ledger-secure-sdk/cx__sha256_8c_source.html

/*******************************************************************************

 *   Ledger Nano S - Secure firmware

 *   (c) 2022 Ledger

 *

 *  Licensed under the Apache License, Version 2.0 (the "License");

 *  you may not use this file except in compliance with the License.

 *  You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 *  Unless required by applicable law or agreed to in writing, software

 *  distributed under the License is distributed on an "AS IS" BASIS,

 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 *  See the License for the specific language governing permissions and

 *  limitations under the License.

 ********************************************************************************/


#include "app_config.h"


#if defined(HAVE_SHA256) || defined(HAVE_SHA224)


#include "cx_sha256.h"


#include "cx_ram.h"

#include "cx_utils.h"

#include <stdint.h>

#include <string.h>


#ifdef HAVE_SHA224

const cx_hash_info_t cx_sha224_info

    = {CX_SHA224,

       CX_SHA224_SIZE,

       SHA256_BLOCK_SIZE,

       sizeof(cx_sha256_t),

       (cx_err_t(*)(cx_hash_t * ctx)) cx_sha224_init_no_throw,

       (cx_err_t(*)(cx_hash_t * ctx, const uint8_t *data, size_t len)) cx_sha256_update,

       (cx_err_t(*)(cx_hash_t * ctx, uint8_t *digest)) cx_sha256_final,

       NULL,

       NULL};

#endif  // HAVE_SHA224


#ifdef HAVE_SHA256

const cx_hash_info_t cx_sha256_info

    = {CX_SHA256,

       CX_SHA256_SIZE,

       SHA256_BLOCK_SIZE,

       sizeof(cx_sha256_t),

       (cx_err_t(*)(cx_hash_t * ctx)) cx_sha256_init_no_throw,

       (cx_err_t(*)(cx_hash_t * ctx, const uint8_t *data, size_t len)) cx_sha256_update,

       (cx_err_t(*)(cx_hash_t * ctx, uint8_t *digest)) cx_sha256_final,

       NULL,

       NULL};

#endif  // HAVE_SHA256


static const uint32_t primeSqrt[] = {

    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,

    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,

    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,

    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,

    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,

    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,

    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,

    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,

};


#if defined(HAVE_SHA224)

static const uint32_t hzero_224[] = {0xc1059ed8,

                                     0x367cd507,

                                     0x3070dd17,

                                     0xf70e5939,

                                     0xffc00b31,

                                     0x68581511,

                                     0x64f98fa7,

                                     0xbefa4fa4};

#endif


static const uint32_t hzero[] = {0x6a09e667,

                                 0xbb67ae85,

                                 0x3c6ef372,

                                 0xa54ff53a,

                                 0x510e527f,

                                 0x9b05688c,

                                 0x1f83d9ab,

                                 0x5be0cd19};


#define sig256(x, a, b, c) (cx_rotr((x), a) ^ cx_rotr((x), b) ^ cx_shr((x), c))

#define sum256(x, a, b, c) (cx_rotr((x), a) ^ cx_rotr((x), b) ^ cx_rotr((x), c))


#define sigma0(x) sig256(x, 7, 18, 3)

#define sigma1(x) sig256(x, 17, 19, 10)

#define sum0(x)   sum256(x, 2, 13, 22)

#define sum1(x)   sum256(x, 6, 11, 25)


// #define ch(x, y, z) (((x) & (y)) ^ (~(x) & (z)))

// #define maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))


#define ch(x, y, z)  (z ^ (x & (y ^ z)))

#define maj(x, y, z) ((x & y) | (z & (x | y)))


#if defined(HAVE_SHA224)

cx_err_t cx_sha224_init_no_throw(cx_sha256_t *hash)

{

    memset(hash, 0, sizeof(cx_sha256_t));

    hash->header.info = &cx_sha224_info;

    memmove(hash->acc, hzero_224, sizeof(hzero));

    return CX_OK;

}

#endif


cx_err_t cx_sha256_init_no_throw(cx_sha256_t *hash)

{

    memset(hash, 0, sizeof(cx_sha256_t));

    hash->header.info = &cx_sha256_info;

    memmove(hash->acc, hzero, sizeof(hzero));

    return CX_OK;

}


static void cx_sha256_block(cx_sha256_t *hash)

{

    uint32_t t1, t2;


    uint32_t  ACC[8];

    uint32_t *accumulator;

    uint32_t *X;


#define A ACC[0]

#define B ACC[1]

#define C ACC[2]

#define D ACC[3]

#define E ACC[4]

#define F ACC[5]

#define G ACC[6]

#define H ACC[7]


    // init

    X           = ((uint32_t *) &hash->block[0]);

    accumulator = (uint32_t *) &hash->acc[0];

    memmove(ACC, accumulator, sizeof(ACC));


#ifdef ARCH_LITTLE_ENDIAN

    cx_swap_buffer32(X, 16);

#endif


    /*

     * T1 = Sum_1_256(e) + Chg(e,f,g) + K_t_256 + Wt

     * T2 = Sum_0_256(a) + Maj(abc)

     * h = g ;

     * g = f;

     * f = e;

     * e = d + T1;

     * d = c;

     * c = b;

     * b = a;

     * a = T1 + T2;

     */

    for (int j = 0; j < 64; j++) {

        /* for j in 16 to 63, Xj <- (Sigma_1_256( Xj-2) + Xj-7 + Sigma_0_256(Xj-15)

         * + Xj-16 ). */

        if (j >= 16) {

            X[j & 0xF] = (sigma1(X[(j - 2) & 0xF]) + X[(j - 7) & 0xF] + sigma0(X[(j - 15) & 0xF])

                          + X[(j - 16) & 0xF]);

        }


        t1 = H + sum1(E) + ch(E, F, G) + primeSqrt[j] + X[j & 0xF];

        t2 = sum0(A) + maj(A, B, C);

        /*

        H = G ;

        G = F;

        F = E;

        E = D+t1;

        D = C;

        C = B;

        B = A;

        A = t1+t2;

        */

        memmove(&ACC[1], &ACC[0], sizeof(ACC) - sizeof(uint32_t));

        E += t1;

        A = t1 + t2;

    }


    //(update chaining values) (H1 , H2 , H3 , H4 ) <- (H1 + A, H2 + B, H3 + C, H4

    //+ D...)

    accumulator[0] += A;

    accumulator[1] += B;

    accumulator[2] += C;

    accumulator[3] += D;

    accumulator[4] += E;

    accumulator[5] += F;

    accumulator[6] += G;

    accumulator[7] += H;

}


cx_err_t cx_sha256_update(cx_sha256_t *ctx, const uint8_t *data, size_t len)

{

    size_t r;

    size_t blen;


    if (ctx == NULL) {

        return CX_INVALID_PARAMETER;

    }

    if (data == NULL && len != 0) {

        return CX_INVALID_PARAMETER;

    }


    // --- init locals ---

    blen      = ctx->blen;

    ctx->blen = 0;


    if (blen >= 64) {

        return CX_INVALID_PARAMETER;

    }


    // --- append input data and process all blocks ---

    if (blen + len >= 64) {

        r = 64 - blen;

        do {

            // if (ctx->header.counter == CX_HASH_MAX_BLOCK_COUNT) {

            //   return CX_INVALID_PARAMETER;

            // }

            memcpy(ctx->block + blen, data, r);

            cx_sha256_block(ctx);


            blen = 0;

            ctx->header.counter++;

            data += r;

            len -= r;

            r = 64;

        } while (len >= 64);

    }


    // --- remind rest data---

    memcpy(ctx->block + blen, data, len);

    blen += len;

    ctx->blen = blen;

    return CX_OK;

}


cx_err_t cx_sha256_final(cx_sha256_t *ctx, uint8_t *digest)

{

    uint64_t bitlen;


    // --- init locals ---

    uint8_t *block = ctx->block;


    block[ctx->blen] = 0x80;

    ctx->blen++;


    bitlen = (((uint64_t) ctx->header.counter) * 64UL + (uint64_t) ctx->blen - 1UL) * 8UL;

    // one more block?

    if (64 - ctx->blen < 8) {

        memset(block + ctx->blen, 0, 64 - ctx->blen);

        cx_sha256_block(ctx);

        ctx->blen = 0;

    }

    // last block!

    memset(block + ctx->blen, 0, 64 - ctx->blen);

#ifdef ARCH_LITTLE_ENDIAN

    *(uint64_t *) &block[64 - 8] = cx_swap_uint64(bitlen);

#else

    (*(uint64_t *) &block[64 - 8]) = bitlen;

#endif

    cx_sha256_block(ctx);

    // provide result

#ifdef ARCH_LITTLE_ENDIAN

    cx_swap_buffer32((uint32_t *) ctx->acc, 8);

#endif


#if defined(HAVE_SHA224)

    if (ctx->header.info->md_type == CX_SHA224) {

        memcpy(digest, ctx->acc, CX_SHA224_SIZE);

    }

    else

#endif

    {

        memcpy(digest, ctx->acc, CX_SHA256_SIZE);

    }

    return CX_OK;

}


size_t cx_hash_sha256(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_len)

{

    if (out_len < CX_SHA256_SIZE) {

        return 0;

    }

    cx_sha256_init_no_throw(&G_cx.sha256);

    if (cx_sha256_update(&G_cx.sha256, in, in_len) != CX_OK) {

        return 0;

    }

    cx_sha256_final(&G_cx.sha256, out);

    explicit_bzero(&G_cx.sha256, sizeof(cx_sha256_t));

    return CX_SHA256_SIZE;

}


#endif  // defined(HAVE_SHA255) || defined(HAVE_SHA224)

G_cx
union cx_u G_cx
Definition cx_ram.c:21

cx_ram.h

cx_sha256.h

cx_swap_uint64
void cx_swap_uint64(uint64bits_t *v)
Definition cx_utils.c:118

cx_swap_buffer32
void cx_swap_buffer32(uint32_t *v, size_t len)
Definition cx_utils.c:47

cx_utils.h

uint8_t
unsigned char uint8_t
Definition usbd_conf.h:53