[SLOF] [PATCH v6 5/7] tpm: Add sha256 implementation
Alexey Kardashevskiy
aik at ozlabs.ru
Mon Jan 20 19:10:04 AEDT 2020
On 16/01/2020 07:00, Stefan Berger wrote:
> The following patch adds a SHA256 implementation based on the algorithm
> description in NIST FIPS PUB 180-4. The patch includes test cases that test
> the sha256 implementation and pass on big and little endian ppc64 hosts.
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
> lib/libtpm/Makefile | 2 +-
> lib/libtpm/sha256.c | 316 ++++++++++++++++++++++++++++++++++++++++++++
> lib/libtpm/sha256.h | 20 +++
> 3 files changed, 337 insertions(+), 1 deletion(-)
> create mode 100644 lib/libtpm/sha256.c
> create mode 100644 lib/libtpm/sha256.h
>
> diff --git a/lib/libtpm/Makefile b/lib/libtpm/Makefile
> index ff19e1c..7efad28 100644
> --- a/lib/libtpm/Makefile
> +++ b/lib/libtpm/Makefile
> @@ -23,7 +23,7 @@ TARGET = ../libtpm.a
>
> all: $(TARGET)
>
> -SRCS = tpm_drivers.c
> +SRCS = tpm_drivers.c sha256.c
>
> OBJS = $(SRCS:%.c=%.o)
>
> diff --git a/lib/libtpm/sha256.c b/lib/libtpm/sha256.c
> new file mode 100644
> index 0000000..6acff92
> --- /dev/null
> +++ b/lib/libtpm/sha256.c
> @@ -0,0 +1,316 @@
> +/*****************************************************************************
> + * Copyright (c) 2015-2020 IBM Corporation
> + * All rights reserved.
> + * This program and the accompanying materials
> + * are made available under the terms of the BSD License
> + * which accompanies this distribution, and is available at
> + * http://www.opensource.org/licenses/bsd-license.php
> + *
> + * Contributors:
> + * IBM Corporation - initial implementation
> + *****************************************************************************/
> +
> +/*
> + * See: NIST standard for SHA-1 in FIPS PUB 180-4
> + */
> +
> +#include "byteorder.h"
> +#include "sha256.h"
> +#include "string.h"
> +
> +typedef struct _sha256_ctx {
> + uint32_t h[8];
> +} sha256_ctx;
> +
> +static inline uint32_t rotr(uint32_t x, uint8_t n)
> +{
> + return (x >> n) | (x << (32 - n));
> +}
> +
> +static inline uint32_t Ch(uint32_t x, uint32_t y, uint32_t z)
> +{
> + return (x & y) | ((x ^ 0xffffffff) & z);
> +}
> +
> +static inline uint32_t Maj(uint32_t x, uint32_t y, uint32_t z)
> +{
> + return (x & y) | (x & z) | (y & z);
> +}
> +
> +static inline uint32_t sum0(uint32_t x)
> +{
> + return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22);
> +}
> +
> +static inline uint32_t sum1(uint32_t x)
> +{
> + return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25);
> +}
> +
> +static inline uint32_t sigma0(uint32_t x)
> +{
> + return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3);
> +}
> +
> +static inline uint32_t sigma1(uint32_t x)
> +{
> + return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10);
> +}
> +
> +static void sha256_block(uint32_t *w, sha256_ctx *ctx)
> +{
> + uint32_t t;
> + uint32_t a, b, c, d, e, f, g, h;
> + uint32_t T1, T2;
> +
> + /*
> + * FIPS 180-4 4.2.2: SHA256 Constants
> + */
> + static const uint32_t sha_ko[64] = {
> + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
> + 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
> + 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
> + 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
> + 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
> + 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
> + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
> + 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
> + 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
> + 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
> + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
> + 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
> + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
> + 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
> + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
> + 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
> + };
> +
> + /*
> + * FIPS 180-4 6.2.2: step 1
> + *
> + * 0 <= i <= 15:
> + * W(t) = M(t)
> + * 16 <= i <= 79:
> + * W(t) = sigma1(W(t-2)) + W(t-7) + sigma0(W(t-15)) + W(t-16)
> + */
> +
> + /* w(0)..w(15) are in big endian format */
> + for (t = 0; t <= 15; t++)
> + w[t] = be32_to_cpu(w[t]);
> +
> + for (t = 16; t <= 63; t++)
> + w[t] = sigma1(w[t-2]) + w[t-7] + sigma0(w[t-15]) + w[t-16];
> +
> + /*
> + * step 2: a = H0, b = H1, c = H2, d = H3, e = H4, f = H5, g = H6, h = H7
> + */
> + a = ctx->h[0];
> + b = ctx->h[1];
> + c = ctx->h[2];
> + d = ctx->h[3];
> + e = ctx->h[4];
> + f = ctx->h[5];
> + g = ctx->h[6];
> + h = ctx->h[7];
> +
> + /*
> + * step 3: For i = 0 to 63:
> + * T1 = h + sum1(e) + Ch(e,f,g) + K(t) + W(t);
> + * T2 = sum0(a) + Maj(a,b,c)
> + * h = g; g = f; f = e; e = d + T1; d = c; c = b; b = a; a + T1 + T2
> + */
> + for (t = 0; t <= 63; t++) {
> + T1 = h + sum1(e) + Ch(e, f, g) + sha_ko[t] + w[t];
> + T2 = sum0(a) + Maj(a, b, c);
> + h = g;
> + g = f;
> + f = e;
> + e = d + T1;
> + d = c;
> + c = b;
> + b = a;
> + a = T1 + T2;
> + }
> +
> + /*
> + * step 4:
> + * H0 = a + H0, H1 = b + H1, H2 = c + H2, H3 = d + H3, H4 = e + H4
> + */
> + ctx->h[0] += a;
> + ctx->h[1] += b;
> + ctx->h[2] += c;
> + ctx->h[3] += d;
> + ctx->h[4] += e;
> + ctx->h[5] += f;
> + ctx->h[6] += g;
> + ctx->h[7] += h;
> +}
> +
> +static void sha256_do(sha256_ctx *ctx, const uint8_t *data32, uint32_t length)
> +{
> + uint32_t offset;
> + uint16_t num;
> + uint32_t bits = 0;
> + uint32_t w[64];
> + uint64_t tmp;
> +
> + /* treat data in 64-byte chunks */
> + for (offset = 0; length - offset >= 64; offset += 64) {
> + memcpy(w, data32 + offset, 64);
> + sha256_block((uint32_t *)w, ctx);
> + bits += (64 * 8);
> + }
> +
> + /* last block with less than 64 bytes */
> + num = length - offset;
> + bits += (num << 3);
> +
> + memcpy(w, data32 + offset, num);
> + /*
> + * FIPS 180-4 5.1: Padding the Message
> + */
> + ((uint8_t *)w)[num] = 0x80;
> + if (64 - (num + 1) > 0)
> + memset( &((uint8_t *)w)[num + 1], 0, 64 - (num + 1));
> +
> + if (num >= 56) {
> + /* cannot append number of bits here */
> + sha256_block((uint32_t *)w, ctx);
> + memset(w, 0, 60);
> + }
> +
> + /* write number of bits to end of block */
> + tmp = cpu_to_be64(bits);
> + memcpy(&w[14], &tmp, 8);
> +
> + sha256_block(w, ctx);
> +
> + /* need to switch result's endianness */
> + for (num = 0; num < 8; num++)
> + ctx->h[num] = cpu_to_be32(ctx->h[num]);
> +}
> +
> +uint32_t sha256(const uint8_t *data, uint32_t length, uint8_t *hash)
> +{
> + sha256_ctx ctx = {
> + .h = {
> + /*
> + * FIPS 180-4: 6.2.1
> + * -> 5.3.3: initial hash value
> + */
> + 0x6a09e667,
> + 0xbb67ae85,
> + 0x3c6ef372,
> + 0xa54ff53a,
> + 0x510e527f,
> + 0x9b05688c,
> + 0x1f83d9ab,
> + 0x5be0cd19
> + }
> + };
> +
> + sha256_do(&ctx, data, length);
> + memcpy(hash, &ctx.h[0], 32);
s/32/sizeof(ctx)/ ? I
> +
> + return 0;
Make sha256() return void then?
> +}
> +
> +#ifdef HAVE_MAIN
I suppose the tests have passed so we do not really need the tests in
the SLOF tree, no? I strongly suspect nobody will ever run this. Thanks,
> +
> +/*
> + * Test vectors for sha256
> + * Source: https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/SHA256.pdf
> + *
> + * gcc sha256.c -o sha256 -DHAVE_MAIN -I../../include -I../../slof
> + */
> +
> +#include <stdio.h>
> +#include <stdlib.h>
> +
> +void check_hash(const char *t,
> + const unsigned char *hash,
> + const unsigned char *expected)
> +{
> + unsigned i;
> +
> + printf("%s : ", t);
> + if (memcmp(hash, expected, 32)) {
> + printf("fail\nexpected :");
> + for (i = 0; i < 32; i++)
> + printf(" %02x", expected[i]);
> + printf("\nactual:");
> + for (i = 0; i < 32; i++)
> + printf(" %02x", hash[i]);
> + printf("\n");
> + } else {
> + printf("pass\n");
> + }
> +}
> +
> +int main(void)
> +{
> + unsigned char hash[32];
> + char *buf;
> +
> + sha256("abc", 3, hash);
> + check_hash("Test 1", hash,
> + (unsigned char[]){0xba, 0x78, 0x16, 0xbf,
> + 0x8f, 0x01, 0xcf, 0xea,
> + 0x41, 0x41, 0x40, 0xde,
> + 0x5d, 0xae, 0x22, 0x23,
> + 0xb0, 0x03, 0x61, 0xa3,
> + 0x96, 0x17, 0x7a, 0x9c,
> + 0xb4, 0x10, 0xff, 0x61,
> + 0xf2, 0x00, 0x15, 0xad});
> +
> + sha256("", 0, hash);
> + check_hash("Test 2", hash,
> + (unsigned char[]){0xe3, 0xb0, 0xc4, 0x42,
> + 0x98, 0xfc, 0x1c, 0x14,
> + 0x9a, 0xfb, 0xf4, 0xc8,
> + 0x99, 0x6f, 0xb9, 0x24,
> + 0x27, 0xae, 0x41, 0xe4,
> + 0x64, 0x9b, 0x93, 0x4c,
> + 0xa4, 0x95, 0x99, 0x1b,
> + 0x78, 0x52, 0xb8, 0x55});
> +
> + sha256("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
> + 448 / 8, hash);
> + check_hash("Test 3", hash,
> + (unsigned char[]){0x24, 0x8d, 0x6a, 0x61,
> + 0xd2, 0x06, 0x38, 0xb8,
> + 0xe5, 0xc0, 0x26, 0x93,
> + 0x0c, 0x3e, 0x60, 0x39,
> + 0xa3, 0x3c, 0xe4, 0x59,
> + 0x64, 0xff, 0x21, 0x67,
> + 0xf6, 0xec, 0xed, 0xd4,
> + 0x19, 0xdb, 0x06, 0xc1});
> +
> + sha256("abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
> + "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
> + 896 / 8, hash);
> + check_hash("Test 4", hash,
> + (unsigned char[]){0xcf, 0x5b, 0x16, 0xa7,
> + 0x78, 0xaf, 0x83, 0x80,
> + 0x03, 0x6c, 0xe5, 0x9e,
> + 0x7b, 0x04, 0x92, 0x37,
> + 0x0b, 0x24, 0x9b, 0x11,
> + 0xe8, 0xf0, 0x7a, 0x51,
> + 0xaf, 0xac, 0x45, 0x03,
> + 0x7a, 0xfe, 0xe9, 0xd1});
> +
> + buf = malloc(1000000);
> + memset(buf, 'a', 1000000);
> + sha256(buf, 1000000, hash);
> + check_hash("Test 5", hash,
> + (unsigned char[]){0xcd, 0xc7, 0x6e, 0x5c,
> + 0x99, 0x14, 0xfb, 0x92,
> + 0x81, 0xa1, 0xc7, 0xe2,
> + 0x84, 0xd7, 0x3e, 0x67,
> + 0xf1, 0x80, 0x9a, 0x48,
> + 0xa4, 0x97, 0x20, 0x0e,
> + 0x04, 0x6d, 0x39, 0xcc,
> + 0xc7, 0x11, 0x2c, 0xd0});
> +}
> +
> +#endif
> diff --git a/lib/libtpm/sha256.h b/lib/libtpm/sha256.h
> new file mode 100644
> index 0000000..66c2187
> --- /dev/null
> +++ b/lib/libtpm/sha256.h
> @@ -0,0 +1,20 @@
> +/*****************************************************************************
> + * Copyright (c) 2015-2020 IBM Corporation
> + * All rights reserved.
> + * This program and the accompanying materials
> + * are made available under the terms of the BSD License
> + * which accompanies this distribution, and is available at
> + * http://www.opensource.org/licenses/bsd-license.php
> + *
> + * Contributors:
> + * IBM Corporation - initial implementation
> + *****************************************************************************/
> +
> +#ifndef __SHA256_H
> +#define __SHA256_H
> +
> +#include "types.h"
> +
> +uint32_t sha256(const uint8_t *data, uint32_t length, uint8_t *hash);
> +
> +#endif /* __SHA256_H */
>
--
Alexey
More information about the SLOF
mailing list