varnish-cache/lib/libvarnish/vsha256.c
1
/*-
2
 * Copyright 2005 Colin Percival
3
 * All rights reserved.
4
 *
5
 * SPDX-License-Identifier: BSD-2-Clause
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26
 * SUCH DAMAGE.
27
 *
28
 * From:
29
 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
30
 */
31
32
#include "config.h"
33
34
#if defined(HAVE_SYS_ENDIAN_H)
35
#  include <sys/types.h>
36
#  include <sys/endian.h>
37
#  define VBYTE_ORDER   _BYTE_ORDER
38
#  define VBIG_ENDIAN   _BIG_ENDIAN
39
#elif defined(HAVE_ENDIAN_H)
40
#  include <endian.h>
41
#  define VBYTE_ORDER   __BYTE_ORDER
42
#  define VBIG_ENDIAN   __BIG_ENDIAN
43
#endif
44
45
#include <stdint.h>
46
#include <string.h>
47
48
#include "vdef.h"
49
50
#include "vas.h"
51
#include "vend.h"
52
#include "vsha256.h"
53
54
#if defined(VBYTE_ORDER) && VBYTE_ORDER == VBIG_ENDIAN
55
56
/* Copy a vector of big-endian uint32_t into a vector of bytes */
57
#define be32enc_vect(dst, src, len)     \
58
        memcpy((void *)dst, (const void *)src, (size_t)len)
59
60
/* Copy a vector of bytes into a vector of big-endian uint32_t */
61
#define be32dec_vect(dst, src, len)     \
62
        memcpy((void *)dst, (const void *)src, (size_t)len)
63
64
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
65
66
/*
67
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
68
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
69
 */
70
static void
71 468156
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
72
{
73
        size_t i;
74
75 4212871
        for (i = 0; i < len / 4; i++)
76 3744702
                vbe32enc(dst + i * 4, src[i]);
77 468146
}
78
79
/*
80
 * Decode a big-endian length len vector of (unsigned char) into a length
81
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
82
 */
83
static void
84 870046
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
85
{
86
        size_t i;
87
88 14788695
        for (i = 0; i < len / 4; i++)
89 13918750
                dst[i] = vbe32dec(src + i * 4);
90 870041
}
91
92
#endif /* BYTE_ORDER != BIG_ENDIAN */
93
94
/* SHA256 round constants. */
95
static const uint32_t K[64] = {
96
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
97
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
98
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
99
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
100
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
101
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
102
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
103
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
104
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
105
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
106
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
107
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
108
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
109
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
110
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
111
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
112
};
113
114
/* Elementary functions used by SHA256 */
115
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
116
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
117
#define SHR(x, n)       (x >> n)
118
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
119
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
120
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
121
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
122
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
123
124
/* SHA256 round function */
125
#define RND(a, b, c, d, e, f, g, h, k)                          \
126
        do {                                                    \
127
                h += S1(e) + Ch(e, f, g) + (k);                 \
128
                d += h;                                         \
129
                h += S0(a) + Maj(a, b, c);                      \
130
        } while (0)
131
132
/* Adjusted round function for rotating state */
133
#define RNDr(S, W, i, ii)                       \
134
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
135
            S[(66 - i) % 8], S[(67 - i) % 8],   \
136
            S[(68 - i) % 8], S[(69 - i) % 8],   \
137
            S[(70 - i) % 8], S[(71 - i) % 8],   \
138
            W[i + ii] + K[i + ii])
139
140
/* Message schedule computation */
141
#define MSCH(W, ii, i)                                          \
142
        do {                                                    \
143
                W[i + ii + 16] =                                \
144
                    s1(W[i + ii + 14]) + W[i + ii + 9] +        \
145
                    s0(W[i + ii + 1]) + W[i + ii];              \
146
        } while (0)
147
148
/*
149
 * SHA256 block compression function.  The 256-bit state is transformed via
150
 * the 512-bit input block to produce a new state.
151
 */
152
static void
153 870060
VSHA256_Transform(uint32_t * state, const unsigned char block[64])
154
{
155
        uint32_t W[64];
156
        uint32_t S[8];
157
        int i;
158
159
        /* 1. Prepare the first part of the message schedule W. */
160 870060
        be32dec_vect(W, block, 64);
161
162
        /* 2. Initialize working variables. */
163 870060
        memcpy(S, state, 32);
164
165
        /* 3. Mix. */
166 3480270
        for (i = 0; i < 64; i += 16) {
167 3480246
                RNDr(S, W, 0, i);
168 3480229
                RNDr(S, W, 1, i);
169 3480248
                RNDr(S, W, 2, i);
170 3480236
                RNDr(S, W, 3, i);
171 3480248
                RNDr(S, W, 4, i);
172 3480246
                RNDr(S, W, 5, i);
173 3480251
                RNDr(S, W, 6, i);
174 3480285
                RNDr(S, W, 7, i);
175 3480282
                RNDr(S, W, 8, i);
176 3480254
                RNDr(S, W, 9, i);
177 3480253
                RNDr(S, W, 10, i);
178 3480275
                RNDr(S, W, 11, i);
179 3480277
                RNDr(S, W, 12, i);
180 3480243
                RNDr(S, W, 13, i);
181 3480253
                RNDr(S, W, 14, i);
182 3480272
                RNDr(S, W, 15, i);
183
184 3480271
                if (i == 48)
185 870085
                        break;
186 2610169
                MSCH(W, 0, i);
187 2610179
                MSCH(W, 1, i);
188 2610185
                MSCH(W, 2, i);
189 2610163
                MSCH(W, 3, i);
190 2610188
                MSCH(W, 4, i);
191 2610197
                MSCH(W, 5, i);
192 2610192
                MSCH(W, 6, i);
193 2610169
                MSCH(W, 7, i);
194 2610183
                MSCH(W, 8, i);
195 2610189
                MSCH(W, 9, i);
196 2610194
                MSCH(W, 10, i);
197 2610176
                MSCH(W, 11, i);
198 2610200
                MSCH(W, 12, i);
199 2610212
                MSCH(W, 13, i);
200 2610202
                MSCH(W, 14, i);
201 2610187
                MSCH(W, 15, i);
202 2610212
        }
203
204
        /* 4. Mix local working variables into global state */
205 7830519
        for (i = 0; i < 8; i++)
206 6960424
                state[i] += S[i];
207 870076
}
208
209
static const unsigned char PAD[64] = {
210
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
212
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
213
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
214
};
215
216
/* Add padding and terminating bit-count. */
217
static void
218 468142
VSHA256_Pad(VSHA256_CTX * ctx)
219
{
220
        size_t r;
221
222
        /* Figure out how many bytes we have buffered. */
223 468142
        r = (ctx->count >> 3) & 0x3f;
224
225
        /* Pad to 56 mod 64, transforming if we finish a block en route. */
226 468142
        if (r < 56) {
227
                /* Pad to 56 mod 64. */
228 429660
                memcpy(&ctx->buf[r], PAD, 56 - r);
229 429660
        } else {
230
                /* Finish the current block and mix. */
231 38480
                memcpy(&ctx->buf[r], PAD, 64 - r);
232 38480
                VSHA256_Transform(ctx->state, ctx->buf);
233
234
                /* The start of the final block is all zeroes. */
235 38480
                memset(&ctx->buf[0], 0, 56);
236
        }
237
238
        /* Add the terminating bit-count. */
239 468138
        vbe64enc(&ctx->buf[56], ctx->count);
240
241
        /* Mix in the final block. */
242 468138
        VSHA256_Transform(ctx->state, ctx->buf);
243 468138
}
244
245
/* SHA-256 initialization.  Begins a SHA-256 operation. */
246
void
247 451524
VSHA256_Init(VSHA256_CTX * ctx)
248
{
249
250
        /* Zero bits processed so far */
251 451524
        ctx->count = 0;
252
253
        /* Magic initialization constants */
254 451524
        ctx->state[0] = 0x6A09E667;
255 451524
        ctx->state[1] = 0xBB67AE85;
256 451524
        ctx->state[2] = 0x3C6EF372;
257 451524
        ctx->state[3] = 0xA54FF53A;
258 451524
        ctx->state[4] = 0x510E527F;
259 451524
        ctx->state[5] = 0x9B05688C;
260 451524
        ctx->state[6] = 0x1F83D9AB;
261 451524
        ctx->state[7] = 0x5BE0CD19;
262 451524
}
263
264
/* Add bytes into the hash */
265
void
266 18443499
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
267
{
268
        uint64_t bitlen;
269
        uint32_t r;
270 18443499
        const unsigned char *src = in;
271
272
        /* Number of bytes left in the buffer from previous updates */
273 18443499
        r = (ctx->count >> 3) & 0x3f;
274
275
        /* Convert the length into a number of bits */
276 18443499
        bitlen = len << 3;
277
278
        /* Update number of bits */
279 18443499
        ctx->count += bitlen;
280
281
        /* Handle the case where we don't need to perform any transforms */
282 18443499
        if (len < 64 - r) {
283 18085582
                memcpy(&ctx->buf[r], src, len);
284 18085582
                return;
285
        }
286
287
        /* Finish the current block */
288 357919
        memcpy(&ctx->buf[r], src, 64 - r);
289 357919
        VSHA256_Transform(ctx->state, ctx->buf);
290 357919
        src += 64 - r;
291 357919
        len -= 64 - r;
292
293
        /* Perform complete blocks */
294 363439
        while (len >= 64) {
295 5520
                VSHA256_Transform(ctx->state, src);
296 5520
                src += 64;
297 5520
                len -= 64;
298
        }
299
300
        /* Copy left over data into buffer */
301 357919
        memcpy(ctx->buf, src, len);
302 18443560
}
303
304
/*
305
 * SHA-256 finalization.  Pads the input data, exports the hash value,
306
 * and clears the context state.
307
 */
308
void
309 468143
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
310
    VSHA256_CTX *ctx)
311
{
312
313
        /* Add padding */
314 468143
        VSHA256_Pad(ctx);
315
316
        /* Write the hash */
317 468143
        be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
318
319
        /* Clear the context state */
320 468143
        memset((void *)ctx, 0, sizeof(*ctx));
321 468143
}
322
323
/*
324
 * A few test-vectors, just in case
325
 */
326
327
static const struct sha256test {
328
        const char              *input;
329
        const unsigned char     output[32];
330
} sha256test[] = {
331
    { "",
332
        {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
333
         0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
334
         0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
335
    { "message digest",
336
        {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
337
         0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
338
         0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
339
    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
340
        {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
341
         0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
342
         0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
343
    { NULL }
344
};
345
346
347
void
348 35800
VSHA256_Test(void)
349
{
350
        struct VSHA256Context c;
351
        const struct sha256test *p;
352
        unsigned char o[32];
353
354 143200
        for (p = sha256test; p->input != NULL; p++) {
355 107400
                VSHA256_Init(&c);
356 107400
                VSHA256_Update(&c, p->input, strlen(p->input));
357 107400
                VSHA256_Final(o, &c);
358 107400
                AZ(memcmp(o, p->output, 32));
359 107400
        }
360 35800
}