbcdc)
129/* SHA-1 values of Kt for t=60..79, see FIPS PUB 180-4 paragraph 4.2.1.*/
130#define K60 UINT32_C(0xca62c1d6)
131
132 /* During first 16 steps, before making any calculations on each step,
133 the W element is read from input data buffer as big-endian value and
134 stored in array of W elements. */
135 /* Note: instead of using K constants as array, all K values are specified
136 individually for each step. */
137 SHA1STEP32 (a, b, c, d, e, Ch, K00, W[0] = GET_W_FROM_DATA (data, 0));
138 SHA1STEP32 (e, a, b, c, d, Ch, K00, W[1] = GET_W_FROM_DATA (data, 1));
139 SHA1STEP32 (d, e, a, b, c, Ch, K00, W[2] = GET_W_FROM_DATA (data, 2));
140 SHA1STEP32 (c, d, e, a, b, Ch, K00, W[3] = GET_W_FROM_DATA (data, 3));
141 SHA1STEP32 (b, c, d, e, a, Ch, K00, W[4] = GET_W_FROM_DATA (data, 4));
142 SHA1STEP32 (a, b, c, d, e, Ch, K00, W[5] = GET_W_FROM_DATA (data, 5));
143 SHA1STEP32 (e, a, b, c, d, Ch, K00, W[6] = GET_W_FROM_DATA (data, 6));
144 SHA1STEP32 (d, e, a, b, c, Ch, K00, W[7] = GET_W_FROM_DATA (data, 7));
145 SHA1STEP32 (c, d, e, a, b, Ch, K00, W[8] = GET_W_FROM_DATA (data, 8));
146 SHA1STEP32 (b, c, d, e, a, Ch, K00, W[9] = GET_W_FROM_DATA (data, 9));
147 SHA1STEP32 (a, b, c, d, e, Ch, K00, W[10] = GET_W_FROM_DATA (data, 10));
148 SHA1STEP32 (e, a, b, c, d, Ch, K00, W[11] = GET_W_FROM_DATA (data, 11));
149 SHA1STEP32 (d, e, a, b, c, Ch, K00, W[12] = GET_W_FROM_DATA (data, 12));
150 SHA1STEP32 (c, d, e, a, b, Ch, K00, W[13] = GET_W_FROM_DATA (data, 13));
151 SHA1STEP32 (b, c, d, e, a, Ch, K00, W[14] = GET_W_FROM_DATA (data, 14));
152 SHA1STEP32 (a, b, c, d, e, Ch, K00, W[15] = GET_W_FROM_DATA (data, 15));
153
154 /* 'W' generation and assignment for 16 <= t <= 79.
155 See FIPS PUB 180-4 paragraph 6.1.3.
156 As only last 16 'W' are used in calculations, it is possible to
157 use 16 elements array of W as cyclic buffer. */
158#define Wgen(w,t) _MHD_ROTL32((w)[(t + 13) & 0xf] ^ (w)[(t + 8) & 0xf] \
159 ^ (w)[(t + 2) & 0xf] ^ (w)[t & 0xf], 1)
160
161 /* During last 60 steps, before making any calculations on each step,
162 W element is generated from W elements of cyclic buffer and generated value
163 stored back in cyclic buffer. */
164 /* Note: instead of using K constants as array, all K values are specified
165 individually for each step, see FIPS PUB 180-4 paragraph 4.2.1. */
166 SHA1STEP32 (e, a, b, c, d, Ch, K00, W[16 & 0xf] = Wgen (W, 16));
167 SHA1STEP32 (d, e, a, b, c, Ch, K00, W[17 & 0xf] = Wgen (W, 17));
168 SHA1STEP32 (c, d, e, a, b, Ch, K00, W[18 & 0xf] = Wgen (W, 18));
169 SHA1STEP32 (b, c, d, e, a, Ch, K00, W[19 & 0xf] = Wgen (W, 19));
170 SHA1STEP32 (a, b, c, d, e, Par, K20, W[20 & 0xf] = Wgen (W, 20));
171 SHA1STEP32 (e, a, b, c, d, Par, K20, W[21 & 0xf] = Wgen (W, 21));
172 SHA1STEP32 (d, e, a, b, c, Par, K20, W[22 & 0xf] = Wgen (W, 22));
173 SHA1STEP32 (c, d, e, a, b, Par, K20, W[23 & 0xf] = Wgen (W, 23));
174 SHA1STEP32 (b, c, d, e, a, Par, K20, W[24 & 0xf] = Wgen (W, 24));
175 SHA1STEP32 (a, b, c, d, e, Par, K20, W[25 & 0xf] = Wgen (W, 25));
176 SHA1STEP32 (e, a, b, c, d, Par, K20, W[26 & 0xf] = Wgen (W, 26));
177 SHA1STEP32 (d, e, a, b, c, Par, K20, W[27 & 0xf] = Wgen (W, 27));
178 SHA1STEP32 (c, d, e, a, b, Par, K20, W[28 & 0xf] = Wgen (W, 28));
179 SHA1STEP32 (b, c, d, e, a, Par, K20, W[29 & 0xf] = Wgen (W, 29));
180 SHA1STEP32 (a, b, c, d, e, Par, K20, W[30 & 0xf] = Wgen (W, 30));
181 SHA1STEP32 (e, a, b, c, d, Par, K20, W[31 & 0xf] = Wgen (W, 31));
182 SHA1STEP32 (d, e, a, b, c, Par, K20, W[32 & 0xf] = Wgen (W, 32));
183 SHA1STEP32 (c, d, e, a, b, Par, K20, W[33 & 0xf] = Wgen (W, 33));
184 SHA1STEP32 (b, c, d, e, a, Par, K20, W[34 & 0xf] = Wgen (W, 34));
185 SHA1STEP32 (a, b, c, d, e, Par, K20, W[35 & 0xf] = Wgen (W, 35));
186 SHA1STEP32 (e, a, b, c, d, Par, K20, W[36 & 0xf] = Wgen (W, 36));
187 SHA1STEP32 (d, e, a, b, c, Par, K20, W[37 & 0xf] = Wgen (W, 37));
188 SHA1STEP32 (c, d, e, a, b, Par, K20, W[38 & 0xf] = Wgen (W, 38));
189 SHA1STEP32 (b, c, d, e, a, Par, K20, W[39 & 0xf] = Wgen (W, 39));
190 SHA1STEP32 (a, b, c, d, e, Maj, K40, W[40 & 0xf] = Wgen (W, 40));
191 SHA1STEP32 (e, a, b, c, d, Maj, K40, W[41 & 0xf] = Wgen (W, 41));
192 SHA1STEP32 (d, e, a, b, c, Maj, K40, W[42 & 0xf] = Wgen (W, 42));
193 SHA1STEP32 (c, d, e, a, b, Maj, K40, W[43 & 0xf] = Wgen (W, 43));
194 SHA1STEP32 (b, c, d, e, a, Maj, K40, W[44 & 0xf] = Wgen (W, 44));
195 SHA1STEP32 (a, b, c, d, e, Maj, K40, W[45 & 0xf] = Wgen (W, 45));
196 SHA1STEP32 (e, a, b, c, d, Maj, K40, W[46 & 0xf] = Wgen (W, 46));
197 SHA1STEP32 (d, e, a, b, c, Maj, K40, W[47 & 0xf] = Wgen (W, 47));
198 SHA1STEP32 (c, d, e, a, b, Maj, K40, W[48 & 0xf] = Wgen (W, 48));
199 SHA1STEP32 (b, c, d, e, a, Maj, K40, W[49 & 0xf] = Wgen (W, 49));
200 SHA1STEP32 (a, b, c, d, e, Maj, K40, W[50 & 0xf] = Wgen (W, 50));
201 SHA1STEP32 (e, a, b, c, d, Maj, K40, W[51 & 0xf] = Wgen (W, 51));
202 SHA1STEP32 (d, e, a, b, c, Maj, K40, W[52 & 0xf] = Wgen (W, 52));
203 SHA1STEP32 (c, d, e, a, b, Maj, K40, W[53 & 0xf] = Wgen (W, 53));
204 SHA1STEP32 (b, c, d, e, a, Maj, K40, W[54 & 0xf] = Wgen (W, 54));
205 SHA1STEP32 (a, b, c, d, e, Maj, K40, W[55 & 0xf] = Wgen (W, 55));
206 SHA1STEP32 (e, a, b, c, d, Maj, K40, W[56 & 0xf] = Wgen (W, 56));
207 SHA1STEP32 (d, e, a, b, c, Maj, K40, W[57 & 0xf] = Wgen (W, 57));
208 SHA1STEP32 (c, d, e, a, b, Maj, K40, W[58 & 0xf] = Wgen (W, 58));
209 SHA1STEP32 (b, c, d, e, a, Maj, K40, W[59 & 0xf] = Wgen (W, 59));
210 SHA1STEP32 (a, b, c, d, e, Par, K60, W[60 & 0xf] = Wgen (W, 60));
211 SHA1STEP32 (e, a, b, c, d, Par, K60, W[61 & 0xf] = Wgen (W, 61));
212 SHA1STEP32 (d, e, a, b, c, Par, K60, W[62 & 0xf] = Wgen (W, 62));
213 SHA1STEP32 (c, d, e, a, b, Par, K60, W[63 & 0xf] = Wgen (W, 63));
214 SHA1STEP32 (b, c, d, e, a, Par, K60, W[64 & 0xf] = Wgen (W, 64));
215 SHA1STEP32 (a, b, c, d, e, Par, K60, W[65 & 0xf] = Wgen (W, 65));
216 SHA1STEP32 (e, a, b, c, d, Par, K60, W[66 & 0xf] = Wgen (W, 66));
217 SHA1STEP32 (d, e, a, b, c, Par, K60, W[67 & 0xf] = Wgen (W, 67));
218 SHA1STEP32 (c, d, e, a, b, Par, K60, W[68 & 0xf] = Wgen (W, 68));
219 SHA1STEP32 (b, c, d, e, a, Par, K60, W[69 & 0xf] = Wgen (W, 69));
220 SHA1STEP32 (a, b, c, d, e, Par, K60, W[70 & 0xf] = Wgen (W, 70));
221 SHA1STEP32 (e, a, b, c, d, Par, K60, W[71 & 0xf] = Wgen (W, 71));
222 SHA1STEP32 (d, e, a, b, c, Par, K60, W[72 & 0xf] = Wgen (W, 72));
223 SHA1STEP32 (c, d, e, a, b, Par, K60, W[73 & 0xf] = Wgen (W, 73));
224 SHA1STEP32 (b, c, d, e, a, Par, K60, W[74 & 0xf] = Wgen (W, 74));
225 SHA1STEP32 (a, b, c, d, e, Par, K60, W[75 & 0xf] = Wgen (W, 75));
226 SHA1STEP32 (e, a, b, c, d, Par, K60, W[76 & 0xf] = Wgen (W, 76));
227 SHA1STEP32 (d, e, a, b, c, Par, K60, W[77 & 0xf] = Wgen (W, 77));
228 SHA1STEP32 (c, d, e, a, b, Par, K60, W[78 & 0xf] = Wgen (W, 78));
229 SHA1STEP32 (b, c, d, e, a, Par, K60, W[79 & 0xf] = Wgen (W, 79));
230
231 /* Compute intermediate hash.
232 See FIPS PUB 180-4 paragraph 6.1.3 step 4. */
233 H[0] += a;
234 H[1] += b;
235 H[2] += c;
236 H[3] += d;
237 H[4] += e;
238}
239
240
248void
249MHD_SHA1_update (void *ctx_,
250 const uint8_t *data,
251 size_t length)
252{
253 struct sha1_ctx *const ctx = ctx_;
254 unsigned bytes_have;
256 mhd_assert ((data != NULL) || (length == 0));
257
258 if (0 == length)
259 return; /* Do nothing */
260
261 /* Note: (count & (SHA1_BLOCK_SIZE-1))
262 equal (count % SHA1_BLOCK_SIZE) for this block size. */
263 bytes_have = (unsigned) (ctx->count & (SHA1_BLOCK_SIZE - 1));
264 ctx->count += length;
265
266 if (0 != bytes_have)
267 {
268 unsigned bytes_left = SHA1_BLOCK_SIZE - bytes_have;
269 if (length >= bytes_left)
270 { /* Combine new data with the data in the buffer and
271 process the full block. */
272 memcpy (ctx->buffer + bytes_have,
273 data,
274 bytes_left);
275 data += bytes_left;
276 length -= bytes_left;
277 sha1_transform (ctx->H, ctx->buffer);
278 bytes_have = 0;
279 }
280 }
281
282 while (SHA1_BLOCK_SIZE <= length)
283 { /* Process any full blocks of new data directly,
284 without copying to the buffer. */
285 sha1_transform (ctx->H, data);
287 length -= SHA1_BLOCK_SIZE;
288 }
289
290 if (0 != length)
291 { /* Copy incomplete block of new data (if any)
292 to the buffer. */
293 memcpy (ctx->buffer + bytes_have, data, length);
294 }
295}
296
297
302#define SHA1_SIZE_OF_LEN_ADD (64 / 8)
303
310void
311MHD_SHA1_finish (void *ctx_,
312 uint8_t digest[SHA1_DIGEST_SIZE])
313{
314 struct sha1_ctx *const ctx = ctx_;
315 uint64_t num_bits;
316 unsigned bytes_have;
318 num_bits = ctx->count << 3;
319 /* Note: (count & (SHA1_BLOCK_SIZE-1))
320 equals (count % SHA1_BLOCK_SIZE) for this block size. */
321 bytes_have = (unsigned) (ctx->count & (SHA1_BLOCK_SIZE - 1));
322
323 /* Input data must be padded with bit "1" and with length of data in bits.
324 See FIPS PUB 180-4 paragraph 5.1.1. */
325 /* Data is always processed in form of bytes (not by individual bits),
326 therefore position of first padding bit in byte is always predefined (0x80). */
327 /* Buffer always have space at least for one byte (as full buffers are
328 processed immediately). */
329 ctx->buffer[bytes_have++] = 0x80;
330
331 if (SHA1_BLOCK_SIZE - bytes_have < SHA1_SIZE_OF_LEN_ADD)
332 { /* No space in current block to put total length of message.
333 Pad current block with zeros and process it. */
334 if (SHA1_BLOCK_SIZE > bytes_have)
335 memset (ctx->buffer + bytes_have, 0, SHA1_BLOCK_SIZE - bytes_have);
336 /* Process full block. */
337 sha1_transform (ctx->H, ctx->buffer);
338 /* Start new block. */
339 bytes_have = 0;
340 }
341
342 /* Pad the rest of the buffer with zeros. */
343 memset (ctx->buffer + bytes_have, 0,
345 /* Put the number of bits in the processed message as a big-endian value. */
347 num_bits);
348 /* Process the full final block. */
349 sha1_transform (ctx->H, ctx->buffer);
350
351 /* Put final hash/digest in BE mode */
352#ifndef _MHD_PUT_32BIT_BE_UNALIGNED
353 if (0 != ((uintptr_t) digest) % _MHD_UINT32_ALIGN)
354 {
355 uint32_t alig_dgst[_SHA1_DIGEST_LENGTH];
356 _MHD_PUT_32BIT_BE (alig_dgst + 0, ctx->H[0]);
357 _MHD_PUT_32BIT_BE (alig_dgst + 1, ctx->H[1]);
358 _MHD_PUT_32BIT_BE (alig_dgst + 2, ctx->H[2]);
359 _MHD_PUT_32BIT_BE (alig_dgst + 3, ctx->H[3]);
360 _MHD_PUT_32BIT_BE (alig_dgst + 4, ctx->H[4]);
361 /* Copy result to unaligned destination address */
362 memcpy (digest, alig_dgst, SHA1_DIGEST_SIZE);
363 }
364 else
365#else /* _MHD_PUT_32BIT_BE_UNALIGNED */
366 if (1)
367#endif /* _MHD_PUT_32BIT_BE_UNALIGNED */
368 {
369 _MHD_PUT_32BIT_BE (digest + 0 * SHA1_BYTES_IN_WORD, ctx->H[0]);
370 _MHD_PUT_32BIT_BE (digest + 1 * SHA1_BYTES_IN_WORD, ctx->H[1]);
371 _MHD_PUT_32BIT_BE (digest + 2 * SHA1_BYTES_IN_WORD, ctx->H[2]);
372 _MHD_PUT_32BIT_BE (digest + 3 * SHA1_BYTES_IN_WORD, ctx->H[3]);
373 _MHD_PUT_32BIT_BE (digest + 4 * SHA1_BYTES_IN_WORD, ctx->H[4]);
374 }
375
376 /* Erase potentially sensitive data. */
377 memset (ctx, 0, sizeof(struct sha1_ctx));
378}
#define mhd_assert(CHK)
Definition mhd_assert.h:39
#define NULL
#define _MHD_UINT32_ALIGN
Definition mhd_align.h:85
macros for bits manipulations
_MHD_static_inline void _MHD_PUT_64BIT_BE_SAFE(void *dst, uint64_t value)
#define _MHD_PUT_32BIT_BE(addr, value32)
macros for mhd_assert()
void MHD_SHA1_update(void *ctx_, const uint8_t *data, size_t length)
Definition sha1.c:249
#define Wgen(w, t)
void MHD_SHA1_finish(void *ctx_, uint8_t digest[SHA1_DIGEST_SIZE])
Definition sha1.c:311
#define K00
#define K40
#define Maj(x, y, z)
#define Par(x, y, z)
#define SHA1STEP32(vA, vB, vC, vD, vE, ft, kt, wt)
#define Ch(x, y, z)
void MHD_SHA1_init(void *ctx_)
Definition sha1.c:41
#define K20
#define SHA1_SIZE_OF_LEN_ADD
Definition sha1.c:302
#define GET_W_FROM_DATA(buf, t)
#define K60
static void sha1_transform(uint32_t H[_SHA1_DIGEST_LENGTH], const uint8_t data[SHA1_BLOCK_SIZE])
Definition sha1.c:64
#define _SHA1_DIGEST_LENGTH
Definition sha1.h:38
#define SHA1_DIGEST_SIZE
Definition sha1.h:53
#define SHA1_BLOCK_SIZE
Definition sha1.h:68
#define SHA1_BYTES_IN_WORD
Definition sha1.h:48
void * data
uint64_t count
Definition sha1.h:75
uint32_t H[_SHA1_DIGEST_LENGTH]
Definition sha1.h:73
uint8_t buffer[SHA1_BLOCK_SIZE]
Definition sha1.h:74