1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) 2001-2003 Christophe Devine
5 *
6 * SPDX-License-Identifier: GPL-2.0+
7 */
8
9 #ifndef USE_HOSTCC
10 #include <common.h>
11 #include <linux/string.h>
12 #include <crypto.h>
13 #else
14 #include <string.h>
15 #endif /* USE_HOSTCC */
16 #include <watchdog.h>
17 #include <u-boot/sha256.h>
18
19 #include <linux/compiler.h>
20
21 #ifdef USE_HOSTCC
22 #undef __weak
23 #define __weak
24 #endif
25
26 const uint8_t sha256_der_prefix[SHA256_DER_LEN] = {
27 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
28 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
29 0x00, 0x04, 0x20
30 };
31
32 /*
33 * 32-bit integer manipulation macros (big endian)
34 */
35 #ifndef GET_UINT32_BE
36 #define GET_UINT32_BE(n,b,i) { \
37 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
38 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
39 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
40 | ( (unsigned long) (b)[(i) + 3] ); \
41 }
42 #endif
43 #ifndef PUT_UINT32_BE
44 #define PUT_UINT32_BE(n,b,i) { \
45 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
46 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
47 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
48 (b)[(i) + 3] = (unsigned char) ( (n) ); \
49 }
50 #endif
51
sha256_starts(sha256_context * ctx)52 void sha256_starts(sha256_context * ctx)
53 {
54 #if !defined(USE_HOSTCC)
55 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
56 sha_context cctx;
57 u32 algo = CRYPTO_SHA256;
58
59 ctx->cdev = NULL;
60 if (ctx->length) {
61 ctx->cdev = crypto_get_device(algo);
62 if (ctx->cdev) {
63 cctx.algo = algo;
64 cctx.length = ctx->length;
65 crypto_sha_init(ctx->cdev, &cctx);
66 return;
67 }
68 }
69 #endif
70 #endif
71 ctx->total[0] = 0;
72 ctx->total[1] = 0;
73
74 ctx->state[0] = 0x6A09E667;
75 ctx->state[1] = 0xBB67AE85;
76 ctx->state[2] = 0x3C6EF372;
77 ctx->state[3] = 0xA54FF53A;
78 ctx->state[4] = 0x510E527F;
79 ctx->state[5] = 0x9B05688C;
80 ctx->state[6] = 0x1F83D9AB;
81 ctx->state[7] = 0x5BE0CD19;
82 }
83
sha256_process_one(sha256_context * ctx,const uint8_t data[64])84 static void sha256_process_one(sha256_context *ctx, const uint8_t data[64])
85 {
86 uint32_t temp1, temp2;
87 uint32_t W[64];
88 uint32_t A, B, C, D, E, F, G, H;
89
90 GET_UINT32_BE(W[0], data, 0);
91 GET_UINT32_BE(W[1], data, 4);
92 GET_UINT32_BE(W[2], data, 8);
93 GET_UINT32_BE(W[3], data, 12);
94 GET_UINT32_BE(W[4], data, 16);
95 GET_UINT32_BE(W[5], data, 20);
96 GET_UINT32_BE(W[6], data, 24);
97 GET_UINT32_BE(W[7], data, 28);
98 GET_UINT32_BE(W[8], data, 32);
99 GET_UINT32_BE(W[9], data, 36);
100 GET_UINT32_BE(W[10], data, 40);
101 GET_UINT32_BE(W[11], data, 44);
102 GET_UINT32_BE(W[12], data, 48);
103 GET_UINT32_BE(W[13], data, 52);
104 GET_UINT32_BE(W[14], data, 56);
105 GET_UINT32_BE(W[15], data, 60);
106
107 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
108 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
109
110 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
111 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
112
113 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
114 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
115
116 #define F0(x,y,z) ((x & y) | (z & (x | y)))
117 #define F1(x,y,z) (z ^ (x & (y ^ z)))
118
119 #define R(t) \
120 ( \
121 W[t] = S1(W[t - 2]) + W[t - 7] + \
122 S0(W[t - 15]) + W[t - 16] \
123 )
124
125 #define P(a,b,c,d,e,f,g,h,x,K) { \
126 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
127 temp2 = S2(a) + F0(a,b,c); \
128 d += temp1; h = temp1 + temp2; \
129 }
130
131 A = ctx->state[0];
132 B = ctx->state[1];
133 C = ctx->state[2];
134 D = ctx->state[3];
135 E = ctx->state[4];
136 F = ctx->state[5];
137 G = ctx->state[6];
138 H = ctx->state[7];
139
140 P(A, B, C, D, E, F, G, H, W[0], 0x428A2F98);
141 P(H, A, B, C, D, E, F, G, W[1], 0x71374491);
142 P(G, H, A, B, C, D, E, F, W[2], 0xB5C0FBCF);
143 P(F, G, H, A, B, C, D, E, W[3], 0xE9B5DBA5);
144 P(E, F, G, H, A, B, C, D, W[4], 0x3956C25B);
145 P(D, E, F, G, H, A, B, C, W[5], 0x59F111F1);
146 P(C, D, E, F, G, H, A, B, W[6], 0x923F82A4);
147 P(B, C, D, E, F, G, H, A, W[7], 0xAB1C5ED5);
148 P(A, B, C, D, E, F, G, H, W[8], 0xD807AA98);
149 P(H, A, B, C, D, E, F, G, W[9], 0x12835B01);
150 P(G, H, A, B, C, D, E, F, W[10], 0x243185BE);
151 P(F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
152 P(E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
153 P(D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
154 P(C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
155 P(B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
156 P(A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
157 P(H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
158 P(G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
159 P(F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
160 P(E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
161 P(D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
162 P(C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
163 P(B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
164 P(A, B, C, D, E, F, G, H, R(24), 0x983E5152);
165 P(H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
166 P(G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
167 P(F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
168 P(E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
169 P(D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
170 P(C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
171 P(B, C, D, E, F, G, H, A, R(31), 0x14292967);
172 P(A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
173 P(H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
174 P(G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
175 P(F, G, H, A, B, C, D, E, R(35), 0x53380D13);
176 P(E, F, G, H, A, B, C, D, R(36), 0x650A7354);
177 P(D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
178 P(C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
179 P(B, C, D, E, F, G, H, A, R(39), 0x92722C85);
180 P(A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
181 P(H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
182 P(G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
183 P(F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
184 P(E, F, G, H, A, B, C, D, R(44), 0xD192E819);
185 P(D, E, F, G, H, A, B, C, R(45), 0xD6990624);
186 P(C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
187 P(B, C, D, E, F, G, H, A, R(47), 0x106AA070);
188 P(A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
189 P(H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
190 P(G, H, A, B, C, D, E, F, R(50), 0x2748774C);
191 P(F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
192 P(E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
193 P(D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
194 P(C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
195 P(B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
196 P(A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
197 P(H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
198 P(G, H, A, B, C, D, E, F, R(58), 0x84C87814);
199 P(F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
200 P(E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
201 P(D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
202 P(C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
203 P(B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
204
205 ctx->state[0] += A;
206 ctx->state[1] += B;
207 ctx->state[2] += C;
208 ctx->state[3] += D;
209 ctx->state[4] += E;
210 ctx->state[5] += F;
211 ctx->state[6] += G;
212 ctx->state[7] += H;
213 }
214
sha256_process(sha256_context * ctx,const unsigned char * data,unsigned int blocks)215 __weak void sha256_process(sha256_context *ctx, const unsigned char *data,
216 unsigned int blocks)
217 {
218 if (!blocks)
219 return;
220
221 while (blocks--) {
222 sha256_process_one(ctx, data);
223 data += 64;
224 }
225 }
226
sha256_update(sha256_context * ctx,const uint8_t * input,uint32_t length)227 void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length)
228 {
229 uint32_t left, fill;
230
231 if (!length)
232 return;
233
234 #if !defined(USE_HOSTCC)
235 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
236 if (ctx->cdev) {
237 crypto_sha_update(ctx->cdev, (void *)input, length);
238 return;
239 }
240 #endif
241 #endif
242 left = ctx->total[0] & 0x3F;
243 fill = 64 - left;
244
245 ctx->total[0] += length;
246 ctx->total[0] &= 0xFFFFFFFF;
247
248 if (ctx->total[0] < length)
249 ctx->total[1]++;
250
251 if (left && length >= fill) {
252 memcpy((void *) (ctx->buffer + left), (void *) input, fill);
253 sha256_process(ctx, ctx->buffer, 1);
254 length -= fill;
255 input += fill;
256 left = 0;
257 }
258
259 sha256_process(ctx, input, length / 64);
260 input += length / 64 * 64;
261 length = length % 64;
262
263 if (length)
264 memcpy((void *) (ctx->buffer + left), (void *) input, length);
265 }
266
267 static uint8_t sha256_padding[64] = {
268 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
269 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
270 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
271 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
272 };
273
sha256_finish(sha256_context * ctx,uint8_t digest[32])274 void sha256_finish(sha256_context * ctx, uint8_t digest[32])
275 {
276 uint32_t last, padn;
277 uint32_t high, low;
278 uint8_t msglen[8];
279
280 #if !defined(USE_HOSTCC)
281 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
282 sha_context cctx;
283
284 if (ctx->cdev) {
285 cctx.algo = CRYPTO_SHA256;
286 cctx.length = ctx->length;
287 crypto_sha_final(ctx->cdev, &cctx, digest);
288 return;
289 }
290 #endif
291 #endif
292 high = ((ctx->total[0] >> 29)
293 | (ctx->total[1] << 3));
294 low = (ctx->total[0] << 3);
295
296 PUT_UINT32_BE(high, msglen, 0);
297 PUT_UINT32_BE(low, msglen, 4);
298
299 last = ctx->total[0] & 0x3F;
300 padn = (last < 56) ? (56 - last) : (120 - last);
301
302 sha256_update(ctx, sha256_padding, padn);
303 sha256_update(ctx, msglen, 8);
304
305 PUT_UINT32_BE(ctx->state[0], digest, 0);
306 PUT_UINT32_BE(ctx->state[1], digest, 4);
307 PUT_UINT32_BE(ctx->state[2], digest, 8);
308 PUT_UINT32_BE(ctx->state[3], digest, 12);
309 PUT_UINT32_BE(ctx->state[4], digest, 16);
310 PUT_UINT32_BE(ctx->state[5], digest, 20);
311 PUT_UINT32_BE(ctx->state[6], digest, 24);
312 PUT_UINT32_BE(ctx->state[7], digest, 28);
313 }
314
315 /*
316 * Output = SHA-256( input buffer ).
317 */
sha256_csum(const unsigned char * input,unsigned int ilen,unsigned char * output)318 void sha256_csum(const unsigned char *input, unsigned int ilen,
319 unsigned char *output)
320 {
321 sha256_context ctx;
322
323 #if !defined(USE_HOSTCC)
324 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
325 ctx.length = ilen;
326 #endif
327 #endif
328 sha256_starts(&ctx);
329 sha256_update(&ctx, input, ilen);
330 sha256_finish(&ctx, output);
331 }
332
333 /*
334 * Output = SHA-256( input buffer ). Trigger the watchdog every 'chunk_sz'
335 * bytes of input processed.
336 */
sha256_csum_wd(const unsigned char * input,unsigned int ilen,unsigned char * output,unsigned int chunk_sz)337 void sha256_csum_wd(const unsigned char *input, unsigned int ilen,
338 unsigned char *output, unsigned int chunk_sz)
339 {
340 sha256_context ctx;
341 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
342 const unsigned char *end;
343 unsigned char *curr;
344 int chunk;
345 #endif
346
347 #if !defined(USE_HOSTCC)
348 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
349 ctx.length = ilen;
350 #endif
351 #endif
352 sha256_starts(&ctx);
353
354 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
355 curr = (unsigned char *)input;
356 end = input + ilen;
357 while (curr < end) {
358 chunk = end - curr;
359 if (chunk > chunk_sz)
360 chunk = chunk_sz;
361 sha256_update(&ctx, curr, chunk);
362 curr += chunk;
363 WATCHDOG_RESET();
364 }
365 #else
366 sha256_update(&ctx, input, ilen);
367 #endif
368
369 sha256_finish(&ctx, output);
370 }
371