varnish-cache/lib/libvarnish/vsha256.c
0
/*-
1
 * Copyright 2005 Colin Percival
2
 * All rights reserved.
3
 *
4
 * SPDX-License-Identifier: BSD-2-Clause
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in the
13
 *    documentation and/or other materials provided with the distribution.
14
 *
15
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25
 * SUCH DAMAGE.
26
 *
27
 * From:
28
 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
29
 */
30
31
#include "config.h"
32
33
#if defined(HAVE_SYS_ENDIAN_H)
34
#  include <sys/types.h>
35
#  include <sys/endian.h>
36
#  define VBYTE_ORDER   _BYTE_ORDER
37
#  define VBIG_ENDIAN   _BIG_ENDIAN
38
#elif defined(HAVE_ENDIAN_H)
39
#  include <endian.h>
40
#  define VBYTE_ORDER   __BYTE_ORDER
41
#  define VBIG_ENDIAN   __BIG_ENDIAN
42
#endif
43
44
#include <stdint.h>
45
#include <string.h>
46
47
#include "vdef.h"
48
49
#include "vas.h"
50
#include "vend.h"
51
#include "vsha256.h"
52
53
#if defined(VBYTE_ORDER) && VBYTE_ORDER == VBIG_ENDIAN
54
55
/* Copy a vector of big-endian uint32_t into a vector of bytes */
56
#define be32enc_vect(dst, src, len)     \
57
        memcpy((void *)dst, (const void *)src, (size_t)len)
58
59
/* Copy a vector of bytes into a vector of big-endian uint32_t */
60
#define be32dec_vect(dst, src, len)     \
61
        memcpy((void *)dst, (const void *)src, (size_t)len)
62
63
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
64
65
/*
66
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
67
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
68
 */
69
static void
70 506833
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
71
{
72
        size_t i;
73
74 4561192
        for (i = 0; i < len / 4; i++)
75 4054359
                vbe32enc(dst + i * 4, src[i]);
76 506833
}
77
78
/*
79
 * Decode a big-endian length len vector of (unsigned char) into a length
80
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
81
 */
82
static void
83 967969
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
84
{
85
        size_t i;
86
87 16454879
        for (i = 0; i < len / 4; i++)
88 15486910
                dst[i] = vbe32dec(src + i * 4);
89 967969
}
90
91
#endif /* BYTE_ORDER != BIG_ENDIAN */
92
93
/* SHA256 round constants. */
94
static const uint32_t K[64] = {
95
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
96
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
97
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
98
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
99
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
100
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
101
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
102
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
103
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
104
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
105
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
106
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
107
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
108
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
109
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
110
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
111
};
112
113
/* Elementary functions used by SHA256 */
114
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
115
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
116
#define SHR(x, n)       (x >> n)
117
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
118
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
119
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
120
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
121
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
122
123
/* SHA256 round function */
124
#define RND(a, b, c, d, e, f, g, h, k)                          \
125
        do {                                                    \
126
                h += S1(e) + Ch(e, f, g) + (k);                 \
127
                d += h;                                         \
128
                h += S0(a) + Maj(a, b, c);                      \
129
        } while (0)
130
131
/* Adjusted round function for rotating state */
132
#define RNDr(S, W, i, ii)                       \
133
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
134
            S[(66 - i) % 8], S[(67 - i) % 8],   \
135
            S[(68 - i) % 8], S[(69 - i) % 8],   \
136
            S[(70 - i) % 8], S[(71 - i) % 8],   \
137
            W[i + ii] + K[i + ii])
138
139
/* Message schedule computation */
140
#define MSCH(W, ii, i)                                          \
141
        do {                                                    \
142
                W[i + ii + 16] =                                \
143
                    s1(W[i + ii + 14]) + W[i + ii + 9] +        \
144
                    s0(W[i + ii + 1]) + W[i + ii];              \
145
        } while (0)
146
147
/*
148
 * SHA256 block compression function.  The 256-bit state is transformed via
149
 * the 512-bit input block to produce a new state.
150
 */
151
static void
152 968022
VSHA256_Transform(uint32_t * state, const unsigned char block[64])
153
{
154
        uint32_t W[64];
155
        uint32_t S[8];
156
        int i;
157
158
        /* 1. Prepare the first part of the message schedule W. */
159 968022
        be32dec_vect(W, block, 64);
160
161
        /* 2. Initialize working variables. */
162 968022
        memcpy(S, state, 32);
163
164
        /* 3. Mix. */
165 3871966
        for (i = 0; i < 64; i += 16) {
166 3871950
                RNDr(S, W, 0, i);
167 3871950
                RNDr(S, W, 1, i);
168 3871950
                RNDr(S, W, 2, i);
169 3871950
                RNDr(S, W, 3, i);
170 3871950
                RNDr(S, W, 4, i);
171 3871950
                RNDr(S, W, 5, i);
172 3871950
                RNDr(S, W, 6, i);
173 3871950
                RNDr(S, W, 7, i);
174 3871950
                RNDr(S, W, 8, i);
175 3871950
                RNDr(S, W, 9, i);
176 3871950
                RNDr(S, W, 10, i);
177 3871950
                RNDr(S, W, 11, i);
178 3871950
                RNDr(S, W, 12, i);
179 3871950
                RNDr(S, W, 13, i);
180 3871950
                RNDr(S, W, 14, i);
181 3871950
                RNDr(S, W, 15, i);
182
183 3871950
                if (i == 48)
184 968006
                        break;
185 2903944
                MSCH(W, 0, i);
186 2903944
                MSCH(W, 1, i);
187 2903944
                MSCH(W, 2, i);
188 2903944
                MSCH(W, 3, i);
189 2903944
                MSCH(W, 4, i);
190 2903944
                MSCH(W, 5, i);
191 2903944
                MSCH(W, 6, i);
192 2903944
                MSCH(W, 7, i);
193 2903944
                MSCH(W, 8, i);
194 2903944
                MSCH(W, 9, i);
195 2903944
                MSCH(W, 10, i);
196 2903944
                MSCH(W, 11, i);
197 2903944
                MSCH(W, 12, i);
198 2903944
                MSCH(W, 13, i);
199 2903944
                MSCH(W, 14, i);
200 2903944
                MSCH(W, 15, i);
201 2903944
        }
202
203
        /* 4. Mix local working variables into global state */
204 8711864
        for (i = 0; i < 8; i++)
205 7743842
                state[i] += S[i];
206 967992
}
207
208
static const unsigned char PAD[64] = {
209
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
210
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
212
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
213
};
214
215
/* Add padding and terminating bit-count. */
216
static void
217 506833
VSHA256_Pad(VSHA256_CTX * ctx)
218
{
219
        size_t r;
220
221
        /* Figure out how many bytes we have buffered. */
222 506833
        r = (ctx->count >> 3) & 0x3f;
223
224
        /* Pad to 56 mod 64, transforming if we finish a block en route. */
225 506833
        if (r < 56) {
226
                /* Pad to 56 mod 64. */
227 464753
                memcpy(&ctx->buf[r], PAD, 56 - r);
228 464753
        } else {
229
                /* Finish the current block and mix. */
230 42080
                memcpy(&ctx->buf[r], PAD, 64 - r);
231 42080
                VSHA256_Transform(ctx->state, ctx->buf);
232
233
                /* The start of the final block is all zeroes. */
234 42080
                memset(&ctx->buf[0], 0, 56);
235
        }
236
237
        /* Add the terminating bit-count. */
238 506833
        vbe64enc(&ctx->buf[56], ctx->count);
239
240
        /* Mix in the final block. */
241 506833
        VSHA256_Transform(ctx->state, ctx->buf);
242 506833
}
243
244
/* SHA-256 initialization.  Begins a SHA-256 operation. */
245
void
246 490225
VSHA256_Init(VSHA256_CTX * ctx)
247
{
248
249
        /* Zero bits processed so far */
250 490225
        ctx->count = 0;
251
252
        /* Magic initialization constants */
253 490225
        ctx->state[0] = 0x6A09E667;
254 490225
        ctx->state[1] = 0xBB67AE85;
255 490225
        ctx->state[2] = 0x3C6EF372;
256 490225
        ctx->state[3] = 0xA54FF53A;
257 490225
        ctx->state[4] = 0x510E527F;
258 490225
        ctx->state[5] = 0x9B05688C;
259 490225
        ctx->state[6] = 0x1F83D9AB;
260 490225
        ctx->state[7] = 0x5BE0CD19;
261 490225
}
262
263
/* Add bytes into the hash */
264
void
265 20603902
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
266
{
267
        uint64_t bitlen;
268
        uint32_t r;
269 20603902
        const unsigned char *src = in;
270
271
        /* Number of bytes left in the buffer from previous updates */
272 20603902
        r = (ctx->count >> 3) & 0x3f;
273
274
        /* Convert the length into a number of bits */
275 20603902
        bitlen = len << 3;
276
277
        /* Update number of bits */
278 20603902
        ctx->count += bitlen;
279
280
        /* Handle the case where we don't need to perform any transforms */
281 20603902
        if (len < 64 - r) {
282 20201740
                memcpy(&ctx->buf[r], src, len);
283 20201740
                return;
284
        }
285
286
        /* Finish the current block */
287 402162
        memcpy(&ctx->buf[r], src, 64 - r);
288 402162
        VSHA256_Transform(ctx->state, ctx->buf);
289 402162
        src += 64 - r;
290 402162
        len -= 64 - r;
291
292
        /* Perform complete blocks */
293 419082
        while (len >= 64) {
294 16920
                VSHA256_Transform(ctx->state, src);
295 16920
                src += 64;
296 16920
                len -= 64;
297
        }
298
299
        /* Copy left over data into buffer */
300 402162
        memcpy(ctx->buf, src, len);
301 20603902
}
302
303
/*
304
 * SHA-256 finalization.  Pads the input data, exports the hash value,
305
 * and clears the context state.
306
 */
307
void
308 506834
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
309
    VSHA256_CTX *ctx)
310
{
311
312
        /* Add padding */
313 506834
        VSHA256_Pad(ctx);
314
315
        /* Write the hash */
316 506834
        be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
317
318
        /* Clear the context state */
319 506834
        memset((void *)ctx, 0, sizeof(*ctx));
320 506834
}
321
322
/*
323
 * A few test-vectors, just in case
324
 */
325
326
static const struct sha256test {
327
        const char              *input;
328
        const unsigned char     output[32];
329
} sha256test[] = {
330
    { "",
331
        {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
332
         0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
333
         0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
334
    { "message digest",
335
        {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
336
         0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
337
         0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
338
    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
339
        {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
340
         0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
341
         0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
342
    { NULL }
343
};
344
345
346
void
347 39400
VSHA256_Test(void)
348
{
349
        struct VSHA256Context c;
350
        const struct sha256test *p;
351
        unsigned char o[32];
352
353 157600
        for (p = sha256test; p->input != NULL; p++) {
354 118200
                VSHA256_Init(&c);
355 118200
                VSHA256_Update(&c, p->input, strlen(p->input));
356 118200
                VSHA256_Final(o, &c);
357 118200
                AZ(memcmp(o, p->output, 32));
358 118200
        }
359 39400
}