varnish-cache/lib/libvarnish/vsha256.c
1
/*-
2
 * Copyright 2005 Colin Percival
3
 * All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 * 2. Redistributions in binary form must reproduce the above copyright
11
 *    notice, this list of conditions and the following disclaimer in the
12
 *    documentation and/or other materials provided with the distribution.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24
 * SUCH DAMAGE.
25
 *
26
 * From:
27
 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
28
 */
29
30
#include "config.h"
31
32
#if defined(HAVE_SYS_ENDIAN_H)
33
#  include <sys/types.h>
34
#  include <sys/endian.h>
35
#  define VBYTE_ORDER   _BYTE_ORDER
36
#  define VBIG_ENDIAN   _BIG_ENDIAN
37
#elif defined(HAVE_ENDIAN_H)
38
#  include <endian.h>
39
#  define VBYTE_ORDER   __BYTE_ORDER
40
#  define VBIG_ENDIAN   __BIG_ENDIAN
41
#endif
42
43
#include <stdint.h>
44
#include <string.h>
45
46
#include "vdef.h"
47
48
#include "vas.h"
49
#include "vend.h"
50
#include "vsha256.h"
51
52
#if defined(VBYTE_ORDER) && VBYTE_ORDER == VBIG_ENDIAN
53
54
/* Copy a vector of big-endian uint32_t into a vector of bytes */
55
#define be32enc_vect(dst, src, len)     \
56
        memcpy((void *)dst, (const void *)src, (size_t)len)
57
58
/* Copy a vector of bytes into a vector of big-endian uint32_t */
59
#define be32dec_vect(dst, src, len)     \
60
        memcpy((void *)dst, (const void *)src, (size_t)len)
61
62
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
63
64
/*
65
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
66
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
67
 */
68
static void
69 7508
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
70
{
71
        size_t i;
72
73 67552
        for (i = 0; i < len / 4; i++)
74 60045
                vbe32enc(dst + i * 4, src[i]);
75 7507
}
76
77
/*
78
 * Decode a big-endian length len vector of (unsigned char) into a length
79
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
80
 */
81
static void
82 15233
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
83
{
84
        size_t i;
85
86 258867
        for (i = 0; i < len / 4; i++)
87 243638
                dst[i] = vbe32dec(src + i * 4);
88 15229
}
89
90
#endif /* BYTE_ORDER != BIG_ENDIAN */
91
92
/* SHA256 round constants. */
93
static const uint32_t K[64] = {
94
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
95
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
96
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
97
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
98
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
99
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
100
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
101
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
102
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
103
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
104
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
105
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
106
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
107
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
108
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
109
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
110
};
111
112
/* Elementary functions used by SHA256 */
113
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
114
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
115
#define SHR(x, n)       (x >> n)
116
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
117
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
118
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
119
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
120
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
121
122
/* SHA256 round function */
123
#define RND(a, b, c, d, e, f, g, h, k)                          \
124
        do {                                                    \
125
                h += S1(e) + Ch(e, f, g) + (k);                 \
126
                d += h;                                         \
127
                h += S0(a) + Maj(a, b, c);                      \
128
        } while (0)
129
130
/* Adjusted round function for rotating state */
131
#define RNDr(S, W, i, ii)                       \
132
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
133
            S[(66 - i) % 8], S[(67 - i) % 8],   \
134
            S[(68 - i) % 8], S[(69 - i) % 8],   \
135
            S[(70 - i) % 8], S[(71 - i) % 8],   \
136
            W[i + ii] + K[i + ii])
137
138
/* Message schedule computation */
139
#define MSCH(W, ii, i)                                          \
140
        do {                                                    \
141
                W[i + ii + 16] =                                \
142
                    s1(W[i + ii + 14]) + W[i + ii + 9] +        \
143
                    s0(W[i + ii + 1]) + W[i + ii];              \
144
        } while (0)
145
146
/*
147
 * SHA256 block compression function.  The 256-bit state is transformed via
148
 * the 512-bit input block to produce a new state.
149
 */
150
static void
151 15227
VSHA256_Transform(uint32_t * state, const unsigned char block[64])
152
{
153
        uint32_t W[64];
154
        uint32_t S[8];
155
        int i;
156
157
        /* 1. Prepare the first part of the message schedule W. */
158 15227
        be32dec_vect(W, block, 64);
159
160
        /* 2. Initialize working variables. */
161 15229
        memcpy(S, state, 32);
162
163
        /* 3. Mix. */
164 60919
        for (i = 0; i < 64; i += 16) {
165 60920
                RNDr(S, W, 0, i);
166 60920
                RNDr(S, W, 1, i);
167 60920
                RNDr(S, W, 2, i);
168 60920
                RNDr(S, W, 3, i);
169 60920
                RNDr(S, W, 4, i);
170 60920
                RNDr(S, W, 5, i);
171 60920
                RNDr(S, W, 6, i);
172 60920
                RNDr(S, W, 7, i);
173 60920
                RNDr(S, W, 8, i);
174 60920
                RNDr(S, W, 9, i);
175 60920
                RNDr(S, W, 10, i);
176 60920
                RNDr(S, W, 11, i);
177 60920
                RNDr(S, W, 12, i);
178 60920
                RNDr(S, W, 13, i);
179 60920
                RNDr(S, W, 14, i);
180 60920
                RNDr(S, W, 15, i);
181
182 60920
                if (i == 48)
183 15230
                        break;
184 45690
                MSCH(W, 0, i);
185 45690
                MSCH(W, 1, i);
186 45690
                MSCH(W, 2, i);
187 45690
                MSCH(W, 3, i);
188 45690
                MSCH(W, 4, i);
189 45690
                MSCH(W, 5, i);
190 45690
                MSCH(W, 6, i);
191 45690
                MSCH(W, 7, i);
192 45690
                MSCH(W, 8, i);
193 45690
                MSCH(W, 9, i);
194 45690
                MSCH(W, 10, i);
195 45690
                MSCH(W, 11, i);
196 45690
                MSCH(W, 12, i);
197 45690
                MSCH(W, 13, i);
198 45690
                MSCH(W, 14, i);
199 45690
                MSCH(W, 15, i);
200
        }
201
202
        /* 4. Mix local working variables into global state */
203 137058
        for (i = 0; i < 8; i++)
204 121829
                state[i] += S[i];
205 15229
}
206
207
static const unsigned char PAD[64] = {
208
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
209
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
210
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
212
};
213
214
/* Add padding and terminating bit-count. */
215
static void
216 7506
VSHA256_Pad(VSHA256_CTX * ctx)
217
{
218
        size_t r;
219
220
        /* Figure out how many bytes we have buffered. */
221 7506
        r = (ctx->count >> 3) & 0x3f;
222
223
        /* Pad to 56 mod 64, transforming if we finish a block en route. */
224 7506
        if (r < 56) {
225
                /* Pad to 56 mod 64. */
226 6689
                memcpy(&ctx->buf[r], PAD, 56 - r);
227
        } else {
228
                /* Finish the current block and mix. */
229 817
                memcpy(&ctx->buf[r], PAD, 64 - r);
230 817
                VSHA256_Transform(ctx->state, ctx->buf);
231
232
                /* The start of the final block is all zeroes. */
233 817
                memset(&ctx->buf[0], 0, 56);
234
        }
235
236
        /* Add the terminating bit-count. */
237 7506
        vbe64enc(&ctx->buf[56], ctx->count);
238
239
        /* Mix in the final block. */
240 7507
        VSHA256_Transform(ctx->state, ctx->buf);
241 7507
}
242
243
/* SHA-256 initialization.  Begins a SHA-256 operation. */
244
void
245 7089
VSHA256_Init(VSHA256_CTX * ctx)
246
{
247
248
        /* Zero bits processed so far */
249 7089
        ctx->count = 0;
250
251
        /* Magic initialization constants */
252 7089
        ctx->state[0] = 0x6A09E667;
253 7089
        ctx->state[1] = 0xBB67AE85;
254 7089
        ctx->state[2] = 0x3C6EF372;
255 7089
        ctx->state[3] = 0xA54FF53A;
256 7089
        ctx->state[4] = 0x510E527F;
257 7089
        ctx->state[5] = 0x9B05688C;
258 7089
        ctx->state[6] = 0x1F83D9AB;
259 7089
        ctx->state[7] = 0x5BE0CD19;
260 7089
}
261
262
/* Add bytes into the hash */
263
void
264 341942
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
265
{
266
        uint64_t bitlen;
267
        uint32_t r;
268 341942
        const unsigned char *src = in;
269
270
        /* Number of bytes left in the buffer from previous updates */
271 341942
        r = (ctx->count >> 3) & 0x3f;
272
273
        /* Convert the length into a number of bits */
274 341942
        bitlen = len << 3;
275
276
        /* Update number of bits */
277 341942
        ctx->count += bitlen;
278
279
        /* Handle the case where we don't need to perform any transforms */
280 341942
        if (len < 64 - r) {
281 335166
                memcpy(&ctx->buf[r], src, len);
282 677108
                return;
283
        }
284
285
        /* Finish the current block */
286 6776
        memcpy(&ctx->buf[r], src, 64 - r);
287 6776
        VSHA256_Transform(ctx->state, ctx->buf);
288 6776
        src += 64 - r;
289 6776
        len -= 64 - r;
290
291
        /* Perform complete blocks */
292 13681
        while (len >= 64) {
293 129
                VSHA256_Transform(ctx->state, src);
294 129
                src += 64;
295 129
                len -= 64;
296
        }
297
298
        /* Copy left over data into buffer */
299 6776
        memcpy(ctx->buf, src, len);
300
}
301
302
/*
303
 * SHA-256 finalization.  Pads the input data, exports the hash value,
304
 * and clears the context state.
305
 */
306
void
307 7506
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
308
    VSHA256_CTX *ctx)
309
{
310
311
        /* Add padding */
312 7506
        VSHA256_Pad(ctx);
313
314
        /* Write the hash */
315 7507
        be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
316
317
        /* Clear the context state */
318 7507
        memset((void *)ctx, 0, sizeof(*ctx));
319 7507
}
320
321
/*
322
 * A few test-vectors, just in case
323
 */
324
325
static const struct sha256test {
326
        const char              *input;
327
        const unsigned char     output[32];
328
} sha256test[] = {
329
    { "",
330
        {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
331
         0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
332
         0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
333
    { "message digest",
334
        {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
335
         0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
336
         0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
337
    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
338
        {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
339
         0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
340
         0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
341
    { NULL }
342
};
343
344
345
void
346 702
VSHA256_Test(void)
347
{
348
        struct VSHA256Context c;
349
        const struct sha256test *p;
350
        unsigned char o[32];
351
352 2808
        for (p = sha256test; p->input != NULL; p++) {
353 2106
                VSHA256_Init(&c);
354 2106
                VSHA256_Update(&c, p->input, strlen(p->input));
355 2106
                VSHA256_Final(o, &c);
356 2106
                AZ(memcmp(o, p->output, 32));
357
        }
358 702
}