varnish-cache/lib/libvarnish/vsha256.c
1
/*-
2
 * Copyright 2005 Colin Percival
3
 * All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 * 2. Redistributions in binary form must reproduce the above copyright
11
 *    notice, this list of conditions and the following disclaimer in the
12
 *    documentation and/or other materials provided with the distribution.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24
 * SUCH DAMAGE.
25
 *
26
 * From:
27
 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
28
 */
29
30
#include "config.h"
31
32
#if defined(HAVE_SYS_ENDIAN_H)
33
#  include <sys/types.h>
34
#  include <sys/endian.h>
35
#  define VBYTE_ORDER   _BYTE_ORDER
36
#  define VBIG_ENDIAN   _BIG_ENDIAN
37
#elif defined(HAVE_ENDIAN_H)
38
#  include <endian.h>
39
#  define VBYTE_ORDER   __BYTE_ORDER
40
#  define VBIG_ENDIAN   __BIG_ENDIAN
41
#endif
42
43
#include <stdint.h>
44
#include <string.h>
45
46
#include "vdef.h"
47
48
#include "vas.h"
49
#include "vend.h"
50
#include "vsha256.h"
51
52
#if defined(VBYTE_ORDER) && VBYTE_ORDER == VBIG_ENDIAN
53
54
/* Copy a vector of big-endian uint32_t into a vector of bytes */
55
#define be32enc_vect(dst, src, len)     \
56
        memcpy((void *)dst, (const void *)src, (size_t)len)
57
58
/* Copy a vector of bytes into a vector of big-endian uint32_t */
59
#define be32dec_vect(dst, src, len)     \
60
        memcpy((void *)dst, (const void *)src, (size_t)len)
61
62
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
63
64
/*
65
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
66
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
67
 */
68
static void
69 8605
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
70
{
71
        size_t i;
72
73 77445
        for (i = 0; i < len / 4; i++)
74 68840
                vbe32enc(dst + i * 4, src[i]);
75 8605
}
76
77
/*
78
 * Decode a big-endian length len vector of (unsigned char) into a length
79
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
80
 */
81
static void
82 17351
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
83
{
84
        size_t i;
85
86 294941
        for (i = 0; i < len / 4; i++)
87 277591
                dst[i] = vbe32dec(src + i * 4);
88 17350
}
89
90
#endif /* BYTE_ORDER != BIG_ENDIAN */
91
92
/* SHA256 round constants. */
93
static const uint32_t K[64] = {
94
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
95
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
96
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
97
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
98
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
99
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
100
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
101
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
102
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
103
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
104
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
105
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
106
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
107
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
108
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
109
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
110
};
111
112
/* Elementary functions used by SHA256 */
113
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
114
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
115
#define SHR(x, n)       (x >> n)
116
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
117
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
118
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
119
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
120
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
121
122
/* SHA256 round function */
123
#define RND(a, b, c, d, e, f, g, h, k)                          \
124
        do {                                                    \
125
                h += S1(e) + Ch(e, f, g) + (k);                 \
126
                d += h;                                         \
127
                h += S0(a) + Maj(a, b, c);                      \
128
        } while (0)
129
130
/* Adjusted round function for rotating state */
131
#define RNDr(S, W, i, ii)                       \
132
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
133
            S[(66 - i) % 8], S[(67 - i) % 8],   \
134
            S[(68 - i) % 8], S[(69 - i) % 8],   \
135
            S[(70 - i) % 8], S[(71 - i) % 8],   \
136
            W[i + ii] + K[i + ii])
137
138
/* Message schedule computation */
139
#define MSCH(W, ii, i)                                          \
140
        do {                                                    \
141
                W[i + ii + 16] =                                \
142
                    s1(W[i + ii + 14]) + W[i + ii + 9] +        \
143
                    s0(W[i + ii + 1]) + W[i + ii];              \
144
        } while (0)
145
146
/*
147
 * SHA256 block compression function.  The 256-bit state is transformed via
148
 * the 512-bit input block to produce a new state.
149
 */
150
static void
151 17350
VSHA256_Transform(uint32_t * state, const unsigned char block[64])
152
{
153
        uint32_t W[64];
154
        uint32_t S[8];
155
        int i;
156
157
        /* 1. Prepare the first part of the message schedule W. */
158 17350
        be32dec_vect(W, block, 64);
159
160
        /* 2. Initialize working variables. */
161 17350
        memcpy(S, state, 32);
162
163
        /* 3. Mix. */
164 69398
        for (i = 0; i < 64; i += 16) {
165 69398
                RNDr(S, W, 0, i);
166 69398
                RNDr(S, W, 1, i);
167 69398
                RNDr(S, W, 2, i);
168 69398
                RNDr(S, W, 3, i);
169 69398
                RNDr(S, W, 4, i);
170 69398
                RNDr(S, W, 5, i);
171 69398
                RNDr(S, W, 6, i);
172 69398
                RNDr(S, W, 7, i);
173 69398
                RNDr(S, W, 8, i);
174 69398
                RNDr(S, W, 9, i);
175 69398
                RNDr(S, W, 10, i);
176 69398
                RNDr(S, W, 11, i);
177 69398
                RNDr(S, W, 12, i);
178 69398
                RNDr(S, W, 13, i);
179 69398
                RNDr(S, W, 14, i);
180 69398
                RNDr(S, W, 15, i);
181
182 69398
                if (i == 48)
183 17350
                        break;
184 52048
                MSCH(W, 0, i);
185 52048
                MSCH(W, 1, i);
186 52048
                MSCH(W, 2, i);
187 52048
                MSCH(W, 3, i);
188 52048
                MSCH(W, 4, i);
189 52048
                MSCH(W, 5, i);
190 52048
                MSCH(W, 6, i);
191 52048
                MSCH(W, 7, i);
192 52048
                MSCH(W, 8, i);
193 52048
                MSCH(W, 9, i);
194 52048
                MSCH(W, 10, i);
195 52048
                MSCH(W, 11, i);
196 52048
                MSCH(W, 12, i);
197 52048
                MSCH(W, 13, i);
198 52048
                MSCH(W, 14, i);
199 52048
                MSCH(W, 15, i);
200
        }
201
202
        /* 4. Mix local working variables into global state */
203 156150
        for (i = 0; i < 8; i++)
204 138800
                state[i] += S[i];
205 17350
}
206
207
static const unsigned char PAD[64] = {
208
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
209
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
210
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
212
};
213
214
/* Add padding and terminating bit-count. */
215
static void
216 8605
VSHA256_Pad(VSHA256_CTX * ctx)
217
{
218
        size_t r;
219
220
        /* Figure out how many bytes we have buffered. */
221 8605
        r = (ctx->count >> 3) & 0x3f;
222
223
        /* Pad to 56 mod 64, transforming if we finish a block en route. */
224 8605
        if (r < 56) {
225
                /* Pad to 56 mod 64. */
226 7769
                memcpy(&ctx->buf[r], PAD, 56 - r);
227
        } else {
228
                /* Finish the current block and mix. */
229 836
                memcpy(&ctx->buf[r], PAD, 64 - r);
230 836
                VSHA256_Transform(ctx->state, ctx->buf);
231
232
                /* The start of the final block is all zeroes. */
233 836
                memset(&ctx->buf[0], 0, 56);
234
        }
235
236
        /* Add the terminating bit-count. */
237 8605
        vbe64enc(&ctx->buf[56], ctx->count);
238
239
        /* Mix in the final block. */
240 8605
        VSHA256_Transform(ctx->state, ctx->buf);
241 8605
}
242
243
/* SHA-256 initialization.  Begins a SHA-256 operation. */
244
void
245 8188
VSHA256_Init(VSHA256_CTX * ctx)
246
{
247
248
        /* Zero bits processed so far */
249 8188
        ctx->count = 0;
250
251
        /* Magic initialization constants */
252 8188
        ctx->state[0] = 0x6A09E667;
253 8188
        ctx->state[1] = 0xBB67AE85;
254 8188
        ctx->state[2] = 0x3C6EF372;
255 8188
        ctx->state[3] = 0xA54FF53A;
256 8188
        ctx->state[4] = 0x510E527F;
257 8188
        ctx->state[5] = 0x9B05688C;
258 8188
        ctx->state[6] = 0x1F83D9AB;
259 8188
        ctx->state[7] = 0x5BE0CD19;
260 8188
}
261
262
/* Add bytes into the hash */
263
void
264 392044
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
265
{
266
        uint64_t bitlen;
267
        uint32_t r;
268 392044
        const unsigned char *src = in;
269
270
        /* Number of bytes left in the buffer from previous updates */
271 392044
        r = (ctx->count >> 3) & 0x3f;
272
273
        /* Convert the length into a number of bits */
274 392044
        bitlen = len << 3;
275
276
        /* Update number of bits */
277 392044
        ctx->count += bitlen;
278
279
        /* Handle the case where we don't need to perform any transforms */
280 392044
        if (len < 64 - r) {
281 384275
                memcpy(&ctx->buf[r], src, len);
282 384275
                return;
283
        }
284
285
        /* Finish the current block */
286 7769
        memcpy(&ctx->buf[r], src, 64 - r);
287 7769
        VSHA256_Transform(ctx->state, ctx->buf);
288 7769
        src += 64 - r;
289 7769
        len -= 64 - r;
290
291
        /* Perform complete blocks */
292 15678
        while (len >= 64) {
293 140
                VSHA256_Transform(ctx->state, src);
294 140
                src += 64;
295 140
                len -= 64;
296
        }
297
298
        /* Copy left over data into buffer */
299 7769
        memcpy(ctx->buf, src, len);
300
}
301
302
/*
303
 * SHA-256 finalization.  Pads the input data, exports the hash value,
304
 * and clears the context state.
305
 */
306
void
307 8605
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
308
    VSHA256_CTX *ctx)
309
{
310
311
        /* Add padding */
312 8605
        VSHA256_Pad(ctx);
313
314
        /* Write the hash */
315 8605
        be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
316
317
        /* Clear the context state */
318 8605
        memset((void *)ctx, 0, sizeof(*ctx));
319 8605
}
320
321
/*
322
 * A few test-vectors, just in case
323
 */
324
325
static const struct sha256test {
326
        const char              *input;
327
        const unsigned char     output[32];
328
} sha256test[] = {
329
    { "",
330
        {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
331
         0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
332
         0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
333
    { "message digest",
334
        {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
335
         0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
336
         0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
337
    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
338
        {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
339
         0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
340
         0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
341
    { NULL }
342
};
343
344
345
void
346 812
VSHA256_Test(void)
347
{
348
        struct VSHA256Context c;
349
        const struct sha256test *p;
350
        unsigned char o[32];
351
352 3248
        for (p = sha256test; p->input != NULL; p++) {
353 2436
                VSHA256_Init(&c);
354 2436
                VSHA256_Update(&c, p->input, strlen(p->input));
355 2436
                VSHA256_Final(o, &c);
356 2436
                AZ(memcmp(o, p->output, 32));
357
        }
358 812
}