xref: /openbmc/u-boot/lib/sha256.c (revision ae485b54)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * FIPS-180-2 compliant SHA-256 implementation
4  *
5  * Copyright (C) 2001-2003  Christophe Devine
6  */
7 
8 #ifndef USE_HOSTCC
9 #include <common.h>
10 #include <linux/string.h>
11 #else
12 #include <string.h>
13 #endif /* USE_HOSTCC */
14 #include <watchdog.h>
15 #include <u-boot/sha256.h>
16 
17 const uint8_t sha256_der_prefix[SHA256_DER_LEN] = {
18 	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
19 	0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
20 	0x00, 0x04, 0x20
21 };
22 
23 /*
24  * 32-bit integer manipulation macros (big endian)
25  */
26 #ifndef GET_UINT32_BE
27 #define GET_UINT32_BE(n,b,i) {				\
28 	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
29 	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
30 	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
31 	    | ( (unsigned long) (b)[(i) + 3]       );	\
32 }
33 #endif
34 #ifndef PUT_UINT32_BE
35 #define PUT_UINT32_BE(n,b,i) {				\
36 	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
37 	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
38 	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
39 	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
40 }
41 #endif
42 
43 void sha256_starts(sha256_context * ctx)
44 {
45 	ctx->total[0] = 0;
46 	ctx->total[1] = 0;
47 
48 	ctx->state[0] = 0x6A09E667;
49 	ctx->state[1] = 0xBB67AE85;
50 	ctx->state[2] = 0x3C6EF372;
51 	ctx->state[3] = 0xA54FF53A;
52 	ctx->state[4] = 0x510E527F;
53 	ctx->state[5] = 0x9B05688C;
54 	ctx->state[6] = 0x1F83D9AB;
55 	ctx->state[7] = 0x5BE0CD19;
56 }
57 
58 static void sha256_process(sha256_context *ctx, const uint8_t data[64])
59 {
60 	uint32_t temp1, temp2;
61 	uint32_t W[64];
62 	uint32_t A, B, C, D, E, F, G, H;
63 
64 	GET_UINT32_BE(W[0], data, 0);
65 	GET_UINT32_BE(W[1], data, 4);
66 	GET_UINT32_BE(W[2], data, 8);
67 	GET_UINT32_BE(W[3], data, 12);
68 	GET_UINT32_BE(W[4], data, 16);
69 	GET_UINT32_BE(W[5], data, 20);
70 	GET_UINT32_BE(W[6], data, 24);
71 	GET_UINT32_BE(W[7], data, 28);
72 	GET_UINT32_BE(W[8], data, 32);
73 	GET_UINT32_BE(W[9], data, 36);
74 	GET_UINT32_BE(W[10], data, 40);
75 	GET_UINT32_BE(W[11], data, 44);
76 	GET_UINT32_BE(W[12], data, 48);
77 	GET_UINT32_BE(W[13], data, 52);
78 	GET_UINT32_BE(W[14], data, 56);
79 	GET_UINT32_BE(W[15], data, 60);
80 
81 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
82 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
83 
84 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
85 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
86 
87 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
88 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
89 
90 #define F0(x,y,z) ((x & y) | (z & (x | y)))
91 #define F1(x,y,z) (z ^ (x & (y ^ z)))
92 
93 #define R(t)					\
94 (						\
95 	W[t] = S1(W[t - 2]) + W[t - 7] +	\
96 		S0(W[t - 15]) + W[t - 16]	\
97 )
98 
99 #define P(a,b,c,d,e,f,g,h,x,K) {		\
100 	temp1 = h + S3(e) + F1(e,f,g) + K + x;	\
101 	temp2 = S2(a) + F0(a,b,c);		\
102 	d += temp1; h = temp1 + temp2;		\
103 }
104 
105 	A = ctx->state[0];
106 	B = ctx->state[1];
107 	C = ctx->state[2];
108 	D = ctx->state[3];
109 	E = ctx->state[4];
110 	F = ctx->state[5];
111 	G = ctx->state[6];
112 	H = ctx->state[7];
113 
114 	P(A, B, C, D, E, F, G, H, W[0], 0x428A2F98);
115 	P(H, A, B, C, D, E, F, G, W[1], 0x71374491);
116 	P(G, H, A, B, C, D, E, F, W[2], 0xB5C0FBCF);
117 	P(F, G, H, A, B, C, D, E, W[3], 0xE9B5DBA5);
118 	P(E, F, G, H, A, B, C, D, W[4], 0x3956C25B);
119 	P(D, E, F, G, H, A, B, C, W[5], 0x59F111F1);
120 	P(C, D, E, F, G, H, A, B, W[6], 0x923F82A4);
121 	P(B, C, D, E, F, G, H, A, W[7], 0xAB1C5ED5);
122 	P(A, B, C, D, E, F, G, H, W[8], 0xD807AA98);
123 	P(H, A, B, C, D, E, F, G, W[9], 0x12835B01);
124 	P(G, H, A, B, C, D, E, F, W[10], 0x243185BE);
125 	P(F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
126 	P(E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
127 	P(D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
128 	P(C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
129 	P(B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
130 	P(A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
131 	P(H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
132 	P(G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
133 	P(F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
134 	P(E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
135 	P(D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
136 	P(C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
137 	P(B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
138 	P(A, B, C, D, E, F, G, H, R(24), 0x983E5152);
139 	P(H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
140 	P(G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
141 	P(F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
142 	P(E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
143 	P(D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
144 	P(C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
145 	P(B, C, D, E, F, G, H, A, R(31), 0x14292967);
146 	P(A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
147 	P(H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
148 	P(G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
149 	P(F, G, H, A, B, C, D, E, R(35), 0x53380D13);
150 	P(E, F, G, H, A, B, C, D, R(36), 0x650A7354);
151 	P(D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
152 	P(C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
153 	P(B, C, D, E, F, G, H, A, R(39), 0x92722C85);
154 	P(A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
155 	P(H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
156 	P(G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
157 	P(F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
158 	P(E, F, G, H, A, B, C, D, R(44), 0xD192E819);
159 	P(D, E, F, G, H, A, B, C, R(45), 0xD6990624);
160 	P(C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
161 	P(B, C, D, E, F, G, H, A, R(47), 0x106AA070);
162 	P(A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
163 	P(H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
164 	P(G, H, A, B, C, D, E, F, R(50), 0x2748774C);
165 	P(F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
166 	P(E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
167 	P(D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
168 	P(C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
169 	P(B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
170 	P(A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
171 	P(H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
172 	P(G, H, A, B, C, D, E, F, R(58), 0x84C87814);
173 	P(F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
174 	P(E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
175 	P(D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
176 	P(C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
177 	P(B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
178 
179 	ctx->state[0] += A;
180 	ctx->state[1] += B;
181 	ctx->state[2] += C;
182 	ctx->state[3] += D;
183 	ctx->state[4] += E;
184 	ctx->state[5] += F;
185 	ctx->state[6] += G;
186 	ctx->state[7] += H;
187 }
188 
189 void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length)
190 {
191 	uint32_t left, fill;
192 
193 	if (!length)
194 		return;
195 
196 	left = ctx->total[0] & 0x3F;
197 	fill = 64 - left;
198 
199 	ctx->total[0] += length;
200 	ctx->total[0] &= 0xFFFFFFFF;
201 
202 	if (ctx->total[0] < length)
203 		ctx->total[1]++;
204 
205 	if (left && length >= fill) {
206 		memcpy((void *) (ctx->buffer + left), (void *) input, fill);
207 		sha256_process(ctx, ctx->buffer);
208 		length -= fill;
209 		input += fill;
210 		left = 0;
211 	}
212 
213 	while (length >= 64) {
214 		sha256_process(ctx, input);
215 		length -= 64;
216 		input += 64;
217 	}
218 
219 	if (length)
220 		memcpy((void *) (ctx->buffer + left), (void *) input, length);
221 }
222 
223 static uint8_t sha256_padding[64] = {
224 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
225 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
226 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
227 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
228 };
229 
230 void sha256_finish(sha256_context * ctx, uint8_t digest[32])
231 {
232 	uint32_t last, padn;
233 	uint32_t high, low;
234 	uint8_t msglen[8];
235 
236 	high = ((ctx->total[0] >> 29)
237 		| (ctx->total[1] << 3));
238 	low = (ctx->total[0] << 3);
239 
240 	PUT_UINT32_BE(high, msglen, 0);
241 	PUT_UINT32_BE(low, msglen, 4);
242 
243 	last = ctx->total[0] & 0x3F;
244 	padn = (last < 56) ? (56 - last) : (120 - last);
245 
246 	sha256_update(ctx, sha256_padding, padn);
247 	sha256_update(ctx, msglen, 8);
248 
249 	PUT_UINT32_BE(ctx->state[0], digest, 0);
250 	PUT_UINT32_BE(ctx->state[1], digest, 4);
251 	PUT_UINT32_BE(ctx->state[2], digest, 8);
252 	PUT_UINT32_BE(ctx->state[3], digest, 12);
253 	PUT_UINT32_BE(ctx->state[4], digest, 16);
254 	PUT_UINT32_BE(ctx->state[5], digest, 20);
255 	PUT_UINT32_BE(ctx->state[6], digest, 24);
256 	PUT_UINT32_BE(ctx->state[7], digest, 28);
257 }
258 
259 /*
260  * Output = SHA-256( input buffer ). Trigger the watchdog every 'chunk_sz'
261  * bytes of input processed.
262  */
263 void sha256_csum_wd(const unsigned char *input, unsigned int ilen,
264 		unsigned char *output, unsigned int chunk_sz)
265 {
266 	sha256_context ctx;
267 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
268 	const unsigned char *end;
269 	unsigned char *curr;
270 	int chunk;
271 #endif
272 
273 	sha256_starts(&ctx);
274 
275 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
276 	curr = (unsigned char *)input;
277 	end = input + ilen;
278 	while (curr < end) {
279 		chunk = end - curr;
280 		if (chunk > chunk_sz)
281 			chunk = chunk_sz;
282 		sha256_update(&ctx, curr, chunk);
283 		curr += chunk;
284 		WATCHDOG_RESET();
285 	}
286 #else
287 	sha256_update(&ctx, input, ilen);
288 #endif
289 
290 	sha256_finish(&ctx, output);
291 }
292