varnish-cache/lib/libvarnish/vsha256.c
0
/*-
1
 * Copyright 2005 Colin Percival
2
 * All rights reserved.
3
 *
4
 * SPDX-License-Identifier: BSD-2-Clause
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in the
13
 *    documentation and/or other materials provided with the distribution.
14
 *
15
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25
 * SUCH DAMAGE.
26
 *
27
 * From:
28
 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
29
 */
30
31
#include "config.h"
32
33
#if defined(HAVE_SYS_ENDIAN_H)
34
#  include <sys/types.h>
35
#  include <sys/endian.h>
36
#  define VBYTE_ORDER   _BYTE_ORDER
37
#  define VBIG_ENDIAN   _BIG_ENDIAN
38
#elif defined(HAVE_ENDIAN_H)
39
#  include <endian.h>
40
#  define VBYTE_ORDER   __BYTE_ORDER
41
#  define VBIG_ENDIAN   __BIG_ENDIAN
42
#endif
43
44
#include <stdint.h>
45
#include <string.h>
46
47
#include "vdef.h"
48
49
#include "vas.h"
50
#include "vend.h"
51
#include "vsha256.h"
52
53
#if defined(VBYTE_ORDER) && VBYTE_ORDER == VBIG_ENDIAN
54
55
/* Copy a vector of big-endian uint32_t into a vector of bytes */
56
#define be32enc_vect(dst, src, len)     \
57
        memcpy((void *)dst, (const void *)src, (size_t)len)
58
59
/* Copy a vector of bytes into a vector of big-endian uint32_t */
60
#define be32dec_vect(dst, src, len)     \
61
        memcpy((void *)dst, (const void *)src, (size_t)len)
62
63
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
64
65
/*
66
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
67
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
68
 */
69
static void
70 332377
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
71
{
72
        size_t i;
73
74 2991214
        for (i = 0; i < len / 4; i++)
75 2658837
                vbe32enc(dst + i * 4, src[i]);
76 332377
}
77
78
/*
79
 * Decode a big-endian length len vector of (unsigned char) into a length
80
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
81
 */
82
static void
83 635046
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
84
{
85
        size_t i;
86
87 10795439
        for (i = 0; i < len / 4; i++)
88 10160393
                dst[i] = vbe32dec(src + i * 4);
89 635046
}
90
91
#endif /* BYTE_ORDER != BIG_ENDIAN */
92
93
/* SHA256 round constants. */
94
static const uint32_t K[64] = {
95
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
96
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
97
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
98
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
99
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
100
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
101
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
102
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
103
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
104
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
105
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
106
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
107
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
108
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
109
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
110
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
111
};
112
113
/* Elementary functions used by SHA256 */
114
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
115
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
116
#define SHR(x, n)       (x >> n)
117
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
118
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
119
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
120
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
121
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
122
123
/* SHA256 round function */
124
#define RND(a, b, c, d, e, f, g, h, k)                          \
125
        do {                                                    \
126
                h += S1(e) + Ch(e, f, g) + (k);                 \
127
                d += h;                                         \
128
                h += S0(a) + Maj(a, b, c);                      \
129
        } while (0)
130
131
/* Adjusted round function for rotating state */
132
#define RNDr(S, W, i, ii)                       \
133
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
134
            S[(66 - i) % 8], S[(67 - i) % 8],   \
135
            S[(68 - i) % 8], S[(69 - i) % 8],   \
136
            S[(70 - i) % 8], S[(71 - i) % 8],   \
137
            W[i + ii] + K[i + ii])
138
139
/* Message schedule computation */
140
#define MSCH(W, ii, i)                                          \
141
        do {                                                    \
142
                W[i + ii + 16] =                                \
143
                    s1(W[i + ii + 14]) + W[i + ii + 9] +        \
144
                    s0(W[i + ii + 1]) + W[i + ii];              \
145
        } while (0)
146
147
/*
148
 * SHA256 block compression function.  The 256-bit state is transformed via
149
 * the 512-bit input block to produce a new state.
150
 */
151
static void
152 635059
VSHA256_Transform(uint32_t * state, const unsigned char block[64])
153
{
154
        uint32_t W[64];
155
        uint32_t S[8];
156
        int i;
157
158
        /* 1. Prepare the first part of the message schedule W. */
159 635059
        be32dec_vect(W, block, 64);
160
161
        /* 2. Initialize working variables. */
162 635059
        memcpy(S, state, 32);
163
164
        /* 3. Mix. */
165 2540175
        for (i = 0; i < 64; i += 16) {
166 2540173
                RNDr(S, W, 0, i);
167 2540173
                RNDr(S, W, 1, i);
168 2540173
                RNDr(S, W, 2, i);
169 2540173
                RNDr(S, W, 3, i);
170 2540173
                RNDr(S, W, 4, i);
171 2540173
                RNDr(S, W, 5, i);
172 2540173
                RNDr(S, W, 6, i);
173 2540173
                RNDr(S, W, 7, i);
174 2540173
                RNDr(S, W, 8, i);
175 2540173
                RNDr(S, W, 9, i);
176 2540173
                RNDr(S, W, 10, i);
177 2540173
                RNDr(S, W, 11, i);
178 2540173
                RNDr(S, W, 12, i);
179 2540173
                RNDr(S, W, 13, i);
180 2540173
                RNDr(S, W, 14, i);
181 2540173
                RNDr(S, W, 15, i);
182
183 2540173
                if (i == 48)
184 635057
                        break;
185 1905116
                MSCH(W, 0, i);
186 1905116
                MSCH(W, 1, i);
187 1905116
                MSCH(W, 2, i);
188 1905116
                MSCH(W, 3, i);
189 1905116
                MSCH(W, 4, i);
190 1905116
                MSCH(W, 5, i);
191 1905116
                MSCH(W, 6, i);
192 1905116
                MSCH(W, 7, i);
193 1905116
                MSCH(W, 8, i);
194 1905116
                MSCH(W, 9, i);
195 1905116
                MSCH(W, 10, i);
196 1905116
                MSCH(W, 11, i);
197 1905116
                MSCH(W, 12, i);
198 1905116
                MSCH(W, 13, i);
199 1905116
                MSCH(W, 14, i);
200 1905116
                MSCH(W, 15, i);
201 1905116
        }
202
203
        /* 4. Mix local working variables into global state */
204 5715313
        for (i = 0; i < 8; i++)
205 5080254
                state[i] += S[i];
206 635059
}
207
208
static const unsigned char PAD[64] = {
209
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
210
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
212
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
213
};
214
215
/* Add padding and terminating bit-count. */
216
static void
217 332376
VSHA256_Pad(VSHA256_CTX * ctx)
218
{
219
        size_t r;
220
221
        /* Figure out how many bytes we have buffered. */
222 332376
        r = (ctx->count >> 3) & 0x3f;
223
224
        /* Pad to 56 mod 64, transforming if we finish a block en route. */
225 332376
        if (r < 56) {
226
                /* Pad to 56 mod 64. */
227 304836
                memcpy(&ctx->buf[r], PAD, 56 - r);
228 304836
        } else {
229
                /* Finish the current block and mix. */
230 27540
                memcpy(&ctx->buf[r], PAD, 64 - r);
231 27540
                VSHA256_Transform(ctx->state, ctx->buf);
232
233
                /* The start of the final block is all zeroes. */
234 27540
                memset(&ctx->buf[0], 0, 56);
235
        }
236
237
        /* Add the terminating bit-count. */
238 332376
        vbe64enc(&ctx->buf[56], ctx->count);
239
240
        /* Mix in the final block. */
241 332376
        VSHA256_Transform(ctx->state, ctx->buf);
242 332376
}
243
244
/* SHA-256 initialization.  Begins a SHA-256 operation. */
245
void
246 321171
VSHA256_Init(VSHA256_CTX * ctx)
247
{
248
249
        /* Zero bits processed so far */
250 321171
        ctx->count = 0;
251
252
        /* Magic initialization constants */
253 321171
        ctx->state[0] = 0x6A09E667;
254 321171
        ctx->state[1] = 0xBB67AE85;
255 321171
        ctx->state[2] = 0x3C6EF372;
256 321171
        ctx->state[3] = 0xA54FF53A;
257 321171
        ctx->state[4] = 0x510E527F;
258 321171
        ctx->state[5] = 0x9B05688C;
259 321171
        ctx->state[6] = 0x1F83D9AB;
260 321171
        ctx->state[7] = 0x5BE0CD19;
261 321171
}
262
263
/* Add bytes into the hash */
264
void
265 13490951
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
266
{
267
        uint64_t bitlen;
268
        uint32_t r;
269 13490951
        const unsigned char *src = in;
270
271
        /* Number of bytes left in the buffer from previous updates */
272 13490951
        r = (ctx->count >> 3) & 0x3f;
273
274
        /* Convert the length into a number of bits */
275 13490951
        bitlen = len << 3;
276
277
        /* Update number of bits */
278 13490951
        ctx->count += bitlen;
279
280
        /* Handle the case where we don't need to perform any transforms */
281 13490951
        if (len < 64 - r) {
282 13227243
                memcpy(&ctx->buf[r], src, len);
283 13227243
                return;
284
        }
285
286
        /* Finish the current block */
287 263708
        memcpy(&ctx->buf[r], src, 64 - r);
288 263708
        VSHA256_Transform(ctx->state, ctx->buf);
289 263708
        src += 64 - r;
290 263708
        len -= 64 - r;
291
292
        /* Perform complete blocks */
293 275129
        while (len >= 64) {
294 11421
                VSHA256_Transform(ctx->state, src);
295 11421
                src += 64;
296 11421
                len -= 64;
297
        }
298
299
        /* Copy left over data into buffer */
300 263708
        memcpy(ctx->buf, src, len);
301 13490951
}
302
303
/*
304
 * SHA-256 finalization.  Pads the input data, exports the hash value,
305
 * and clears the context state.
306
 */
307
void
308 332375
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
309
    VSHA256_CTX *ctx)
310
{
311
312
        /* Add padding */
313 332375
        VSHA256_Pad(ctx);
314
315
        /* Write the hash */
316 332375
        be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
317
318
        /* Clear the context state */
319 332375
        memset((void *)ctx, 0, sizeof(*ctx));
320 332375
}
321
322
/*
323
 * A few test-vectors, just in case
324
 */
325
326
static const struct sha256test {
327
        const char              *input;
328
        const unsigned char     output[32];
329
} sha256test[] = {
330
    { "",
331
        {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
332
         0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
333
         0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
334
    { "message digest",
335
        {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
336
         0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
337
         0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
338
    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
339
        {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
340
         0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
341
         0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
342
    { NULL }
343
};
344
345
346
void
347 25758
VSHA256_Test(void)
348
{
349
        struct VSHA256Context c;
350
        const struct sha256test *p;
351
        unsigned char o[32];
352
353 103032
        for (p = sha256test; p->input != NULL; p++) {
354 77274
                VSHA256_Init(&c);
355 77274
                VSHA256_Update(&c, p->input, strlen(p->input));
356 77274
                VSHA256_Final(o, &c);
357 77274
                AZ(memcmp(o, p->output, 32));
358 77274
        }
359 25758
}