xref: /rk3399_rockchip-uboot/lib/sha256.c (revision 49fa68b0dbd5e2cf48ddcd537cf74590eeefd48f) 
1 /*
2  * FIPS-180-2 compliant SHA-256 implementation
3  *
4  * Copyright (C) 2001-2003  Christophe Devine
5  *
6  * SPDX-License-Identifier:	GPL-2.0+
7  */
8 
9 #ifndef USE_HOSTCC
10 #include <common.h>
11 #include <linux/string.h>
12 #include <crypto.h>
13 #else
14 #include <string.h>
15 #endif /* USE_HOSTCC */
16 #include <watchdog.h>
17 #include <u-boot/sha256.h>
18 
19 #include <linux/compiler.h>
20 
21 #ifdef USE_HOSTCC
22 #undef __weak
23 #define __weak
24 #endif
25 
26 const uint8_t sha256_der_prefix[SHA256_DER_LEN] = {
27 	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
28 	0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
29 	0x00, 0x04, 0x20
30 };
31 
32 /*
33  * 32-bit integer manipulation macros (big endian)
34  */
35 #ifndef GET_UINT32_BE
36 #define GET_UINT32_BE(n,b,i) {				\
37 	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
38 	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
39 	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
40 	    | ( (unsigned long) (b)[(i) + 3]       );	\
41 }
42 #endif
43 #ifndef PUT_UINT32_BE
44 #define PUT_UINT32_BE(n,b,i) {				\
45 	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
46 	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
47 	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
48 	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
49 }
50 #endif
51 
52 void sha256_starts(sha256_context * ctx)
53 {
54 #if !defined(USE_HOSTCC)
55 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
56 	sha_context cctx;
57 	u32 algo = CRYPTO_SHA256;
58 
59 	ctx->cdev = NULL;
60 	if (ctx->length) {
61 		ctx->cdev = crypto_get_device(algo);
62 		if (ctx->cdev) {
63 			cctx.algo = algo;
64 			cctx.length = ctx->length;
65 			crypto_sha_init(ctx->cdev, &cctx);
66 			return;
67 		}
68 	}
69 #endif
70 #endif
71 	ctx->total[0] = 0;
72 	ctx->total[1] = 0;
73 
74 	ctx->state[0] = 0x6A09E667;
75 	ctx->state[1] = 0xBB67AE85;
76 	ctx->state[2] = 0x3C6EF372;
77 	ctx->state[3] = 0xA54FF53A;
78 	ctx->state[4] = 0x510E527F;
79 	ctx->state[5] = 0x9B05688C;
80 	ctx->state[6] = 0x1F83D9AB;
81 	ctx->state[7] = 0x5BE0CD19;
82 }
83 
84 static void sha256_process_one(sha256_context *ctx, const uint8_t data[64])
85 {
86 	uint32_t temp1, temp2;
87 	uint32_t W[64];
88 	uint32_t A, B, C, D, E, F, G, H;
89 
90 	GET_UINT32_BE(W[0], data, 0);
91 	GET_UINT32_BE(W[1], data, 4);
92 	GET_UINT32_BE(W[2], data, 8);
93 	GET_UINT32_BE(W[3], data, 12);
94 	GET_UINT32_BE(W[4], data, 16);
95 	GET_UINT32_BE(W[5], data, 20);
96 	GET_UINT32_BE(W[6], data, 24);
97 	GET_UINT32_BE(W[7], data, 28);
98 	GET_UINT32_BE(W[8], data, 32);
99 	GET_UINT32_BE(W[9], data, 36);
100 	GET_UINT32_BE(W[10], data, 40);
101 	GET_UINT32_BE(W[11], data, 44);
102 	GET_UINT32_BE(W[12], data, 48);
103 	GET_UINT32_BE(W[13], data, 52);
104 	GET_UINT32_BE(W[14], data, 56);
105 	GET_UINT32_BE(W[15], data, 60);
106 
107 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
108 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
109 
110 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
111 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
112 
113 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
114 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
115 
116 #define F0(x,y,z) ((x & y) | (z & (x | y)))
117 #define F1(x,y,z) (z ^ (x & (y ^ z)))
118 
119 #define R(t)					\
120 (						\
121 	W[t] = S1(W[t - 2]) + W[t - 7] +	\
122 		S0(W[t - 15]) + W[t - 16]	\
123 )
124 
125 #define P(a,b,c,d,e,f,g,h,x,K) {		\
126 	temp1 = h + S3(e) + F1(e,f,g) + K + x;	\
127 	temp2 = S2(a) + F0(a,b,c);		\
128 	d += temp1; h = temp1 + temp2;		\
129 }
130 
131 	A = ctx->state[0];
132 	B = ctx->state[1];
133 	C = ctx->state[2];
134 	D = ctx->state[3];
135 	E = ctx->state[4];
136 	F = ctx->state[5];
137 	G = ctx->state[6];
138 	H = ctx->state[7];
139 
140 	P(A, B, C, D, E, F, G, H, W[0], 0x428A2F98);
141 	P(H, A, B, C, D, E, F, G, W[1], 0x71374491);
142 	P(G, H, A, B, C, D, E, F, W[2], 0xB5C0FBCF);
143 	P(F, G, H, A, B, C, D, E, W[3], 0xE9B5DBA5);
144 	P(E, F, G, H, A, B, C, D, W[4], 0x3956C25B);
145 	P(D, E, F, G, H, A, B, C, W[5], 0x59F111F1);
146 	P(C, D, E, F, G, H, A, B, W[6], 0x923F82A4);
147 	P(B, C, D, E, F, G, H, A, W[7], 0xAB1C5ED5);
148 	P(A, B, C, D, E, F, G, H, W[8], 0xD807AA98);
149 	P(H, A, B, C, D, E, F, G, W[9], 0x12835B01);
150 	P(G, H, A, B, C, D, E, F, W[10], 0x243185BE);
151 	P(F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
152 	P(E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
153 	P(D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
154 	P(C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
155 	P(B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
156 	P(A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
157 	P(H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
158 	P(G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
159 	P(F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
160 	P(E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
161 	P(D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
162 	P(C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
163 	P(B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
164 	P(A, B, C, D, E, F, G, H, R(24), 0x983E5152);
165 	P(H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
166 	P(G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
167 	P(F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
168 	P(E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
169 	P(D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
170 	P(C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
171 	P(B, C, D, E, F, G, H, A, R(31), 0x14292967);
172 	P(A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
173 	P(H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
174 	P(G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
175 	P(F, G, H, A, B, C, D, E, R(35), 0x53380D13);
176 	P(E, F, G, H, A, B, C, D, R(36), 0x650A7354);
177 	P(D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
178 	P(C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
179 	P(B, C, D, E, F, G, H, A, R(39), 0x92722C85);
180 	P(A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
181 	P(H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
182 	P(G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
183 	P(F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
184 	P(E, F, G, H, A, B, C, D, R(44), 0xD192E819);
185 	P(D, E, F, G, H, A, B, C, R(45), 0xD6990624);
186 	P(C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
187 	P(B, C, D, E, F, G, H, A, R(47), 0x106AA070);
188 	P(A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
189 	P(H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
190 	P(G, H, A, B, C, D, E, F, R(50), 0x2748774C);
191 	P(F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
192 	P(E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
193 	P(D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
194 	P(C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
195 	P(B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
196 	P(A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
197 	P(H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
198 	P(G, H, A, B, C, D, E, F, R(58), 0x84C87814);
199 	P(F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
200 	P(E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
201 	P(D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
202 	P(C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
203 	P(B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
204 
205 	ctx->state[0] += A;
206 	ctx->state[1] += B;
207 	ctx->state[2] += C;
208 	ctx->state[3] += D;
209 	ctx->state[4] += E;
210 	ctx->state[5] += F;
211 	ctx->state[6] += G;
212 	ctx->state[7] += H;
213 }
214 
215 __weak void sha256_process(sha256_context *ctx, const unsigned char *data,
216 			   unsigned int blocks)
217 {
218 	if (!blocks)
219 		return;
220 
221 	while (blocks--) {
222 		sha256_process_one(ctx, data);
223 		data += 64;
224 	}
225 }
226 
227 void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length)
228 {
229 	uint32_t left, fill;
230 
231 	if (!length)
232 		return;
233 
234 #if !defined(USE_HOSTCC)
235 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
236 	if (ctx->cdev) {
237 		crypto_sha_update(ctx->cdev, (void *)input, length);
238 		return;
239 	}
240 #endif
241 #endif
242 	left = ctx->total[0] & 0x3F;
243 	fill = 64 - left;
244 
245 	ctx->total[0] += length;
246 	ctx->total[0] &= 0xFFFFFFFF;
247 
248 	if (ctx->total[0] < length)
249 		ctx->total[1]++;
250 
251 	if (left && length >= fill) {
252 		memcpy((void *) (ctx->buffer + left), (void *) input, fill);
253 		sha256_process(ctx, ctx->buffer, 1);
254 		length -= fill;
255 		input += fill;
256 		left = 0;
257 	}
258 
259 	sha256_process(ctx, input, length / 64);
260 	input += length / 64 * 64;
261 	length = length % 64;
262 
263 	if (length)
264 		memcpy((void *) (ctx->buffer + left), (void *) input, length);
265 }
266 
267 static uint8_t sha256_padding[64] = {
268 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
269 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
270 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
271 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
272 };
273 
274 void sha256_finish(sha256_context * ctx, uint8_t digest[32])
275 {
276 	uint32_t last, padn;
277 	uint32_t high, low;
278 	uint8_t msglen[8];
279 
280 #if !defined(USE_HOSTCC)
281 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
282 	sha_context cctx;
283 
284 	if (ctx->cdev) {
285 		cctx.algo = CRYPTO_SHA256;
286 		cctx.length = ctx->length;
287 		crypto_sha_final(ctx->cdev, &cctx, digest);
288 		return;
289 	}
290 #endif
291 #endif
292 	high = ((ctx->total[0] >> 29)
293 		| (ctx->total[1] << 3));
294 	low = (ctx->total[0] << 3);
295 
296 	PUT_UINT32_BE(high, msglen, 0);
297 	PUT_UINT32_BE(low, msglen, 4);
298 
299 	last = ctx->total[0] & 0x3F;
300 	padn = (last < 56) ? (56 - last) : (120 - last);
301 
302 	sha256_update(ctx, sha256_padding, padn);
303 	sha256_update(ctx, msglen, 8);
304 
305 	PUT_UINT32_BE(ctx->state[0], digest, 0);
306 	PUT_UINT32_BE(ctx->state[1], digest, 4);
307 	PUT_UINT32_BE(ctx->state[2], digest, 8);
308 	PUT_UINT32_BE(ctx->state[3], digest, 12);
309 	PUT_UINT32_BE(ctx->state[4], digest, 16);
310 	PUT_UINT32_BE(ctx->state[5], digest, 20);
311 	PUT_UINT32_BE(ctx->state[6], digest, 24);
312 	PUT_UINT32_BE(ctx->state[7], digest, 28);
313 }
314 
315 /*
316  * Output = SHA-256( input buffer ).
317  */
318 void sha256_csum(const unsigned char *input, unsigned int ilen,
319 		 unsigned char *output)
320 {
321 	sha256_context ctx;
322 
323 #if !defined(USE_HOSTCC)
324 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
325 	ctx.length = ilen;
326 #endif
327 #endif
328 	sha256_starts(&ctx);
329 	sha256_update(&ctx, input, ilen);
330 	sha256_finish(&ctx, output);
331 }
332 
333 /*
334  * Output = SHA-256( input buffer ). Trigger the watchdog every 'chunk_sz'
335  * bytes of input processed.
336  */
337 void sha256_csum_wd(const unsigned char *input, unsigned int ilen,
338 		unsigned char *output, unsigned int chunk_sz)
339 {
340 	sha256_context ctx;
341 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
342 	const unsigned char *end;
343 	unsigned char *curr;
344 	int chunk;
345 #endif
346 
347 #if !defined(USE_HOSTCC)
348 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA256) && CONFIG_IS_ENABLED(DM_CRYPTO)
349 	ctx.length = ilen;
350 #endif
351 #endif
352 	sha256_starts(&ctx);
353 
354 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
355 	curr = (unsigned char *)input;
356 	end = input + ilen;
357 	while (curr < end) {
358 		chunk = end - curr;
359 		if (chunk > chunk_sz)
360 			chunk = chunk_sz;
361 		sha256_update(&ctx, curr, chunk);
362 		curr += chunk;
363 		WATCHDOG_RESET();
364 	}
365 #else
366 	sha256_update(&ctx, input, ilen);
367 #endif
368 
369 	sha256_finish(&ctx, output);
370 }
371