varnish-cache/lib/libvarnish/vsha256.c
1
/*-
2
 * Copyright 2005 Colin Percival
3
 * All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 * 2. Redistributions in binary form must reproduce the above copyright
11
 *    notice, this list of conditions and the following disclaimer in the
12
 *    documentation and/or other materials provided with the distribution.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24
 * SUCH DAMAGE.
25
 *
26
 * From:
27
 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
28
 */
29
30
#include "config.h"
31
32
#if defined(HAVE_SYS_ENDIAN_H)
33
#  include <sys/types.h>
34
#  include <sys/endian.h>
35
#  define VBYTE_ORDER   _BYTE_ORDER
36
#  define VBIG_ENDIAN   _BIG_ENDIAN
37
#elif defined(HAVE_ENDIAN_H)
38
#  include <endian.h>
39
#  define VBYTE_ORDER   __BYTE_ORDER
40
#  define VBIG_ENDIAN   __BIG_ENDIAN
41
#endif
42
43
#include <stdint.h>
44
#include <string.h>
45
46
#include "vdef.h"
47
48
#include "vas.h"
49
#include "vend.h"
50
#include "vsha256.h"
51
52
#if defined(VBYTE_ORDER) && VBYTE_ORDER == VBIG_ENDIAN
53
54
/* Copy a vector of big-endian uint32_t into a vector of bytes */
55
#define be32enc_vect(dst, src, len)     \
56
        memcpy((void *)dst, (const void *)src, (size_t)len)
57
58
/* Copy a vector of bytes into a vector of big-endian uint32_t */
59
#define be32dec_vect(dst, src, len)     \
60
        memcpy((void *)dst, (const void *)src, (size_t)len)
61
62
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
63
64
/*
65
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
66
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
67
 */
68
static void
69 17161
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
70
{
71
        size_t i;
72
73 154413
        for (i = 0; i < len / 4; i++)
74 137255
                vbe32enc(dst + i * 4, src[i]);
75 17158
}
76
77
/*
78
 * Decode a big-endian length len vector of (unsigned char) into a length
79
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
80
 */
81
static void
82 34709
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
83
{
84
        size_t i;
85
86 590054
        for (i = 0; i < len / 4; i++)
87 555343
                dst[i] = vbe32dec(src + i * 4);
88 34711
}
89
90
#endif /* BYTE_ORDER != BIG_ENDIAN */
91
92
/* SHA256 round constants. */
93
static const uint32_t K[64] = {
94
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
95
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
96
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
97
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
98
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
99
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
100
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
101
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
102
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
103
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
104
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
105
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
106
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
107
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
108
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
109
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
110
};
111
112
/* Elementary functions used by SHA256 */
113
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
114
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
115
#define SHR(x, n)       (x >> n)
116
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
117
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
118
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
119
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
120
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
121
122
/* SHA256 round function */
123
#define RND(a, b, c, d, e, f, g, h, k)                          \
124
        do {                                                    \
125
                h += S1(e) + Ch(e, f, g) + (k);                 \
126
                d += h;                                         \
127
                h += S0(a) + Maj(a, b, c);                      \
128
        } while (0)
129
130
/* Adjusted round function for rotating state */
131
#define RNDr(S, W, i, ii)                       \
132
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
133
            S[(66 - i) % 8], S[(67 - i) % 8],   \
134
            S[(68 - i) % 8], S[(69 - i) % 8],   \
135
            S[(70 - i) % 8], S[(71 - i) % 8],   \
136
            W[i + ii] + K[i + ii])
137
138
/* Message schedule computation */
139
#define MSCH(W, ii, i)                                          \
140
        do {                                                    \
141
                W[i + ii + 16] =                                \
142
                    s1(W[i + ii + 14]) + W[i + ii + 9] +        \
143
                    s0(W[i + ii + 1]) + W[i + ii];              \
144
        } while (0)
145
146
/*
147
 * SHA256 block compression function.  The 256-bit state is transformed via
148
 * the 512-bit input block to produce a new state.
149
 */
150
static void
151 34712
VSHA256_Transform(uint32_t * state, const unsigned char block[64])
152
{
153
        uint32_t W[64];
154
        uint32_t S[8];
155
        int i;
156
157
        /* 1. Prepare the first part of the message schedule W. */
158 34712
        be32dec_vect(W, block, 64);
159
160
        /* 2. Initialize working variables. */
161 34712
        memcpy(S, state, 32);
162
163
        /* 3. Mix. */
164 138842
        for (i = 0; i < 64; i += 16) {
165 138840
                RNDr(S, W, 0, i);
166 138840
                RNDr(S, W, 1, i);
167 138840
                RNDr(S, W, 2, i);
168 138840
                RNDr(S, W, 3, i);
169 138840
                RNDr(S, W, 4, i);
170 138840
                RNDr(S, W, 5, i);
171 138840
                RNDr(S, W, 6, i);
172 138840
                RNDr(S, W, 7, i);
173 138840
                RNDr(S, W, 8, i);
174 138840
                RNDr(S, W, 9, i);
175 138840
                RNDr(S, W, 10, i);
176 138840
                RNDr(S, W, 11, i);
177 138840
                RNDr(S, W, 12, i);
178 138840
                RNDr(S, W, 13, i);
179 138840
                RNDr(S, W, 14, i);
180 138840
                RNDr(S, W, 15, i);
181
182 138840
                if (i == 48)
183 34710
                        break;
184 104130
                MSCH(W, 0, i);
185 104130
                MSCH(W, 1, i);
186 104130
                MSCH(W, 2, i);
187 104130
                MSCH(W, 3, i);
188 104130
                MSCH(W, 4, i);
189 104130
                MSCH(W, 5, i);
190 104130
                MSCH(W, 6, i);
191 104130
                MSCH(W, 7, i);
192 104130
                MSCH(W, 8, i);
193 104130
                MSCH(W, 9, i);
194 104130
                MSCH(W, 10, i);
195 104130
                MSCH(W, 11, i);
196 104130
                MSCH(W, 12, i);
197 104130
                MSCH(W, 13, i);
198 104130
                MSCH(W, 14, i);
199 104130
                MSCH(W, 15, i);
200
        }
201
202
        /* 4. Mix local working variables into global state */
203 312399
        for (i = 0; i < 8; i++)
204 277687
                state[i] += S[i];
205 34712
}
206
207
static const unsigned char PAD[64] = {
208
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
209
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
210
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
212
};
213
214
/* Add padding and terminating bit-count. */
215
static void
216 17156
VSHA256_Pad(VSHA256_CTX * ctx)
217
{
218
        size_t r;
219
220
        /* Figure out how many bytes we have buffered. */
221 17156
        r = (ctx->count >> 3) & 0x3f;
222
223
        /* Pad to 56 mod 64, transforming if we finish a block en route. */
224 17156
        if (r < 56) {
225
                /* Pad to 56 mod 64. */
226 15530
                memcpy(&ctx->buf[r], PAD, 56 - r);
227
        } else {
228
                /* Finish the current block and mix. */
229 1626
                memcpy(&ctx->buf[r], PAD, 64 - r);
230 1626
                VSHA256_Transform(ctx->state, ctx->buf);
231
232
                /* The start of the final block is all zeroes. */
233 1626
                memset(&ctx->buf[0], 0, 56);
234
        }
235
236
        /* Add the terminating bit-count. */
237 17156
        vbe64enc(&ctx->buf[56], ctx->count);
238
239
        /* Mix in the final block. */
240 17158
        VSHA256_Transform(ctx->state, ctx->buf);
241 17158
}
242
243
/* SHA-256 initialization.  Begins a SHA-256 operation. */
244
void
245 16323
VSHA256_Init(VSHA256_CTX * ctx)
246
{
247
248
        /* Zero bits processed so far */
249 16323
        ctx->count = 0;
250
251
        /* Magic initialization constants */
252 16323
        ctx->state[0] = 0x6A09E667;
253 16323
        ctx->state[1] = 0xBB67AE85;
254 16323
        ctx->state[2] = 0x3C6EF372;
255 16323
        ctx->state[3] = 0xA54FF53A;
256 16323
        ctx->state[4] = 0x510E527F;
257 16323
        ctx->state[5] = 0x9B05688C;
258 16323
        ctx->state[6] = 0x1F83D9AB;
259 16323
        ctx->state[7] = 0x5BE0CD19;
260 16323
}
261
262
/* Add bytes into the hash */
263
void
264 789925
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
265
{
266
        uint64_t bitlen;
267
        uint32_t r;
268 789925
        const unsigned char *src = in;
269
270
        /* Number of bytes left in the buffer from previous updates */
271 789925
        r = (ctx->count >> 3) & 0x3f;
272
273
        /* Convert the length into a number of bits */
274 789925
        bitlen = len << 3;
275
276
        /* Update number of bits */
277 789925
        ctx->count += bitlen;
278
279
        /* Handle the case where we don't need to perform any transforms */
280 789925
        if (len < 64 - r) {
281 774277
                memcpy(&ctx->buf[r], src, len);
282 774277
                return;
283
        }
284
285
        /* Finish the current block */
286 15648
        memcpy(&ctx->buf[r], src, 64 - r);
287 15648
        VSHA256_Transform(ctx->state, ctx->buf);
288 15648
        src += 64 - r;
289 15648
        len -= 64 - r;
290
291
        /* Perform complete blocks */
292 31576
        while (len >= 64) {
293 280
                VSHA256_Transform(ctx->state, src);
294 280
                src += 64;
295 280
                len -= 64;
296
        }
297
298
        /* Copy left over data into buffer */
299 15648
        memcpy(ctx->buf, src, len);
300
}
301
302
/*
303
 * SHA-256 finalization.  Pads the input data, exports the hash value,
304
 * and clears the context state.
305
 */
306
void
307 17156
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
308
    VSHA256_CTX *ctx)
309
{
310
311
        /* Add padding */
312 17156
        VSHA256_Pad(ctx);
313
314
        /* Write the hash */
315 17158
        be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
316
317
        /* Clear the context state */
318 17158
        memset((void *)ctx, 0, sizeof(*ctx));
319 17158
}
320
321
/*
322
 * A few test-vectors, just in case
323
 */
324
325
static const struct sha256test {
326
        const char              *input;
327
        const unsigned char     output[32];
328
} sha256test[] = {
329
    { "",
330
        {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
331
         0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
332
         0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
333
    { "message digest",
334
        {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
335
         0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
336
         0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
337
    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
338
        {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
339
         0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
340
         0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
341
    { NULL }
342
};
343
344
345
void
346 1578
VSHA256_Test(void)
347
{
348
        struct VSHA256Context c;
349
        const struct sha256test *p;
350
        unsigned char o[32];
351
352 6312
        for (p = sha256test; p->input != NULL; p++) {
353 4734
                VSHA256_Init(&c);
354 4734
                VSHA256_Update(&c, p->input, strlen(p->input));
355 4734
                VSHA256_Final(o, &c);
356 4734
                AZ(memcmp(o, p->output, 32));
357
        }
358 1578
}