Embedded SDK
Embedded SDK
cx_sha256.c
Go to the documentation of this file.
1 
2 /*******************************************************************************
3  * Ledger Nano S - Secure firmware
4  * (c) 2022 Ledger
5  *
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at
9  *
10  * http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  ********************************************************************************/
18 
19 #include "app_config.h"
20 
21 #if defined(HAVE_SHA256) || defined(HAVE_SHA224)
22 
23 #include "cx_sha256.h"
24 
25 #include "cx_ram.h"
26 #include "cx_utils.h"
27 #include <stdint.h>
28 #include <string.h>
29 
30 #ifdef HAVE_SHA224
31 const cx_hash_info_t cx_sha224_info
32  = {CX_SHA224,
33  CX_SHA224_SIZE,
34  SHA256_BLOCK_SIZE,
35  sizeof(cx_sha256_t),
36  (cx_err_t(*)(cx_hash_t * ctx)) cx_sha224_init_no_throw,
37  (cx_err_t(*)(cx_hash_t * ctx, const uint8_t *data, size_t len)) cx_sha256_update,
38  (cx_err_t(*)(cx_hash_t * ctx, uint8_t *digest)) cx_sha256_final,
39  NULL,
40  NULL};
41 #endif // HAVE_SHA224
42 
43 #ifdef HAVE_SHA256
44 const cx_hash_info_t cx_sha256_info
45  = {CX_SHA256,
46  CX_SHA256_SIZE,
47  SHA256_BLOCK_SIZE,
48  sizeof(cx_sha256_t),
49  (cx_err_t(*)(cx_hash_t * ctx)) cx_sha256_init_no_throw,
50  (cx_err_t(*)(cx_hash_t * ctx, const uint8_t *data, size_t len)) cx_sha256_update,
51  (cx_err_t(*)(cx_hash_t * ctx, uint8_t *digest)) cx_sha256_final,
52  NULL,
53  NULL};
54 #endif // HAVE_SHA256
55 
56 static const uint32_t primeSqrt[] = {
57  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
58  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
59  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
60  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
61  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
62  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
63  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
64  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
65 };
66 
67 #if defined(HAVE_SHA224)
68 static const uint32_t hzero_224[] = {0xc1059ed8,
69  0x367cd507,
70  0x3070dd17,
71  0xf70e5939,
72  0xffc00b31,
73  0x68581511,
74  0x64f98fa7,
75  0xbefa4fa4};
76 #endif
77 
78 static const uint32_t hzero[] = {0x6a09e667,
79  0xbb67ae85,
80  0x3c6ef372,
81  0xa54ff53a,
82  0x510e527f,
83  0x9b05688c,
84  0x1f83d9ab,
85  0x5be0cd19};
86 
87 #define sig256(x, a, b, c) (cx_rotr((x), a) ^ cx_rotr((x), b) ^ cx_shr((x), c))
88 #define sum256(x, a, b, c) (cx_rotr((x), a) ^ cx_rotr((x), b) ^ cx_rotr((x), c))
89 
90 #define sigma0(x) sig256(x, 7, 18, 3)
91 #define sigma1(x) sig256(x, 17, 19, 10)
92 #define sum0(x) sum256(x, 2, 13, 22)
93 #define sum1(x) sum256(x, 6, 11, 25)
94 
95 // #define ch(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
96 // #define maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
97 
98 #define ch(x, y, z) (z ^ (x & (y ^ z)))
99 #define maj(x, y, z) ((x & y) | (z & (x | y)))
100 
101 #if defined(HAVE_SHA224)
102 cx_err_t cx_sha224_init_no_throw(cx_sha256_t *hash)
103 {
104  memset(hash, 0, sizeof(cx_sha256_t));
105  hash->header.info = &cx_sha224_info;
106  memmove(hash->acc, hzero_224, sizeof(hzero));
107  return CX_OK;
108 }
109 #endif
110 
111 cx_err_t cx_sha256_init_no_throw(cx_sha256_t *hash)
112 {
113  memset(hash, 0, sizeof(cx_sha256_t));
114  hash->header.info = &cx_sha256_info;
115  memmove(hash->acc, hzero, sizeof(hzero));
116  return CX_OK;
117 }
118 
119 static void cx_sha256_block(cx_sha256_t *hash)
120 {
121  uint32_t t1, t2;
122 
123  uint32_t ACC[8];
124  uint32_t *accumulator;
125  uint32_t *X;
126 
127 #define A ACC[0]
128 #define B ACC[1]
129 #define C ACC[2]
130 #define D ACC[3]
131 #define E ACC[4]
132 #define F ACC[5]
133 #define G ACC[6]
134 #define H ACC[7]
135 
136  // init
137  X = ((uint32_t *) &hash->block[0]);
138  accumulator = (uint32_t *) &hash->acc[0];
139  memmove(ACC, accumulator, sizeof(ACC));
140 
141 #ifdef ARCH_LITTLE_ENDIAN
142  cx_swap_buffer32(X, 16);
143 #endif
144 
145  /*
146  * T1 = Sum_1_256(e) + Chg(e,f,g) + K_t_256 + Wt
147  * T2 = Sum_0_256(a) + Maj(abc)
148  * h = g ;
149  * g = f;
150  * f = e;
151  * e = d + T1;
152  * d = c;
153  * c = b;
154  * b = a;
155  * a = T1 + T2;
156  */
157  for (int j = 0; j < 64; j++) {
158  /* for j in 16 to 63, Xj <- (Sigma_1_256( Xj-2) + Xj-7 + Sigma_0_256(Xj-15)
159  * + Xj-16 ). */
160  if (j >= 16) {
161  X[j & 0xF] = (sigma1(X[(j - 2) & 0xF]) + X[(j - 7) & 0xF] + sigma0(X[(j - 15) & 0xF])
162  + X[(j - 16) & 0xF]);
163  }
164 
165  t1 = H + sum1(E) + ch(E, F, G) + primeSqrt[j] + X[j & 0xF];
166  t2 = sum0(A) + maj(A, B, C);
167  /*
168  H = G ;
169  G = F;
170  F = E;
171  E = D+t1;
172  D = C;
173  C = B;
174  B = A;
175  A = t1+t2;
176  */
177  memmove(&ACC[1], &ACC[0], sizeof(ACC) - sizeof(uint32_t));
178  E += t1;
179  A = t1 + t2;
180  }
181 
182  //(update chaining values) (H1 , H2 , H3 , H4 ) <- (H1 + A, H2 + B, H3 + C, H4
183  //+ D...)
184  accumulator[0] += A;
185  accumulator[1] += B;
186  accumulator[2] += C;
187  accumulator[3] += D;
188  accumulator[4] += E;
189  accumulator[5] += F;
190  accumulator[6] += G;
191  accumulator[7] += H;
192 }
193 
194 cx_err_t cx_sha256_update(cx_sha256_t *ctx, const uint8_t *data, size_t len)
195 {
196  size_t r;
197  size_t blen;
198 
199  if (ctx == NULL) {
200  return CX_INVALID_PARAMETER;
201  }
202  if (data == NULL && len != 0) {
203  return CX_INVALID_PARAMETER;
204  }
205 
206  // --- init locals ---
207  blen = ctx->blen;
208  ctx->blen = 0;
209 
210  if (blen >= 64) {
211  return CX_INVALID_PARAMETER;
212  }
213 
214  // --- append input data and process all blocks ---
215  if (blen + len >= 64) {
216  r = 64 - blen;
217  do {
218  // if (ctx->header.counter == CX_HASH_MAX_BLOCK_COUNT) {
219  // return CX_INVALID_PARAMETER;
220  // }
221  memcpy(ctx->block + blen, data, r);
222  cx_sha256_block(ctx);
223 
224  blen = 0;
225  ctx->header.counter++;
226  data += r;
227  len -= r;
228  r = 64;
229  } while (len >= 64);
230  }
231 
232  // --- remind rest data---
233  memcpy(ctx->block + blen, data, len);
234  blen += len;
235  ctx->blen = blen;
236  return CX_OK;
237 }
238 
239 cx_err_t cx_sha256_final(cx_sha256_t *ctx, uint8_t *digest)
240 {
241  uint64_t bitlen;
242 
243  // --- init locals ---
244  uint8_t *block = ctx->block;
245 
246  block[ctx->blen] = 0x80;
247  ctx->blen++;
248 
249  bitlen = (((uint64_t) ctx->header.counter) * 64UL + (uint64_t) ctx->blen - 1UL) * 8UL;
250  // one more block?
251  if (64 - ctx->blen < 8) {
252  memset(block + ctx->blen, 0, 64 - ctx->blen);
253  cx_sha256_block(ctx);
254  ctx->blen = 0;
255  }
256  // last block!
257  memset(block + ctx->blen, 0, 64 - ctx->blen);
258 #ifdef ARCH_LITTLE_ENDIAN
259  *(uint64_t *) &block[64 - 8] = cx_swap_uint64(bitlen);
260 #else
261  (*(uint64_t *) &block[64 - 8]) = bitlen;
262 #endif
263  cx_sha256_block(ctx);
264  // provide result
265 #ifdef ARCH_LITTLE_ENDIAN
266  cx_swap_buffer32((uint32_t *) ctx->acc, 8);
267 #endif
268 
269 #if defined(HAVE_SHA224)
270  if (ctx->header.info->md_type == CX_SHA224) {
271  memcpy(digest, ctx->acc, CX_SHA224_SIZE);
272  }
273  else
274 #endif
275  {
276  memcpy(digest, ctx->acc, CX_SHA256_SIZE);
277  }
278  return CX_OK;
279 }
280 
281 size_t cx_hash_sha256(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_len)
282 {
283  if (out_len < CX_SHA256_SIZE) {
284  return 0;
285  }
286  cx_sha256_init_no_throw(&G_cx.sha256);
287  if (cx_sha256_update(&G_cx.sha256, in, in_len) != CX_OK) {
288  return 0;
289  }
290  cx_sha256_final(&G_cx.sha256, out);
291  explicit_bzero(&G_cx.sha256, sizeof(cx_sha256_t));
292  return CX_SHA256_SIZE;
293 }
294 
295 #endif // defined(HAVE_SHA255) || defined(HAVE_SHA224)
union cx_u G_cx
Definition: cx_ram.c:21
void cx_swap_uint64(uint64bits_t *v)
Definition: cx_utils.c:118
void cx_swap_buffer32(uint32_t *v, size_t len)
Definition: cx_utils.c:47
unsigned char uint8_t
Definition: usbd_conf.h:53