[SLOF] [PATCH v6 5/7] tpm: Add sha256 implementation
Stefan Berger
stefanb at linux.ibm.com
Thu Jan 16 07:00:46 AEDT 2020
The following patch adds a SHA256 implementation based on the algorithm
description in NIST FIPS PUB 180-4. The patch includes test cases that test
the sha256 implementation and pass on big and little endian ppc64 hosts.
Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
---
lib/libtpm/Makefile | 2 +-
lib/libtpm/sha256.c | 316 ++++++++++++++++++++++++++++++++++++++++++++
lib/libtpm/sha256.h | 20 +++
3 files changed, 337 insertions(+), 1 deletion(-)
create mode 100644 lib/libtpm/sha256.c
create mode 100644 lib/libtpm/sha256.h
diff --git a/lib/libtpm/Makefile b/lib/libtpm/Makefile
index ff19e1c..7efad28 100644
--- a/lib/libtpm/Makefile
+++ b/lib/libtpm/Makefile
@@ -23,7 +23,7 @@ TARGET = ../libtpm.a
all: $(TARGET)
-SRCS = tpm_drivers.c
+SRCS = tpm_drivers.c sha256.c
OBJS = $(SRCS:%.c=%.o)
diff --git a/lib/libtpm/sha256.c b/lib/libtpm/sha256.c
new file mode 100644
index 0000000..6acff92
--- /dev/null
+++ b/lib/libtpm/sha256.c
@@ -0,0 +1,316 @@
+/*****************************************************************************
+ * Copyright (c) 2015-2020 IBM Corporation
+ * All rights reserved.
+ * This program and the accompanying materials
+ * are made available under the terms of the BSD License
+ * which accompanies this distribution, and is available at
+ * http://www.opensource.org/licenses/bsd-license.php
+ *
+ * Contributors:
+ * IBM Corporation - initial implementation
+ *****************************************************************************/
+
+/*
+ * See: NIST standard for SHA-1 in FIPS PUB 180-4
+ */
+
+#include "byteorder.h"
+#include "sha256.h"
+#include "string.h"
+
+typedef struct _sha256_ctx {
+ uint32_t h[8];
+} sha256_ctx;
+
+static inline uint32_t rotr(uint32_t x, uint8_t n)
+{
+ return (x >> n) | (x << (32 - n));
+}
+
+static inline uint32_t Ch(uint32_t x, uint32_t y, uint32_t z)
+{
+ return (x & y) | ((x ^ 0xffffffff) & z);
+}
+
+static inline uint32_t Maj(uint32_t x, uint32_t y, uint32_t z)
+{
+ return (x & y) | (x & z) | (y & z);
+}
+
+static inline uint32_t sum0(uint32_t x)
+{
+ return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22);
+}
+
+static inline uint32_t sum1(uint32_t x)
+{
+ return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25);
+}
+
+static inline uint32_t sigma0(uint32_t x)
+{
+ return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3);
+}
+
+static inline uint32_t sigma1(uint32_t x)
+{
+ return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10);
+}
+
+static void sha256_block(uint32_t *w, sha256_ctx *ctx)
+{
+ uint32_t t;
+ uint32_t a, b, c, d, e, f, g, h;
+ uint32_t T1, T2;
+
+ /*
+ * FIPS 180-4 4.2.2: SHA256 Constants
+ */
+ static const uint32_t sha_ko[64] = {
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
+ 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+ 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+ 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+ 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
+ 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
+ 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
+ 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+ 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+ };
+
+ /*
+ * FIPS 180-4 6.2.2: step 1
+ *
+ * 0 <= i <= 15:
+ * W(t) = M(t)
+ * 16 <= i <= 79:
+ * W(t) = sigma1(W(t-2)) + W(t-7) + sigma0(W(t-15)) + W(t-16)
+ */
+
+ /* w(0)..w(15) are in big endian format */
+ for (t = 0; t <= 15; t++)
+ w[t] = be32_to_cpu(w[t]);
+
+ for (t = 16; t <= 63; t++)
+ w[t] = sigma1(w[t-2]) + w[t-7] + sigma0(w[t-15]) + w[t-16];
+
+ /*
+ * step 2: a = H0, b = H1, c = H2, d = H3, e = H4, f = H5, g = H6, h = H7
+ */
+ a = ctx->h[0];
+ b = ctx->h[1];
+ c = ctx->h[2];
+ d = ctx->h[3];
+ e = ctx->h[4];
+ f = ctx->h[5];
+ g = ctx->h[6];
+ h = ctx->h[7];
+
+ /*
+ * step 3: For i = 0 to 63:
+ * T1 = h + sum1(e) + Ch(e,f,g) + K(t) + W(t);
+ * T2 = sum0(a) + Maj(a,b,c)
+ * h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a + T1 + T2
+ */
+ for (t = 0; t <= 63; t++) {
+ T1 = h + sum1(e) + Ch(e, f, g) + sha_ko[t] + w[t];
+ T2 = sum0(a) + Maj(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + T1;
+ d = c;
+ c = b;
+ b = a;
+ a = T1 + T2;
+ }
+
+ /*
+ * step 4:
+ * H0 = a + H0, H1 = b + H1, H2 = c + H2, H3 = d + H3, H4 = e + H4
+ */
+ ctx->h[0] += a;
+ ctx->h[1] += b;
+ ctx->h[2] += c;
+ ctx->h[3] += d;
+ ctx->h[4] += e;
+ ctx->h[5] += f;
+ ctx->h[6] += g;
+ ctx->h[7] += h;
+}
+
+static void sha256_do(sha256_ctx *ctx, const uint8_t *data32, uint32_t length)
+{
+ uint32_t offset;
+ uint16_t num;
+ uint32_t bits = 0;
+ uint32_t w[64];
+ uint64_t tmp;
+
+ /* treat data in 64-byte chunks */
+ for (offset = 0; length - offset >= 64; offset += 64) {
+ memcpy(w, data32 + offset, 64);
+ sha256_block((uint32_t *)w, ctx);
+ bits += (64 * 8);
+ }
+
+ /* last block with less than 64 bytes */
+ num = length - offset;
+ bits += (num << 3);
+
+ memcpy(w, data32 + offset, num);
+ /*
+ * FIPS 180-4 5.1: Padding the Message
+ */
+ ((uint8_t *)w)[num] = 0x80;
+ if (64 - (num + 1) > 0)
+ memset( &((uint8_t *)w)[num + 1], 0, 64 - (num + 1));
+
+ if (num >= 56) {
+ /* cannot append number of bits here */
+ sha256_block((uint32_t *)w, ctx);
+ memset(w, 0, 60);
+ }
+
+ /* write number of bits to end of block */
+ tmp = cpu_to_be64(bits);
+ memcpy(&w[14], &tmp, 8);
+
+ sha256_block(w, ctx);
+
+ /* need to switch result's endianness */
+ for (num = 0; num < 8; num++)
+ ctx->h[num] = cpu_to_be32(ctx->h[num]);
+}
+
+uint32_t sha256(const uint8_t *data, uint32_t length, uint8_t *hash)
+{
+ sha256_ctx ctx = {
+ .h = {
+ /*
+ * FIPS 180-4: 6.2.1
+ * -> 5.3.3: initial hash value
+ */
+ 0x6a09e667,
+ 0xbb67ae85,
+ 0x3c6ef372,
+ 0xa54ff53a,
+ 0x510e527f,
+ 0x9b05688c,
+ 0x1f83d9ab,
+ 0x5be0cd19
+ }
+ };
+
+ sha256_do(&ctx, data, length);
+ memcpy(hash, &ctx.h[0], 32);
+
+ return 0;
+}
+
+#ifdef HAVE_MAIN
+
+/*
+ * Test vectors for sha256
+ * Source: https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/SHA256.pdf
+ *
+ * gcc sha256.c -o sha256 -DHAVE_MAIN -I../../include -I../../slof
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void check_hash(const char *t,
+ const unsigned char *hash,
+ const unsigned char *expected)
+{
+ unsigned i;
+
+ printf("%s : ", t);
+ if (memcmp(hash, expected, 32)) {
+ printf("fail\nexpected :");
+ for (i = 0; i < 32; i++)
+ printf(" %02x", expected[i]);
+ printf("\nactual:");
+ for (i = 0; i < 32; i++)
+ printf(" %02x", hash[i]);
+ printf("\n");
+ } else {
+ printf("pass\n");
+ }
+}
+
+int main(void)
+{
+ unsigned char hash[32];
+ char *buf;
+
+ sha256("abc", 3, hash);
+ check_hash("Test 1", hash,
+ (unsigned char[]){0xba, 0x78, 0x16, 0xbf,
+ 0x8f, 0x01, 0xcf, 0xea,
+ 0x41, 0x41, 0x40, 0xde,
+ 0x5d, 0xae, 0x22, 0x23,
+ 0xb0, 0x03, 0x61, 0xa3,
+ 0x96, 0x17, 0x7a, 0x9c,
+ 0xb4, 0x10, 0xff, 0x61,
+ 0xf2, 0x00, 0x15, 0xad});
+
+ sha256("", 0, hash);
+ check_hash("Test 2", hash,
+ (unsigned char[]){0xe3, 0xb0, 0xc4, 0x42,
+ 0x98, 0xfc, 0x1c, 0x14,
+ 0x9a, 0xfb, 0xf4, 0xc8,
+ 0x99, 0x6f, 0xb9, 0x24,
+ 0x27, 0xae, 0x41, 0xe4,
+ 0x64, 0x9b, 0x93, 0x4c,
+ 0xa4, 0x95, 0x99, 0x1b,
+ 0x78, 0x52, 0xb8, 0x55});
+
+ sha256("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+ 448 / 8, hash);
+ check_hash("Test 3", hash,
+ (unsigned char[]){0x24, 0x8d, 0x6a, 0x61,
+ 0xd2, 0x06, 0x38, 0xb8,
+ 0xe5, 0xc0, 0x26, 0x93,
+ 0x0c, 0x3e, 0x60, 0x39,
+ 0xa3, 0x3c, 0xe4, 0x59,
+ 0x64, 0xff, 0x21, 0x67,
+ 0xf6, 0xec, 0xed, 0xd4,
+ 0x19, 0xdb, 0x06, 0xc1});
+
+ sha256("abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+ "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
+ 896 / 8, hash);
+ check_hash("Test 4", hash,
+ (unsigned char[]){0xcf, 0x5b, 0x16, 0xa7,
+ 0x78, 0xaf, 0x83, 0x80,
+ 0x03, 0x6c, 0xe5, 0x9e,
+ 0x7b, 0x04, 0x92, 0x37,
+ 0x0b, 0x24, 0x9b, 0x11,
+ 0xe8, 0xf0, 0x7a, 0x51,
+ 0xaf, 0xac, 0x45, 0x03,
+ 0x7a, 0xfe, 0xe9, 0xd1});
+
+ buf = malloc(1000000);
+ memset(buf, 'a', 1000000);
+ sha256(buf, 1000000, hash);
+ check_hash("Test 5", hash,
+ (unsigned char[]){0xcd, 0xc7, 0x6e, 0x5c,
+ 0x99, 0x14, 0xfb, 0x92,
+ 0x81, 0xa1, 0xc7, 0xe2,
+ 0x84, 0xd7, 0x3e, 0x67,
+ 0xf1, 0x80, 0x9a, 0x48,
+ 0xa4, 0x97, 0x20, 0x0e,
+ 0x04, 0x6d, 0x39, 0xcc,
+ 0xc7, 0x11, 0x2c, 0xd0});
+}
+
+#endif
diff --git a/lib/libtpm/sha256.h b/lib/libtpm/sha256.h
new file mode 100644
index 0000000..66c2187
--- /dev/null
+++ b/lib/libtpm/sha256.h
@@ -0,0 +1,20 @@
+/*****************************************************************************
+ * Copyright (c) 2015-2020 IBM Corporation
+ * All rights reserved.
+ * This program and the accompanying materials
+ * are made available under the terms of the BSD License
+ * which accompanies this distribution, and is available at
+ * http://www.opensource.org/licenses/bsd-license.php
+ *
+ * Contributors:
+ * IBM Corporation - initial implementation
+ *****************************************************************************/
+
+#ifndef __SHA256_H
+#define __SHA256_H
+
+#include "types.h"
+
+uint32_t sha256(const uint8_t *data, uint32_t length, uint8_t *hash);
+
+#endif /* __SHA256_H */
--
2.24.1
More information about the SLOF
mailing list