varnish-cache/lib/libvarnish/vsha256.c
0
/*-
1
 * Copyright 2005 Colin Percival
2
 * All rights reserved.
3
 *
4
 * SPDX-License-Identifier: BSD-2-Clause
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in the
13
 *    documentation and/or other materials provided with the distribution.
14
 *
15
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25
 * SUCH DAMAGE.
26
 *
27
 * From:
28
 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
29
 */
30
31
#include "config.h"
32
33
#ifndef __APPLE__
34
#  include <endian.h>
35
#  ifdef _BYTE_ORDER
36
#    define VBYTE_ORDER _BYTE_ORDER
37
#  else
38
#    define VBYTE_ORDER __BYTE_ORDER
39
#  endif
40
#  ifdef _BIG_ENDIAN
41
#    define VBIG_ENDIAN _BIG_ENDIAN
42
#  else
43
#    define VBIG_ENDIAN __BIG_ENDIAN
44
#  endif
45
#else
46
#  define VBYTE_ORDER   __DARWIN_BYTE_ORDER
47
#  define VBIG_ENDIAN   __DARWIN_BIG_ENDIAN
48
#endif
49
50
#ifndef VBYTE_ORDER
51
# error VBYTE_ORDER not defined
52
#endif
53
#ifndef VBIG_ENDIAN
54
# error VBIG_ENDIAN not defined
55
#endif
56
57
58
#include <sys/types.h>
59
#include <stdint.h>
60
#include <string.h>
61
62
#include "vdef.h"
63
64
#include "vas.h"
65
#include "vend.h"
66
#include "vsha256.h"
67
68
#if VBYTE_ORDER == VBIG_ENDIAN
69
70
/* Copy a vector of big-endian uint32_t into a vector of bytes */
71
#define be32enc_vect(dst, src, len)     \
72
        memcpy((void *)dst, (const void *)src, (size_t)len)
73
74
/* Copy a vector of bytes into a vector of big-endian uint32_t */
75
#define be32dec_vect(dst, src, len)     \
76
        memcpy((void *)dst, (const void *)src, (size_t)len)
77
78
#else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
79
80
/*
81
 * Encode a length len/4 vector of (uint32_t) into a length len vector of
82
 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
83
 */
84
static void
85 26942
be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
86
{
87
        size_t i;
88
89 242462
        for (i = 0; i < len / 4; i++)
90 215520
                vbe32enc(dst + i * 4, src[i]);
91 26942
}
92
93
/*
94
 * Decode a big-endian length len vector of (unsigned char) into a length
95
 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
96
 */
97
static void
98 51356
be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
99
{
100
        size_t i;
101
102 873030
        for (i = 0; i < len / 4; i++)
103 821674
                dst[i] = vbe32dec(src + i * 4);
104 51356
}
105
106
#endif /* BYTE_ORDER != BIG_ENDIAN */
107
108
/* SHA256 round constants. */
109
static const uint32_t K[64] = {
110
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
111
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
112
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
113
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
114
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
115
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
116
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
117
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
118
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
119
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
120
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
121
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
122
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
123
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
124
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
125
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
126
};
127
128
/* Elementary functions used by SHA256 */
129
#define Ch(x, y, z)     ((x & (y ^ z)) ^ z)
130
#define Maj(x, y, z)    ((x & (y | z)) | (y & z))
131
#define SHR(x, n)       (x >> n)
132
#define ROTR(x, n)      ((x >> n) | (x << (32 - n)))
133
#define S0(x)           (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
134
#define S1(x)           (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
135
#define s0(x)           (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
136
#define s1(x)           (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
137
138
/* SHA256 round function */
139
#define RND(a, b, c, d, e, f, g, h, k)                          \
140
        do {                                                    \
141
                h += S1(e) + Ch(e, f, g) + (k);                 \
142
                d += h;                                         \
143
                h += S0(a) + Maj(a, b, c);                      \
144
        } while (0)
145
146
/* Adjusted round function for rotating state */
147
#define RNDr(S, W, i, ii)                       \
148
        RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
149
            S[(66 - i) % 8], S[(67 - i) % 8],   \
150
            S[(68 - i) % 8], S[(69 - i) % 8],   \
151
            S[(70 - i) % 8], S[(71 - i) % 8],   \
152
            W[i + ii] + K[i + ii])
153
154
/* Message schedule computation */
155
#define MSCH(W, ii, i)                                          \
156
        do {                                                    \
157
                W[i + ii + 16] =                                \
158
                    s1(W[i + ii + 14]) + W[i + ii + 9] +        \
159
                    s0(W[i + ii + 1]) + W[i + ii];              \
160
        } while (0)
161
162
/*
163
 * SHA256 block compression function.  The 256-bit state is transformed via
164
 * the 512-bit input block to produce a new state.
165
 */
166
static void
167 51356
VSHA256_Transform(uint32_t * state, const unsigned char block[64])
168
{
169
        uint32_t W[64];
170
        uint32_t S[8];
171
        int i;
172
173
        /* 1. Prepare the first part of the message schedule W. */
174 51356
        be32dec_vect(W, block, 64);
175
176
        /* 2. Initialize working variables. */
177 51356
        memcpy(S, state, 32);
178
179
        /* 3. Mix. */
180 205418
        for (i = 0; i < 64; i += 16) {
181 205418
                RNDr(S, W, 0, i);
182 205418
                RNDr(S, W, 1, i);
183 205418
                RNDr(S, W, 2, i);
184 205418
                RNDr(S, W, 3, i);
185 205418
                RNDr(S, W, 4, i);
186 205418
                RNDr(S, W, 5, i);
187 205418
                RNDr(S, W, 6, i);
188 205418
                RNDr(S, W, 7, i);
189 205418
                RNDr(S, W, 8, i);
190 205418
                RNDr(S, W, 9, i);
191 205418
                RNDr(S, W, 10, i);
192 205418
                RNDr(S, W, 11, i);
193 205418
                RNDr(S, W, 12, i);
194 205418
                RNDr(S, W, 13, i);
195 205418
                RNDr(S, W, 14, i);
196 205418
                RNDr(S, W, 15, i);
197
198 205418
                if (i == 48)
199 51356
                        break;
200 154062
                MSCH(W, 0, i);
201 154062
                MSCH(W, 1, i);
202 154062
                MSCH(W, 2, i);
203 154062
                MSCH(W, 3, i);
204 154062
                MSCH(W, 4, i);
205 154062
                MSCH(W, 5, i);
206 154062
                MSCH(W, 6, i);
207 154062
                MSCH(W, 7, i);
208 154062
                MSCH(W, 8, i);
209 154062
                MSCH(W, 9, i);
210 154062
                MSCH(W, 10, i);
211 154062
                MSCH(W, 11, i);
212 154062
                MSCH(W, 12, i);
213 154062
                MSCH(W, 13, i);
214 154062
                MSCH(W, 14, i);
215 154062
                MSCH(W, 15, i);
216 154062
        }
217
218
        /* 4. Mix local working variables into global state */
219 462191
        for (i = 0; i < 8; i++)
220 410835
                state[i] += S[i];
221 51356
}
222
223
static const unsigned char PAD[64] = {
224
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
225
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
226
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
227
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
228
};
229
230
/* Add padding and terminating bit-count. */
231
static void
232 26941
VSHA256_Pad(VSHA256_CTX * ctx)
233
{
234
        size_t r;
235
236
        /* Figure out how many bytes we have buffered. */
237 26941
        r = (ctx->count >> 3) & 0x3f;
238
239
        /* Pad to 56 mod 64, transforming if we finish a block en route. */
240 26941
        if (r < 56) {
241
                /* Pad to 56 mod 64. */
242 24705
                memcpy(&ctx->buf[r], PAD, 56 - r);
243 24705
        } else {
244
                /* Finish the current block and mix. */
245 2236
                memcpy(&ctx->buf[r], PAD, 64 - r);
246 2236
                VSHA256_Transform(ctx->state, ctx->buf);
247
248
                /* The start of the final block is all zeroes. */
249 2236
                memset(&ctx->buf[0], 0, 56);
250
        }
251
252
        /* Add the terminating bit-count. */
253 26941
        vbe64enc(&ctx->buf[56], ctx->count);
254
255
        /* Mix in the final block. */
256 26941
        VSHA256_Transform(ctx->state, ctx->buf);
257 26941
}
258
259
/* SHA-256 initialization.  Begins a SHA-256 operation. */
260
void
261 26110
VSHA256_Init(VSHA256_CTX * ctx)
262
{
263
264
        /* Zero bits processed so far */
265 26110
        ctx->count = 0;
266
267
        /* Magic initialization constants */
268 26110
        ctx->state[0] = 0x6A09E667;
269 26110
        ctx->state[1] = 0xBB67AE85;
270 26110
        ctx->state[2] = 0x3C6EF372;
271 26110
        ctx->state[3] = 0xA54FF53A;
272 26110
        ctx->state[4] = 0x510E527F;
273 26110
        ctx->state[5] = 0x9B05688C;
274 26110
        ctx->state[6] = 0x1F83D9AB;
275 26110
        ctx->state[7] = 0x5BE0CD19;
276 26110
}
277
278
/* Add bytes into the hash */
279
void
280 1097406
VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
281
{
282
        uint64_t bitlen;
283
        uint32_t r;
284 1097406
        const unsigned char *src = in;
285
286
        /* Number of bytes left in the buffer from previous updates */
287 1097406
        r = (ctx->count >> 3) & 0x3f;
288
289
        /* Convert the length into a number of bits */
290 1097406
        bitlen = len << 3;
291
292
        /* Update number of bits */
293 1097406
        ctx->count += bitlen;
294
295
        /* Handle the case where we don't need to perform any transforms */
296 1097406
        if (len < 64 - r) {
297 1076074
                memcpy(&ctx->buf[r], src, len);
298 1076074
                return;
299
        }
300
301
        /* Finish the current block */
302 21332
        memcpy(&ctx->buf[r], src, 64 - r);
303 21332
        VSHA256_Transform(ctx->state, ctx->buf);
304 21332
        src += 64 - r;
305 21332
        len -= 64 - r;
306
307
        /* Perform complete blocks */
308 22178
        while (len >= 64) {
309 846
                VSHA256_Transform(ctx->state, src);
310 846
                src += 64;
311 846
                len -= 64;
312
        }
313
314
        /* Copy left over data into buffer */
315 21332
        memcpy(ctx->buf, src, len);
316 1097406
}
317
318
/*
319
 * SHA-256 finalization.  Pads the input data, exports the hash value,
320
 * and clears the context state.
321
 */
322
void
323 26941
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
324
    VSHA256_CTX *ctx)
325
{
326
327
        /* Add padding */
328 26941
        VSHA256_Pad(ctx);
329
330
        /* Write the hash */
331 26941
        be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
332
333
        /* Clear the context state */
334 26941
        memset((void *)ctx, 0, sizeof(*ctx));
335 26941
}
336
337
/*
338
 * A few test-vectors, just in case
339
 */
340
341
static const struct sha256test {
342
        const char              *input;
343
        const unsigned char     output[32];
344
} sha256test[] = {
345
    { "",
346
        {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
347
         0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
348
         0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
349
    { "message digest",
350
        {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
351
         0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
352
         0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
353
    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
354
        {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
355
         0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
356
         0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
357
    { NULL }
358
};
359
360
361
void
362 2102
VSHA256_Test(void)
363
{
364
        struct VSHA256Context c;
365
        const struct sha256test *p;
366
        unsigned char o[32];
367
368 8408
        for (p = sha256test; p->input != NULL; p++) {
369 6306
                VSHA256_Init(&c);
370 6306
                VSHA256_Update(&c, p->input, strlen(p->input));
371 6306
                VSHA256_Final(o, &c);
372 6306
                AZ(memcmp(o, p->output, 32));
373 6306
        }
374 2102
}