| | varnish-cache/lib/libvarnish/vsha256.c |
|---|
| 0 |
|
/*- |
| 1 |
|
* Copyright 2005 Colin Percival |
| 2 |
|
* All rights reserved. |
| 3 |
|
* |
| 4 |
|
* SPDX-License-Identifier: BSD-2-Clause |
| 5 |
|
* |
| 6 |
|
* Redistribution and use in source and binary forms, with or without |
| 7 |
|
* modification, are permitted provided that the following conditions |
| 8 |
|
* are met: |
| 9 |
|
* 1. Redistributions of source code must retain the above copyright |
| 10 |
|
* notice, this list of conditions and the following disclaimer. |
| 11 |
|
* 2. Redistributions in binary form must reproduce the above copyright |
| 12 |
|
* notice, this list of conditions and the following disclaimer in the |
| 13 |
|
* documentation and/or other materials provided with the distribution. |
| 14 |
|
* |
| 15 |
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
| 16 |
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 17 |
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 18 |
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 19 |
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 20 |
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 21 |
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 22 |
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 23 |
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 24 |
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 25 |
|
* SUCH DAMAGE. |
| 26 |
|
* |
| 27 |
|
* From: |
| 28 |
|
* $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $ |
| 29 |
|
*/ |
| 30 |
|
|
| 31 |
|
#include "config.h" |
| 32 |
|
|
| 33 |
|
#ifndef __DARWIN_BYTE_ORDER |
| 34 |
|
# include <endian.h> |
| 35 |
|
# ifdef _BYTE_ORDER |
| 36 |
|
# define VBYTE_ORDER _BYTE_ORDER |
| 37 |
|
# else |
| 38 |
|
# define VBYTE_ORDER __BYTE_ORDER |
| 39 |
|
# endif |
| 40 |
|
# ifdef _BIG_ENDIAN |
| 41 |
|
# define VBIG_ENDIAN _BIG_ENDIAN |
| 42 |
|
# else |
| 43 |
|
# define VBIG_ENDIAN __BIG_ENDIAN |
| 44 |
|
# endif |
| 45 |
|
#else |
| 46 |
|
# define VBYTE_ORDER __DARWIN_BYTE_ORDER |
| 47 |
|
# define VBIG_ENDIAN __DARWIN_BIG_ENDIAN |
| 48 |
|
#endif |
| 49 |
|
|
| 50 |
|
#ifndef VBYTE_ORDER |
| 51 |
|
# error VBYTE_ORDER not defined |
| 52 |
|
#endif |
| 53 |
|
#ifndef VBIG_ENDIAN |
| 54 |
|
# error VBIG_ENDIAN not defined |
| 55 |
|
#endif |
| 56 |
|
|
| 57 |
|
|
| 58 |
|
#include <sys/types.h> |
| 59 |
|
#include <stdint.h> |
| 60 |
|
#include <string.h> |
| 61 |
|
|
| 62 |
|
#include "vdef.h" |
| 63 |
|
|
| 64 |
|
#include "vas.h" |
| 65 |
|
#include "vend.h" |
| 66 |
|
#include "vsha256.h" |
| 67 |
|
|
| 68 |
|
#if VBYTE_ORDER == VBIG_ENDIAN |
| 69 |
|
|
| 70 |
|
/* Copy a vector of big-endian uint32_t into a vector of bytes */ |
| 71 |
|
#define be32enc_vect(dst, src, len) \ |
| 72 |
|
memcpy((void *)dst, (const void *)src, (size_t)len) |
| 73 |
|
|
| 74 |
|
/* Copy a vector of bytes into a vector of big-endian uint32_t */ |
| 75 |
|
#define be32dec_vect(dst, src, len) \ |
| 76 |
|
memcpy((void *)dst, (const void *)src, (size_t)len) |
| 77 |
|
|
| 78 |
|
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */ |
| 79 |
|
|
| 80 |
|
/* |
| 81 |
|
* Encode a length len/4 vector of (uint32_t) into a length len vector of |
| 82 |
|
* (unsigned char) in big-endian form. Assumes len is a multiple of 4. |
| 83 |
|
*/ |
| 84 |
|
static void |
| 85 |
305813 |
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) |
| 86 |
|
{ |
| 87 |
|
size_t i; |
| 88 |
|
|
| 89 |
2752114 |
for (i = 0; i < len / 4; i++) |
| 90 |
2446301 |
vbe32enc(dst + i * 4, src[i]); |
| 91 |
305813 |
} |
| 92 |
|
|
| 93 |
|
/* |
| 94 |
|
* Decode a big-endian length len vector of (unsigned char) into a length |
| 95 |
|
* len/4 vector of (uint32_t). Assumes len is a multiple of 4. |
| 96 |
|
*/ |
| 97 |
|
static void |
| 98 |
583014 |
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) |
| 99 |
|
{ |
| 100 |
|
size_t i; |
| 101 |
|
|
| 102 |
9910867 |
for (i = 0; i < len / 4; i++) |
| 103 |
9327853 |
dst[i] = vbe32dec(src + i * 4); |
| 104 |
583014 |
} |
| 105 |
|
|
| 106 |
|
#endif /* BYTE_ORDER != BIG_ENDIAN */ |
| 107 |
|
|
| 108 |
|
/* SHA256 round constants. */ |
| 109 |
|
static const uint32_t K[64] = { |
| 110 |
|
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, |
| 111 |
|
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, |
| 112 |
|
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, |
| 113 |
|
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, |
| 114 |
|
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, |
| 115 |
|
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, |
| 116 |
|
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, |
| 117 |
|
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, |
| 118 |
|
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, |
| 119 |
|
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, |
| 120 |
|
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, |
| 121 |
|
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, |
| 122 |
|
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, |
| 123 |
|
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, |
| 124 |
|
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, |
| 125 |
|
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 |
| 126 |
|
}; |
| 127 |
|
|
| 128 |
|
/* Elementary functions used by SHA256 */ |
| 129 |
|
#define Ch(x, y, z) ((x & (y ^ z)) ^ z) |
| 130 |
|
#define Maj(x, y, z) ((x & (y | z)) | (y & z)) |
| 131 |
|
#define SHR(x, n) (x >> n) |
| 132 |
|
#define ROTR(x, n) ((x >> n) | (x << (32 - n))) |
| 133 |
|
#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) |
| 134 |
|
#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) |
| 135 |
|
#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) |
| 136 |
|
#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) |
| 137 |
|
|
| 138 |
|
/* SHA256 round function */ |
| 139 |
|
#define RND(a, b, c, d, e, f, g, h, k) \ |
| 140 |
|
do { \ |
| 141 |
|
h += S1(e) + Ch(e, f, g) + (k); \ |
| 142 |
|
d += h; \ |
| 143 |
|
h += S0(a) + Maj(a, b, c); \ |
| 144 |
|
} while (0) |
| 145 |
|
|
| 146 |
|
/* Adjusted round function for rotating state */ |
| 147 |
|
#define RNDr(S, W, i, ii) \ |
| 148 |
|
RND(S[(64 - i) % 8], S[(65 - i) % 8], \ |
| 149 |
|
S[(66 - i) % 8], S[(67 - i) % 8], \ |
| 150 |
|
S[(68 - i) % 8], S[(69 - i) % 8], \ |
| 151 |
|
S[(70 - i) % 8], S[(71 - i) % 8], \ |
| 152 |
|
W[i + ii] + K[i + ii]) |
| 153 |
|
|
| 154 |
|
/* Message schedule computation */ |
| 155 |
|
#define MSCH(W, ii, i) \ |
| 156 |
|
do { \ |
| 157 |
|
W[i + ii + 16] = \ |
| 158 |
|
s1(W[i + ii + 14]) + W[i + ii + 9] + \ |
| 159 |
|
s0(W[i + ii + 1]) + W[i + ii]; \ |
| 160 |
|
} while (0) |
| 161 |
|
|
| 162 |
|
/* |
| 163 |
|
* SHA256 block compression function. The 256-bit state is transformed via |
| 164 |
|
* the 512-bit input block to produce a new state. |
| 165 |
|
*/ |
| 166 |
|
static void |
| 167 |
583032 |
VSHA256_Transform(uint32_t * state, const unsigned char block[64]) |
| 168 |
|
{ |
| 169 |
|
uint32_t W[64]; |
| 170 |
|
uint32_t S[8]; |
| 171 |
|
int i; |
| 172 |
|
|
| 173 |
|
/* 1. Prepare the first part of the message schedule W. */ |
| 174 |
583032 |
be32dec_vect(W, block, 64); |
| 175 |
|
|
| 176 |
|
/* 2. Initialize working variables. */ |
| 177 |
583032 |
memcpy(S, state, 32); |
| 178 |
|
|
| 179 |
|
/* 3. Mix. */ |
| 180 |
2332089 |
for (i = 0; i < 64; i += 16) { |
| 181 |
2332089 |
RNDr(S, W, 0, i); |
| 182 |
2332089 |
RNDr(S, W, 1, i); |
| 183 |
2332089 |
RNDr(S, W, 2, i); |
| 184 |
2332089 |
RNDr(S, W, 3, i); |
| 185 |
2332089 |
RNDr(S, W, 4, i); |
| 186 |
2332089 |
RNDr(S, W, 5, i); |
| 187 |
2332089 |
RNDr(S, W, 6, i); |
| 188 |
2332089 |
RNDr(S, W, 7, i); |
| 189 |
2332089 |
RNDr(S, W, 8, i); |
| 190 |
2332089 |
RNDr(S, W, 9, i); |
| 191 |
2332089 |
RNDr(S, W, 10, i); |
| 192 |
2332089 |
RNDr(S, W, 11, i); |
| 193 |
2332089 |
RNDr(S, W, 12, i); |
| 194 |
2332089 |
RNDr(S, W, 13, i); |
| 195 |
2332089 |
RNDr(S, W, 14, i); |
| 196 |
2332089 |
RNDr(S, W, 15, i); |
| 197 |
|
|
| 198 |
2332089 |
if (i == 48) |
| 199 |
583032 |
break; |
| 200 |
1749057 |
MSCH(W, 0, i); |
| 201 |
1749057 |
MSCH(W, 1, i); |
| 202 |
1749057 |
MSCH(W, 2, i); |
| 203 |
1749057 |
MSCH(W, 3, i); |
| 204 |
1749057 |
MSCH(W, 4, i); |
| 205 |
1749057 |
MSCH(W, 5, i); |
| 206 |
1749057 |
MSCH(W, 6, i); |
| 207 |
1749057 |
MSCH(W, 7, i); |
| 208 |
1749057 |
MSCH(W, 8, i); |
| 209 |
1749057 |
MSCH(W, 9, i); |
| 210 |
1749057 |
MSCH(W, 10, i); |
| 211 |
1749057 |
MSCH(W, 11, i); |
| 212 |
1749057 |
MSCH(W, 12, i); |
| 213 |
1749057 |
MSCH(W, 13, i); |
| 214 |
1749057 |
MSCH(W, 14, i); |
| 215 |
1749057 |
MSCH(W, 15, i); |
| 216 |
1749057 |
} |
| 217 |
|
|
| 218 |
|
/* 4. Mix local working variables into global state */ |
| 219 |
5247131 |
for (i = 0; i < 8; i++) |
| 220 |
4664099 |
state[i] += S[i]; |
| 221 |
583032 |
} |
| 222 |
|
|
| 223 |
|
static const unsigned char PAD[64] = { |
| 224 |
|
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
| 225 |
|
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
| 226 |
|
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
| 227 |
|
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 |
| 228 |
|
}; |
| 229 |
|
|
| 230 |
|
/* Add padding and terminating bit-count. */ |
| 231 |
|
static void |
| 232 |
305806 |
VSHA256_Pad(VSHA256_CTX * ctx) |
| 233 |
|
{ |
| 234 |
|
size_t r; |
| 235 |
|
|
| 236 |
|
/* Figure out how many bytes we have buffered. */ |
| 237 |
305806 |
r = (ctx->count >> 3) & 0x3f; |
| 238 |
|
|
| 239 |
|
/* Pad to 56 mod 64, transforming if we finish a block en route. */ |
| 240 |
305806 |
if (r < 56) { |
| 241 |
|
/* Pad to 56 mod 64. */ |
| 242 |
280437 |
memcpy(&ctx->buf[r], PAD, 56 - r); |
| 243 |
280437 |
} else { |
| 244 |
|
/* Finish the current block and mix. */ |
| 245 |
25369 |
memcpy(&ctx->buf[r], PAD, 64 - r); |
| 246 |
25369 |
VSHA256_Transform(ctx->state, ctx->buf); |
| 247 |
|
|
| 248 |
|
/* The start of the final block is all zeroes. */ |
| 249 |
25369 |
memset(&ctx->buf[0], 0, 56); |
| 250 |
|
} |
| 251 |
|
|
| 252 |
|
/* Add the terminating bit-count. */ |
| 253 |
305806 |
vbe64enc(&ctx->buf[56], ctx->count); |
| 254 |
|
|
| 255 |
|
/* Mix in the final block. */ |
| 256 |
305806 |
VSHA256_Transform(ctx->state, ctx->buf); |
| 257 |
305806 |
} |
| 258 |
|
|
| 259 |
|
/* SHA-256 initialization. Begins a SHA-256 operation. */ |
| 260 |
|
void |
| 261 |
296224 |
VSHA256_Init(VSHA256_CTX * ctx) |
| 262 |
|
{ |
| 263 |
|
|
| 264 |
|
/* Zero bits processed so far */ |
| 265 |
296224 |
ctx->count = 0; |
| 266 |
|
|
| 267 |
|
/* Magic initialization constants */ |
| 268 |
296224 |
ctx->state[0] = 0x6A09E667; |
| 269 |
296224 |
ctx->state[1] = 0xBB67AE85; |
| 270 |
296224 |
ctx->state[2] = 0x3C6EF372; |
| 271 |
296224 |
ctx->state[3] = 0xA54FF53A; |
| 272 |
296224 |
ctx->state[4] = 0x510E527F; |
| 273 |
296224 |
ctx->state[5] = 0x9B05688C; |
| 274 |
296224 |
ctx->state[6] = 0x1F83D9AB; |
| 275 |
296224 |
ctx->state[7] = 0x5BE0CD19; |
| 276 |
296224 |
} |
| 277 |
|
|
| 278 |
|
/* Add bytes into the hash */ |
| 279 |
|
void |
| 280 |
12444745 |
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len) |
| 281 |
|
{ |
| 282 |
|
uint64_t bitlen; |
| 283 |
|
uint32_t r; |
| 284 |
12444745 |
const unsigned char *src = in; |
| 285 |
|
|
| 286 |
|
/* Number of bytes left in the buffer from previous updates */ |
| 287 |
12444745 |
r = (ctx->count >> 3) & 0x3f; |
| 288 |
|
|
| 289 |
|
/* Convert the length into a number of bits */ |
| 290 |
12444745 |
bitlen = len << 3; |
| 291 |
|
|
| 292 |
|
/* Update number of bits */ |
| 293 |
12444745 |
ctx->count += bitlen; |
| 294 |
|
|
| 295 |
|
/* Handle the case where we don't need to perform any transforms */ |
| 296 |
12444745 |
if (len < 64 - r) { |
| 297 |
12202632 |
memcpy(&ctx->buf[r], src, len); |
| 298 |
12202632 |
return; |
| 299 |
|
} |
| 300 |
|
|
| 301 |
|
/* Finish the current block */ |
| 302 |
242113 |
memcpy(&ctx->buf[r], src, 64 - r); |
| 303 |
242113 |
VSHA256_Transform(ctx->state, ctx->buf); |
| 304 |
242113 |
src += 64 - r; |
| 305 |
242113 |
len -= 64 - r; |
| 306 |
|
|
| 307 |
|
/* Perform complete blocks */ |
| 308 |
251842 |
while (len >= 64) { |
| 309 |
9729 |
VSHA256_Transform(ctx->state, src); |
| 310 |
9729 |
src += 64; |
| 311 |
9729 |
len -= 64; |
| 312 |
|
} |
| 313 |
|
|
| 314 |
|
/* Copy left over data into buffer */ |
| 315 |
242113 |
memcpy(ctx->buf, src, len); |
| 316 |
12444745 |
} |
| 317 |
|
|
| 318 |
|
/* |
| 319 |
|
* SHA-256 finalization. Pads the input data, exports the hash value, |
| 320 |
|
* and clears the context state. |
| 321 |
|
*/ |
| 322 |
|
void |
| 323 |
305804 |
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH], |
| 324 |
|
VSHA256_CTX *ctx) |
| 325 |
|
{ |
| 326 |
|
|
| 327 |
|
/* Add padding */ |
| 328 |
305804 |
VSHA256_Pad(ctx); |
| 329 |
|
|
| 330 |
|
/* Write the hash */ |
| 331 |
305804 |
be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH); |
| 332 |
|
|
| 333 |
|
/* Clear the context state */ |
| 334 |
305804 |
memset((void *)ctx, 0, sizeof(*ctx)); |
| 335 |
305804 |
} |
| 336 |
|
|
| 337 |
|
/* |
| 338 |
|
* A few test-vectors, just in case |
| 339 |
|
*/ |
| 340 |
|
|
| 341 |
|
static const struct sha256test { |
| 342 |
|
const char *input; |
| 343 |
|
const unsigned char output[32]; |
| 344 |
|
} sha256test[] = { |
| 345 |
|
{ "", |
| 346 |
|
{0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, |
| 347 |
|
0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, |
| 348 |
|
0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} }, |
| 349 |
|
{ "message digest", |
| 350 |
|
{0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, |
| 351 |
|
0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, |
| 352 |
|
0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} }, |
| 353 |
|
{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", |
| 354 |
|
{0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c, |
| 355 |
|
0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1, |
| 356 |
|
0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} }, |
| 357 |
|
{ NULL } |
| 358 |
|
}; |
| 359 |
|
|
| 360 |
|
|
| 361 |
|
void |
| 362 |
23828 |
VSHA256_Test(void) |
| 363 |
|
{ |
| 364 |
|
struct VSHA256Context c; |
| 365 |
|
const struct sha256test *p; |
| 366 |
|
unsigned char o[32]; |
| 367 |
|
|
| 368 |
95312 |
for (p = sha256test; p->input != NULL; p++) { |
| 369 |
71484 |
VSHA256_Init(&c); |
| 370 |
71484 |
VSHA256_Update(&c, p->input, strlen(p->input)); |
| 371 |
71484 |
VSHA256_Final(o, &c); |
| 372 |
71484 |
AZ(memcmp(o, p->output, 32)); |
| 373 |
71484 |
} |
| 374 |
23828 |
} |