Replace SJCL-powered SHA-256 HMAC in crypto-sha256-js with a handrolled one inspired by it

Author: jeskew

packages/crypto-sha256-js/package.json

@@ -12,14 +12,11 @@
     "author": "[email protected]",
     "license": "Apache-2.0",
     "dependencies": {
-        "@aws/crypto-sjcl-bitArray": "^0.0.1",
-        "@aws/crypto-sjcl-codecArrayBuffer": "^0.0.1",
-        "@aws/crypto-sjcl-codecString": "^0.0.1",
-        "@aws/crypto-sjcl-hmac": "^0.0.1",
-        "@aws/crypto-sjcl-sha256": "^0.0.1",
-        "@aws/types": "^0.0.1"
+        "@aws/types": "^0.0.1",
+        "@aws/util-utf8-browser": "^0.0.1"
     },
     "devDependencies": {
+        "@aws/util-hex-encoding": "^0.0.1",
         "@types/jest": "^20.0.2",
         "jest": "^20.0.4",
         "typescript": "^2.3"

packages/crypto-sha256-js/src/RawSha256.spec.ts

@@ -0,0 +1,13 @@
+import {hashTestVectors} from './knownHashes.fixture';
+import {RawSha256} from './RawSha256';
+
+describe('Hash', () => {
+    let idx = 0;
+    for (const [input, result] of hashTestVectors) {
+        it('should match known hash calculations: ' + idx++, () => {
+            const hash = new RawSha256;
+            hash.update(input);
+            expect(hash.digest()).toEqual(result);
+        });
+    }
+});

packages/crypto-sha256-js/src/RawSha256.ts

@@ -0,0 +1,176 @@
+import {
+    BLOCK_SIZE,
+    DIGEST_LENGTH,
+    INIT,
+    KEY,
+    MAX_HASHABLE_LENGTH,
+} from './constants';
+
+/**
+ * @internal
+ */
+export class RawSha256 {
+    private state: Int32Array = Int32Array.from(INIT);
+    private temp: Int32Array = new Int32Array(64);
+    private buffer: Uint8Array = new Uint8Array(64);
+    private bufferLength: number  = 0;
+    private bytesHashed: number = 0;
+
+    /**
+     * @internal
+     */
+    finished: boolean = false;
+
+    update(data: Uint8Array): void {
+        if (this.finished) {
+            throw new Error("Attempted to update an already finished hash.");
+        }
+
+        let position = 0;
+        let {byteLength} = data;
+        this.bytesHashed += byteLength;
+
+        if (this.bytesHashed * 8 > MAX_HASHABLE_LENGTH) {
+            throw new Error("Cannot hash more than 2^53 - 1 bits");
+        }
+
+        while (byteLength > 0) {
+            this.buffer[this.bufferLength++] = data[position++];
+            byteLength--;
+
+            if (this.bufferLength === BLOCK_SIZE) {
+                this.hashBuffer();
+                this.bufferLength = 0;
+            }
+        }
+    }
+
+    digest(): Uint8Array {
+        if (!this.finished) {
+            const bitsHashed = this.bytesHashed * 8;
+            const bufferView = new DataView(
+                this.buffer.buffer,
+                this.buffer.byteOffset,
+                this.buffer.byteLength
+            );
+
+            const undecoratedLength = this.bufferLength;
+            bufferView.setUint8(this.bufferLength++, 0x80);
+
+            // Ensure the final block has enough room for the hashed length
+            if (undecoratedLength % BLOCK_SIZE >= BLOCK_SIZE - 8) {
+                for (let i = this.bufferLength; i < BLOCK_SIZE; i++) {
+                    bufferView.setUint8(i, 0);
+                }
+                this.hashBuffer();
+                this.bufferLength = 0;
+            }
+
+            for (let i = this.bufferLength; i < BLOCK_SIZE - 8; i++) {
+                bufferView.setUint8(i, 0);
+            }
+            bufferView.setUint32(
+                BLOCK_SIZE - 8,
+                Math.floor(bitsHashed / 0x100000000),
+                true
+            );
+            bufferView.setUint32(
+                BLOCK_SIZE - 4,
+                bitsHashed
+            );
+
+            this.hashBuffer();
+
+            this.finished = true;
+        }
+
+        // The value in state is little-endian rather than big-endian, so flip
+        // each word into a new Uint8Array
+        const out = new Uint8Array(DIGEST_LENGTH);
+        for (let i = 0; i < 8; i++) {
+            out[i * 4] = (this.state[i] >>> 24) & 0xff;
+            out[i * 4 + 1] = (this.state[i] >>> 16) & 0xff;
+            out[i * 4 + 2] = (this.state[i] >>>  8) & 0xff;
+            out[i * 4 + 3] = (this.state[i] >>>  0) & 0xff;
+        }
+
+        return out;
+    }
+
+    private hashBuffer(): void {
+        const {buffer, state} = this;
+
+        let state0 = state[0],
+            state1 = state[1],
+            state2 = state[2],
+            state3 = state[3],
+            state4 = state[4],
+            state5 = state[5],
+            state6 = state[6],
+            state7 = state[7];
+
+        for (let i = 0; i < BLOCK_SIZE; i++) {
+            if (i < 16) {
+                this.temp[i] = (
+                    ((buffer[i * 4] & 0xff) << 24) |
+                    ((buffer[(i * 4) + 1] & 0xff) << 16) |
+                    ((buffer[(i * 4) + 2] & 0xff) <<  8) |
+                    (buffer[(i * 4) + 3] & 0xff)
+                );
+            } else {
+                let u = this.temp[i - 2];
+                const t1 = (u >>> 17 | u << 15) ^
+                    (u >>> 19 | u << 13) ^
+                    (u >>> 10);
+
+                u = this.temp[i - 15];
+                const t2 = (u >>> 7 | u << 25) ^
+                    (u >>> 18 | u << 14) ^
+                    (u >>> 3);
+
+                this.temp[i] = (t1 + this.temp[i - 7] | 0) +
+                    (t2 + this.temp[i - 16] | 0);
+            }
+
+            const t1 = (
+                (
+                    (
+                        (
+                            (state4 >>> 6 | state4 << 26) ^
+                            (state4 >>> 11 | state4 << 21) ^
+                            (state4 >>> 25 | state4 << 7)
+                        )
+                            + ((state4 & state5) ^ (~state4 & state6))
+                    ) | 0
+                )
+                    + ((state7 + ((KEY[i] + this.temp[i]) | 0)) | 0)
+            ) | 0;
+
+            const t2 = (
+                (
+                    (state0 >>> 2 | state0 << 30) ^
+                    (state0 >>> 13 | state0 << 19) ^
+                    (state0 >>> 22 | state0 << 10)
+                ) + ((state0 & state1) ^ (state0 & state2) ^ (state1 & state2))
+            ) | 0;
+
+            state7 = state6;
+            state6 = state5;
+            state5 = state4;
+            state4 = (state3 + t1) | 0;
+            state3 = state2;
+            state2 = state1;
+            state1 = state0;
+            state0 = (t1 + t2) | 0;
+        }
+
+        state[0] += state0;
+        state[1] += state1;
+        state[2] += state2;
+        state[3] += state3;
+        state[4] += state4;
+        state[5] += state5;
+        state[6] += state6;
+        state[7] += state7;
+    }
+}

packages/crypto-sha256-js/src/constants.ts

@@ -0,0 +1,98 @@
+/**
+ * @internal
+ */
+export const BLOCK_SIZE: number = 64;
+
+/**
+ * @internal
+ */
+export const DIGEST_LENGTH: number = 32;
+
+/**
+ * @internal
+ */
+export const KEY = new Uint32Array([
+    0x428a2f98,
+    0x71374491,
+    0xb5c0fbcf,
+    0xe9b5dba5,
+    0x3956c25b,
+    0x59f111f1,
+    0x923f82a4,
+    0xab1c5ed5,
+    0xd807aa98,
+    0x12835b01,
+    0x243185be,
+    0x550c7dc3,
+    0x72be5d74,
+    0x80deb1fe,
+    0x9bdc06a7,
+    0xc19bf174,
+    0xe49b69c1,
+    0xefbe4786,
+    0x0fc19dc6,
+    0x240ca1cc,
+    0x2de92c6f,
+    0x4a7484aa,
+    0x5cb0a9dc,
+    0x76f988da,
+    0x983e5152,
+    0xa831c66d,
+    0xb00327c8,
+    0xbf597fc7,
+    0xc6e00bf3,
+    0xd5a79147,
+    0x06ca6351,
+    0x14292967,
+    0x27b70a85,
+    0x2e1b2138,
+    0x4d2c6dfc,
+    0x53380d13,
+    0x650a7354,
+    0x766a0abb,
+    0x81c2c92e,
+    0x92722c85,
+    0xa2bfe8a1,
+    0xa81a664b,
+    0xc24b8b70,
+    0xc76c51a3,
+    0xd192e819,
+    0xd6990624,
+    0xf40e3585,
+    0x106aa070,
+    0x19a4c116,
+    0x1e376c08,
+    0x2748774c,
+    0x34b0bcb5,
+    0x391c0cb3,
+    0x4ed8aa4a,
+    0x5b9cca4f,
+    0x682e6ff3,
+    0x748f82ee,
+    0x78a5636f,
+    0x84c87814,
+    0x8cc70208,
+    0x90befffa,
+    0xa4506ceb,
+    0xbef9a3f7,
+    0xc67178f2
+]);
+
+/**
+ * @internal
+ */
+export const INIT = [
+    0x6a09e667,
+    0xbb67ae85,
+    0x3c6ef372,
+    0xa54ff53a,
+    0x510e527f,
+    0x9b05688c,
+    0x1f83d9ab,
+    0x5be0cd19,
+];
+
+/**
+ * @internal
+ */
+export const MAX_HASHABLE_LENGTH = 2 ** 53 - 1;

packages/crypto-sha256-js/src/jsSha256.spec.ts

@@ -1,26 +1,25 @@
 import {Sha256} from './jsSha256';
-import SjclSha256 = require('@aws/crypto-sjcl-sha256');
-import SjclHmac = require('@aws/crypto-sjcl-hmac');
+import {RawSha256} from './RawSha256';
+import {hashTestVectors, hmacTestVectors} from './knownHashes.fixture';
 
 describe('Sha256', () => {
-    it('should create an instance of SjclSha256 by default', () => {
+    it('should create an instance of RawSha256 by default', () => {
         const sha256 = new Sha256();
-        expect((sha256 as any).hash).toBeInstanceOf(SjclSha256);
+        expect((sha256 as any).hash).toBeInstanceOf(RawSha256);
     });
 
-    it('should create an instance of SjclHmac if a secret is present', () => {
+    it('should create an outer hash if a secret is present', () => {
         const sha256 = new Sha256('foo');
-        expect((sha256 as any).hash).toBeInstanceOf(SjclHmac);
+        expect((sha256 as any).hash).toBeInstanceOf(RawSha256);
+        expect((sha256 as any).outer).toBeInstanceOf(RawSha256);
     });
 
     it('should accept ArrayBufferView secrets', () => {
         const sha256 = new Sha256(Uint8Array.from([0xde, 0xad]));
-        expect((sha256 as any).hash).toBeInstanceOf(SjclHmac);
     });
 
     it('should accept ArrayBuffer secrets', () => {
         const sha256 = new Sha256(Uint8Array.from([0xde, 0xad]).buffer);
-        expect((sha256 as any).hash).toBeInstanceOf(SjclHmac);
     });
 
     it('should call update when given data', () => {
@@ -54,25 +53,9 @@ describe('Sha256', () => {
         );
     });
 
-    it('should call finalize when creating SHA-256 digests', () => {
-        const sha256 = new Sha256();
-        const spy = jest.spyOn((sha256 as any).hash, 'finalize');
-
-        sha256.digest();
-        expect(spy.mock.calls.length).toBe(1);
-    });
-
-    it('should call digest when creating SHA-256 HMACs', () => {
-        const sha256 = new Sha256('secret');
-        const spy = jest.spyOn((sha256 as any).hash, 'digest');
-
-        sha256.digest();
-        expect(spy.mock.calls.length).toBe(1);
-    });
-
     it('should trap finalization errors', async () => {
         const sha256 = new Sha256();
-        jest.spyOn((sha256 as any).hash, 'finalize')
+        jest.spyOn((sha256 as any).hash, 'digest')
             .mockImplementation(() => {
                 throw new Error('PANIC');
             });
@@ -82,4 +65,22 @@ describe('Sha256', () => {
             () => { /* Promise rejected, just as expected */ }
         );
     });
+
+    let idx = 0;
+    for (const [input, result] of hashTestVectors) {
+        it('should match known hash calculations: ' + idx++, async () => {
+            const hash = new Sha256();
+            hash.update(input);
+            expect(await hash.digest()).toEqual(result);
+        });
+    }
+
+    idx = 0;
+    for (const [key, data, result] of hmacTestVectors) {
+        it('should match known hash calculations: ' + idx++, async () => {
+            const hash = new Sha256(key);
+            hash.update(data);
+            expect(await hash.digest()).toEqual(result);
+        });
+    }
 });