xref: /openbmc/u-boot/lib/sha256.c (revision 7b384eccc785b596f68448b155cbda26df57fb23) 
1  // SPDX-License-Identifier: GPL-2.0+
2  /*
3   * FIPS-180-2 compliant SHA-256 implementation
4   *
5   * Copyright (C) 2001-2003  Christophe Devine
6   */
7  
8  #ifndef USE_HOSTCC
9  #include <common.h>
10  #include <linux/string.h>
11  #else
12  #include <string.h>
13  #endif /* USE_HOSTCC */
14  #include <watchdog.h>
15  #include <u-boot/sha256.h>
16  
17  const uint8_t sha256_der_prefix[SHA256_DER_LEN] = {
18  	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
19  	0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
20  	0x00, 0x04, 0x20
21  };
22  
23  /*
24   * 32-bit integer manipulation macros (big endian)
25   */
26  #ifndef GET_UINT32_BE
27  #define GET_UINT32_BE(n,b,i) {				\
28  	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
29  	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
30  	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
31  	    | ( (unsigned long) (b)[(i) + 3]       );	\
32  }
33  #endif
34  #ifndef PUT_UINT32_BE
35  #define PUT_UINT32_BE(n,b,i) {				\
36  	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
37  	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
38  	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
39  	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
40  }
41  #endif
42  
43  void sha256_starts(sha256_context * ctx)
44  {
45  	ctx->total[0] = 0;
46  	ctx->total[1] = 0;
47  
48  	ctx->state[0] = 0x6A09E667;
49  	ctx->state[1] = 0xBB67AE85;
50  	ctx->state[2] = 0x3C6EF372;
51  	ctx->state[3] = 0xA54FF53A;
52  	ctx->state[4] = 0x510E527F;
53  	ctx->state[5] = 0x9B05688C;
54  	ctx->state[6] = 0x1F83D9AB;
55  	ctx->state[7] = 0x5BE0CD19;
56  }
57  
58  static void sha256_process(sha256_context *ctx, const uint8_t data[64])
59  {
60  	uint32_t temp1, temp2;
61  	uint32_t W[64];
62  	uint32_t A, B, C, D, E, F, G, H;
63  
64  	GET_UINT32_BE(W[0], data, 0);
65  	GET_UINT32_BE(W[1], data, 4);
66  	GET_UINT32_BE(W[2], data, 8);
67  	GET_UINT32_BE(W[3], data, 12);
68  	GET_UINT32_BE(W[4], data, 16);
69  	GET_UINT32_BE(W[5], data, 20);
70  	GET_UINT32_BE(W[6], data, 24);
71  	GET_UINT32_BE(W[7], data, 28);
72  	GET_UINT32_BE(W[8], data, 32);
73  	GET_UINT32_BE(W[9], data, 36);
74  	GET_UINT32_BE(W[10], data, 40);
75  	GET_UINT32_BE(W[11], data, 44);
76  	GET_UINT32_BE(W[12], data, 48);
77  	GET_UINT32_BE(W[13], data, 52);
78  	GET_UINT32_BE(W[14], data, 56);
79  	GET_UINT32_BE(W[15], data, 60);
80  
81  #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
82  #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
83  
84  #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
85  #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
86  
87  #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
88  #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
89  
90  #define F0(x,y,z) ((x & y) | (z & (x | y)))
91  #define F1(x,y,z) (z ^ (x & (y ^ z)))
92  
93  #define R(t)					\
94  (						\
95  	W[t] = S1(W[t - 2]) + W[t - 7] +	\
96  		S0(W[t - 15]) + W[t - 16]	\
97  )
98  
99  #define P(a,b,c,d,e,f,g,h,x,K) {		\
100  	temp1 = h + S3(e) + F1(e,f,g) + K + x;	\
101  	temp2 = S2(a) + F0(a,b,c);		\
102  	d += temp1; h = temp1 + temp2;		\
103  }
104  
105  	A = ctx->state[0];
106  	B = ctx->state[1];
107  	C = ctx->state[2];
108  	D = ctx->state[3];
109  	E = ctx->state[4];
110  	F = ctx->state[5];
111  	G = ctx->state[6];
112  	H = ctx->state[7];
113  
114  	P(A, B, C, D, E, F, G, H, W[0], 0x428A2F98);
115  	P(H, A, B, C, D, E, F, G, W[1], 0x71374491);
116  	P(G, H, A, B, C, D, E, F, W[2], 0xB5C0FBCF);
117  	P(F, G, H, A, B, C, D, E, W[3], 0xE9B5DBA5);
118  	P(E, F, G, H, A, B, C, D, W[4], 0x3956C25B);
119  	P(D, E, F, G, H, A, B, C, W[5], 0x59F111F1);
120  	P(C, D, E, F, G, H, A, B, W[6], 0x923F82A4);
121  	P(B, C, D, E, F, G, H, A, W[7], 0xAB1C5ED5);
122  	P(A, B, C, D, E, F, G, H, W[8], 0xD807AA98);
123  	P(H, A, B, C, D, E, F, G, W[9], 0x12835B01);
124  	P(G, H, A, B, C, D, E, F, W[10], 0x243185BE);
125  	P(F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
126  	P(E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
127  	P(D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
128  	P(C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
129  	P(B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
130  	P(A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
131  	P(H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
132  	P(G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
133  	P(F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
134  	P(E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
135  	P(D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
136  	P(C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
137  	P(B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
138  	P(A, B, C, D, E, F, G, H, R(24), 0x983E5152);
139  	P(H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
140  	P(G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
141  	P(F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
142  	P(E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
143  	P(D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
144  	P(C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
145  	P(B, C, D, E, F, G, H, A, R(31), 0x14292967);
146  	P(A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
147  	P(H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
148  	P(G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
149  	P(F, G, H, A, B, C, D, E, R(35), 0x53380D13);
150  	P(E, F, G, H, A, B, C, D, R(36), 0x650A7354);
151  	P(D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
152  	P(C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
153  	P(B, C, D, E, F, G, H, A, R(39), 0x92722C85);
154  	P(A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
155  	P(H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
156  	P(G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
157  	P(F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
158  	P(E, F, G, H, A, B, C, D, R(44), 0xD192E819);
159  	P(D, E, F, G, H, A, B, C, R(45), 0xD6990624);
160  	P(C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
161  	P(B, C, D, E, F, G, H, A, R(47), 0x106AA070);
162  	P(A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
163  	P(H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
164  	P(G, H, A, B, C, D, E, F, R(50), 0x2748774C);
165  	P(F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
166  	P(E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
167  	P(D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
168  	P(C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
169  	P(B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
170  	P(A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
171  	P(H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
172  	P(G, H, A, B, C, D, E, F, R(58), 0x84C87814);
173  	P(F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
174  	P(E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
175  	P(D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
176  	P(C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
177  	P(B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
178  
179  	ctx->state[0] += A;
180  	ctx->state[1] += B;
181  	ctx->state[2] += C;
182  	ctx->state[3] += D;
183  	ctx->state[4] += E;
184  	ctx->state[5] += F;
185  	ctx->state[6] += G;
186  	ctx->state[7] += H;
187  }
188  
189  void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length)
190  {
191  	uint32_t left, fill;
192  
193  	if (!length)
194  		return;
195  
196  	left = ctx->total[0] & 0x3F;
197  	fill = 64 - left;
198  
199  	ctx->total[0] += length;
200  	ctx->total[0] &= 0xFFFFFFFF;
201  
202  	if (ctx->total[0] < length)
203  		ctx->total[1]++;
204  
205  	if (left && length >= fill) {
206  		memcpy((void *) (ctx->buffer + left), (void *) input, fill);
207  		sha256_process(ctx, ctx->buffer);
208  		length -= fill;
209  		input += fill;
210  		left = 0;
211  	}
212  
213  	while (length >= 64) {
214  		sha256_process(ctx, input);
215  		length -= 64;
216  		input += 64;
217  	}
218  
219  	if (length)
220  		memcpy((void *) (ctx->buffer + left), (void *) input, length);
221  }
222  
223  static uint8_t sha256_padding[64] = {
224  	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
225  	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
226  	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
227  	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
228  };
229  
230  void sha256_finish(sha256_context * ctx, uint8_t digest[32])
231  {
232  	uint32_t last, padn;
233  	uint32_t high, low;
234  	uint8_t msglen[8];
235  
236  	high = ((ctx->total[0] >> 29)
237  		| (ctx->total[1] << 3));
238  	low = (ctx->total[0] << 3);
239  
240  	PUT_UINT32_BE(high, msglen, 0);
241  	PUT_UINT32_BE(low, msglen, 4);
242  
243  	last = ctx->total[0] & 0x3F;
244  	padn = (last < 56) ? (56 - last) : (120 - last);
245  
246  	sha256_update(ctx, sha256_padding, padn);
247  	sha256_update(ctx, msglen, 8);
248  
249  	PUT_UINT32_BE(ctx->state[0], digest, 0);
250  	PUT_UINT32_BE(ctx->state[1], digest, 4);
251  	PUT_UINT32_BE(ctx->state[2], digest, 8);
252  	PUT_UINT32_BE(ctx->state[3], digest, 12);
253  	PUT_UINT32_BE(ctx->state[4], digest, 16);
254  	PUT_UINT32_BE(ctx->state[5], digest, 20);
255  	PUT_UINT32_BE(ctx->state[6], digest, 24);
256  	PUT_UINT32_BE(ctx->state[7], digest, 28);
257  }
258  
259  /*
260   * Output = SHA-256( input buffer ). Trigger the watchdog every 'chunk_sz'
261   * bytes of input processed.
262   */
263  void sha256_csum_wd(const unsigned char *input, unsigned int ilen,
264  		unsigned char *output, unsigned int chunk_sz)
265  {
266  	sha256_context ctx;
267  #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
268  	const unsigned char *end;
269  	unsigned char *curr;
270  	int chunk;
271  #endif
272  
273  	sha256_starts(&ctx);
274  
275  #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
276  	curr = (unsigned char *)input;
277  	end = input + ilen;
278  	while (curr < end) {
279  		chunk = end - curr;
280  		if (chunk > chunk_sz)
281  			chunk = chunk_sz;
282  		sha256_update(&ctx, curr, chunk);
283  		curr += chunk;
284  		WATCHDOG_RESET();
285  	}
286  #else
287  	sha256_update(&ctx, input, ilen);
288  #endif
289  
290  	sha256_finish(&ctx, output);
291  }
292