/* mbed Microcontroller Library
 * Copyright (c) 2015-2016 Nuvoton
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif

#if defined(MBEDTLS_SHA1_C) || defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA512_C)

#if defined(MBEDTLS_SHA1_ALT) || defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA512_ALT)

#if defined(MBEDTLS_SHA1_ALT)
#include "sha1_alt.h"
#endif /* MBEDTLS_SHA1_ALT */

#if defined(MBEDTLS_SHA256_ALT)
#include "sha256_alt.h"
#endif /* MBEDTLS_SHA256_ALT */

#if defined(MBEDTLS_SHA512_ALT)
#include "sha512_alt.h"
#endif /* MBEDTLS_SHA512_ALT */

#include "nu_bitutil.h"
#include "mbed_assert.h"
#include "crypto-misc.h"

#include <string.h>

/* Helpers shared by the SHA-1, SHA-256 and SHA-512 wrappers; defined at the end of this file. */
/* Buffers input in ctx and hands complete blocks to the SHA engine. */
void crypto_sha_update(crypto_sha_context *ctx, const unsigned char *input, size_t ilen);
/* Feeds one complete block, or the final (possibly short) block when islast is non-zero, straight to the engine. */
void crypto_sha_update_nobuf(crypto_sha_context *ctx, const unsigned char *input, size_t ilen, int islast);
/* Copies olen bytes of the engine's digest registers (CRPT->HMAC_DGST) into output. */
void crypto_sha_getinternstate(unsigned char output[], size_t olen);

#endif /* MBEDTLS_SHA1_ALT || MBEDTLS_SHA256_ALT || MBEDTLS_SHA512_ALT */

#if defined(MBEDTLS_SHA1_C)
#if defined(MBEDTLS_SHA1_ALT)

/**
 * Prepare a SHA-1 hardware context for first use.
 *
 * Calls crypto_init() and then clears every byte of the context. This
 * function itself writes no CRPT register; what crypto_init() does is not
 * visible in this file.
 *
 * @param ctx  Context to clear. Dereferenced without a NULL check.
 */
void mbedtls_sha1_hw_init(crypto_sha_context *ctx)
{
    crypto_init();
    memset(ctx, 0, sizeof *ctx);
}

/**
 * Wipe a SHA-1 hardware context.
 *
 * The context holds buffered message bytes, so it is cleared with
 * crypto_zeroize() rather than left as-is. A NULL pointer is accepted and
 * ignored.
 *
 * NOTE(review): only the context memory is wiped here; the digest left in
 * CRPT->HMAC_DGST is not touched by this function. Confirm where (if
 * anywhere) the registers are cleared when that matters for keyed uses.
 *
 * @param ctx  Context to wipe, or NULL.
 */
void mbedtls_sha1_hw_free(crypto_sha_context *ctx)
{
    if (ctx != NULL) {
        crypto_zeroize(ctx, sizeof *ctx);
    }
}

/**
 * Copy a SHA-1 hardware context by plain structure assignment.
 *
 * NOTE(review): this copies the software-side context only. The running
 * digest is read from CRPT->HMAC_DGST by crypto_sha_getinternstate(), so a
 * clone taken in the middle of a hash presumably does not capture the
 * engine's intermediate state unless crypto_sha_context stores it - confirm
 * against the structure definition.
 *
 * @param dst  Destination context, overwritten.
 * @param src  Source context, left unchanged.
 */
void mbedtls_sha1_hw_clone(crypto_sha_context *dst, const crypto_sha_context *src)
{
    *dst = *src;
}

/**
 * Begin a new SHA-1 computation on the hardware engine.
 *
 * Resets the context bookkeeping, selects SHA-1 mode through SHA_Open() and
 * sets the START bit. The register writes keep the order STOP, SHA_Open,
 * START.
 *
 * NOTE(review): the engine is addressed through the single CRPT register
 * block and no lock is taken in this function; confirm how concurrent
 * hash contexts are serialised.
 *
 * @param ctx  Context to reset. Dereferenced without a NULL check.
 */
void mbedtls_sha1_hw_starts(crypto_sha_context *ctx)
{
    /* SHA-1 consumes 64-byte blocks; the mask is the block size minus one. */
    enum { SHA1_BLOCK_BYTES = 64, SHA1_BLOCK_MASK = SHA1_BLOCK_BYTES - 1 };

    // mbedtls may call mbedtls_shaXXX_starts several times before a single
    // mbedtls_shaXXX_finish, so request a stop before reconfiguring.
    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_STOP_Msk;

    ctx->total = 0;
    ctx->buffer_left = 0;
    ctx->blocksize = SHA1_BLOCK_BYTES;
    ctx->blocksize_mask = SHA1_BLOCK_MASK;

    SHA_Open(SHA_MODE_SHA1, SHA_NO_SWAP, 0);

    // Per the original author's note: this makes the SHA_DGST registers hold
    // the correct initial internal state even though no data has been fed yet.
    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_START_Msk;
}

/**
 * Add message bytes to a SHA-1 computation.
 *
 * Thin wrapper: all buffering and block handling is done by
 * crypto_sha_update().
 *
 * @param ctx    Context previously set up by mbedtls_sha1_hw_starts().
 * @param input  Message bytes.
 * @param ilen   Number of bytes at input.
 */
void mbedtls_sha1_hw_update(crypto_sha_context *ctx, const unsigned char *input, size_t ilen)
{
    crypto_sha_update(ctx, input, ilen);
}

/**
 * Finish a SHA-1 computation and write the 20-byte digest.
 *
 * When at least one byte was hashed, the bytes still held in ctx->buffer are
 * sent to the engine as the last block, the digest is read back from the
 * engine and the engine is stopped. For an empty message the software SHA-1
 * implementation is used instead and the engine is not touched.
 *
 * NOTE(review): crypto_sha_update() accumulates ctx->total with a uint32_t
 * cast. If the field is 32 bits wide, a message whose length is a multiple
 * of 2^32 bytes would take the empty-message path - confirm the field width.
 *
 * @param ctx     Context holding the running computation.
 * @param output  Receives the digest; must have room for 20 bytes.
 */
void mbedtls_sha1_hw_finish(crypto_sha_context *ctx, unsigned char output[20])
{
    if (ctx->total == 0) {
        // H/W SHA cannot handle zero data well. Fall back to S/W SHA.
        mbedtls_sha1_sw_context sw;

        mbedtls_sha1_sw_init(&sw);
        mbedtls_sha1_sw_starts(&sw);
        mbedtls_sha1_sw_finish(&sw, output);
        mbedtls_sha1_sw_free(&sw);
        return;
    }

    // Flush whatever is buffered as the final block, then read the result.
    crypto_sha_update_nobuf(ctx, ctx->buffer, ctx->buffer_left, 1);
    ctx->buffer_left = 0;
    crypto_sha_getinternstate(output, 20);

    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_STOP_Msk;
}

/**
 * Add exactly one 64-byte SHA-1 block to the computation.
 *
 * Goes through the same buffered path as mbedtls_sha1_hw_update(), so the
 * byte count in the context is updated as well.
 *
 * @param ctx   Context holding the running computation.
 * @param data  One 64-byte block.
 */
void mbedtls_sha1_hw_process(crypto_sha_context *ctx, const unsigned char data[64])
{
    crypto_sha_update(ctx, data, 64);
}

#endif /* MBEDTLS_SHA1_ALT */
#endif /* MBEDTLS_SHA1_C */

#if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_SHA256_ALT)

/**
 * Prepare a SHA-224/SHA-256 hardware context for first use.
 *
 * Calls crypto_init() and then clears every byte of the context. This
 * function itself writes no CRPT register; what crypto_init() does is not
 * visible in this file.
 *
 * @param ctx  Context to clear. Dereferenced without a NULL check.
 */
void mbedtls_sha256_hw_init(crypto_sha_context *ctx)
{
    crypto_init();
    memset(ctx, 0, sizeof *ctx);
}

/**
 * Wipe a SHA-224/SHA-256 hardware context.
 *
 * The context holds buffered message bytes, so it is cleared with
 * crypto_zeroize(). A NULL pointer is accepted and ignored.
 *
 * NOTE(review): only the context memory is wiped here; the digest left in
 * CRPT->HMAC_DGST is not touched by this function.
 *
 * @param ctx  Context to wipe, or NULL.
 */
void mbedtls_sha256_hw_free(crypto_sha_context *ctx)
{
    if (ctx != NULL) {
        crypto_zeroize(ctx, sizeof *ctx);
    }
}

/**
 * Copy a SHA-224/SHA-256 hardware context by plain structure assignment.
 *
 * NOTE(review): this copies the software-side context only. The running
 * digest is read from CRPT->HMAC_DGST by crypto_sha_getinternstate(), so a
 * clone taken in the middle of a hash presumably does not capture the
 * engine's intermediate state unless crypto_sha_context stores it - confirm
 * against the structure definition.
 *
 * @param dst  Destination context, overwritten.
 * @param src  Source context, left unchanged.
 */
void mbedtls_sha256_hw_clone(crypto_sha_context *dst, const crypto_sha_context *src)
{
    *dst = *src;
}

/**
 * Begin a new SHA-224 or SHA-256 computation on the hardware engine.
 *
 * Resets the context bookkeeping, records which variant was requested,
 * selects the matching mode through SHA_Open() and sets the START bit. The
 * register writes keep the order STOP, SHA_Open, START.
 *
 * NOTE(review): the engine is addressed through the single CRPT register
 * block and no lock is taken in this function; confirm how concurrent
 * hash contexts are serialised.
 *
 * @param ctx    Context to reset. Dereferenced without a NULL check.
 * @param is224  Non-zero selects SHA-224, zero selects SHA-256.
 */
void mbedtls_sha256_hw_starts( crypto_sha_context *ctx, int is224)
{
    /* Both variants consume 64-byte blocks; the mask is the block size minus one. */
    enum { SHA256_BLOCK_BYTES = 64, SHA256_BLOCK_MASK = SHA256_BLOCK_BYTES - 1 };

    // mbedtls may call mbedtls_shaXXX_starts several times before a single
    // mbedtls_shaXXX_finish, so request a stop before reconfiguring.
    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_STOP_Msk;

    ctx->total = 0;
    ctx->buffer_left = 0;
    ctx->blocksize = SHA256_BLOCK_BYTES;
    ctx->blocksize_mask = SHA256_BLOCK_MASK;
    ctx->is224_384 = is224;

    SHA_Open(is224 ? SHA_MODE_SHA224 : SHA_MODE_SHA256, SHA_NO_SWAP, 0);

    // Per the original author's note: this makes the SHA_DGST registers hold
    // the correct initial internal state even though no data has been fed yet.
    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_START_Msk;
}

/**
 * Add message bytes to a SHA-224/SHA-256 computation.
 *
 * Thin wrapper: all buffering and block handling is done by
 * crypto_sha_update().
 *
 * @param ctx    Context previously set up by mbedtls_sha256_hw_starts().
 * @param input  Message bytes.
 * @param ilen   Number of bytes at input.
 */
void mbedtls_sha256_hw_update(crypto_sha_context *ctx, const unsigned char *input, size_t ilen)
{
    crypto_sha_update(ctx, input, ilen);
}

/**
 * Finish a SHA-224/SHA-256 computation and write the digest.
 *
 * When at least one byte was hashed, the bytes still held in ctx->buffer are
 * sent to the engine as the last block, 28 (SHA-224) or 32 (SHA-256) digest
 * bytes are read back from the engine and the engine is stopped. For an
 * empty message the software implementation is used instead and the engine
 * is not touched.
 *
 * NOTE(review): crypto_sha_update() accumulates ctx->total with a uint32_t
 * cast. If the field is 32 bits wide, a message whose length is a multiple
 * of 2^32 bytes would take the empty-message path - confirm the field width.
 *
 * @param ctx     Context holding the running computation.
 * @param output  Receives the digest; must have room for 32 bytes.
 */
void mbedtls_sha256_hw_finish(crypto_sha_context *ctx, unsigned char output[32])
{
    if (ctx->total == 0) {
        // H/W SHA cannot handle zero data well. Fall back to S/W SHA.
        mbedtls_sha256_sw_context sw;

        mbedtls_sha256_sw_init(&sw);
        mbedtls_sha256_sw_starts(&sw, ctx->is224_384);
        mbedtls_sha256_sw_finish(&sw, output);
        mbedtls_sha256_sw_free(&sw);
        return;
    }

    // Flush whatever is buffered as the final block, then read the result.
    crypto_sha_update_nobuf(ctx, ctx->buffer, ctx->buffer_left, 1);
    ctx->buffer_left = 0;
    crypto_sha_getinternstate(output, ctx->is224_384 ? 28 : 32);

    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_STOP_Msk;
}

/**
 * Add exactly one 64-byte SHA-224/SHA-256 block to the computation.
 *
 * Goes through the same buffered path as mbedtls_sha256_hw_update(), so the
 * byte count in the context is updated as well.
 *
 * @param ctx   Context holding the running computation.
 * @param data  One 64-byte block.
 */
void mbedtls_sha256_hw_process(crypto_sha_context *ctx, const unsigned char data[64])
{
    crypto_sha_update(ctx, data, 64);
}

#endif /* MBEDTLS_SHA256_ALT */
#endif /* MBEDTLS_SHA256_C */


#if defined(MBEDTLS_SHA512_C)
#if defined(MBEDTLS_SHA512_ALT)

/**
 * Prepare a SHA-384/SHA-512 hardware context for first use.
 *
 * Calls crypto_init() and then clears every byte of the context. This
 * function itself writes no CRPT register; what crypto_init() does is not
 * visible in this file.
 *
 * @param ctx  Context to clear. Dereferenced without a NULL check.
 */
void mbedtls_sha512_hw_init(crypto_sha_context *ctx)
{
    crypto_init();
    memset(ctx, 0, sizeof *ctx);
}

/**
 * Wipe a SHA-384/SHA-512 hardware context.
 *
 * The context holds buffered message bytes, so it is cleared with
 * crypto_zeroize(). A NULL pointer is accepted and ignored.
 *
 * NOTE(review): only the context memory is wiped here; the digest left in
 * CRPT->HMAC_DGST is not touched by this function.
 *
 * @param ctx  Context to wipe, or NULL.
 */
void mbedtls_sha512_hw_free(crypto_sha_context *ctx)
{
    if (ctx != NULL) {
        crypto_zeroize(ctx, sizeof *ctx);
    }
}

/**
 * Copy a SHA-384/SHA-512 hardware context by plain structure assignment.
 *
 * NOTE(review): this copies the software-side context only. The running
 * digest is read from CRPT->HMAC_DGST by crypto_sha_getinternstate(), so a
 * clone taken in the middle of a hash presumably does not capture the
 * engine's intermediate state unless crypto_sha_context stores it - confirm
 * against the structure definition.
 *
 * @param dst  Destination context, overwritten.
 * @param src  Source context, left unchanged.
 */
void mbedtls_sha512_hw_clone(crypto_sha_context *dst, const crypto_sha_context *src)
{
    *dst = *src;
}

/**
 * Begin a new SHA-384 or SHA-512 computation on the hardware engine.
 *
 * Resets the context bookkeeping, records which variant was requested,
 * selects the matching mode through SHA_Open() and sets the START bit. The
 * register writes keep the order STOP, SHA_Open, START.
 *
 * NOTE(review): the engine is addressed through the single CRPT register
 * block and no lock is taken in this function; confirm how concurrent
 * hash contexts are serialised.
 *
 * @param ctx    Context to reset. Dereferenced without a NULL check.
 * @param is384  Non-zero selects SHA-384, zero selects SHA-512.
 */
void mbedtls_sha512_hw_starts( crypto_sha_context *ctx, int is384)
{
    /* Both variants consume 128-byte blocks; the mask is the block size minus one. */
    enum { SHA512_BLOCK_BYTES = 128, SHA512_BLOCK_MASK = SHA512_BLOCK_BYTES - 1 };

    // mbedtls may call mbedtls_shaXXX_starts several times before a single
    // mbedtls_shaXXX_finish, so request a stop before reconfiguring.
    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_STOP_Msk;

    ctx->total = 0;
    ctx->buffer_left = 0;
    ctx->blocksize = SHA512_BLOCK_BYTES;
    ctx->blocksize_mask = SHA512_BLOCK_MASK;
    ctx->is224_384 = is384;

    SHA_Open(is384 ? SHA_MODE_SHA384 : SHA_MODE_SHA512, SHA_NO_SWAP, 0);

    // Per the original author's note: this makes the SHA_DGST registers hold
    // the correct initial internal state even though no data has been fed yet.
    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_START_Msk;
}

/**
 * Add message bytes to a SHA-384/SHA-512 computation.
 *
 * Thin wrapper: all buffering and block handling is done by
 * crypto_sha_update().
 *
 * @param ctx    Context previously set up by mbedtls_sha512_hw_starts().
 * @param input  Message bytes.
 * @param ilen   Number of bytes at input.
 */
void mbedtls_sha512_hw_update(crypto_sha_context *ctx, const unsigned char *input, size_t ilen)
{
    crypto_sha_update(ctx, input, ilen);
}

/**
 * Finish a SHA-384/SHA-512 computation and write the digest.
 *
 * When at least one byte was hashed, the bytes still held in ctx->buffer are
 * sent to the engine as the last block, 48 (SHA-384) or 64 (SHA-512) digest
 * bytes are read back from the engine and the engine is stopped. For an
 * empty message the software implementation is used instead and the engine
 * is not touched.
 *
 * NOTE(review): crypto_sha_update() accumulates ctx->total with a uint32_t
 * cast. If the field is 32 bits wide, a message whose length is a multiple
 * of 2^32 bytes would take the empty-message path - confirm the field width.
 *
 * @param ctx     Context holding the running computation.
 * @param output  Receives the digest; must have room for 64 bytes.
 */
void mbedtls_sha512_hw_finish(crypto_sha_context *ctx, unsigned char output[64])
{
    if (ctx->total == 0) {
        // H/W SHA cannot handle zero data well. Fall back to S/W SHA.
        mbedtls_sha512_sw_context sw;

        mbedtls_sha512_sw_init(&sw);
        mbedtls_sha512_sw_starts(&sw, ctx->is224_384);
        mbedtls_sha512_sw_finish(&sw, output);
        mbedtls_sha512_sw_free(&sw);
        return;
    }

    // Flush whatever is buffered as the final block, then read the result.
    crypto_sha_update_nobuf(ctx, ctx->buffer, ctx->buffer_left, 1);
    ctx->buffer_left = 0;
    crypto_sha_getinternstate(output, ctx->is224_384 ? 48 : 64);

    CRPT->HMAC_CTL |= CRPT_HMAC_CTL_STOP_Msk;
}

/**
 * Add exactly one 128-byte SHA-384/SHA-512 block to the computation.
 *
 * Goes through the same buffered path as mbedtls_sha512_hw_update(), so the
 * byte count in the context is updated as well.
 *
 * @param ctx   Context holding the running computation.
 * @param data  One 128-byte block.
 */
void mbedtls_sha512_hw_process(crypto_sha_context *ctx, const unsigned char data[128])
{
    crypto_sha_update(ctx, data, 128);
}

#endif /* MBEDTLS_SHA512_ALT */
#endif /* MBEDTLS_SHA512_C */

#if defined(MBEDTLS_SHA1_C) || defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA512_C)
#if defined(MBEDTLS_SHA1_ALT) || defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA512_ALT)

/**
 * Buffer message bytes and hand complete blocks to the SHA engine.
 *
 * A block is only sent to the engine once more input is known to follow it.
 * The most recent 1..blocksize bytes therefore always stay in ctx->buffer,
 * so the finish routine can submit them as the last block.
 *
 * The arithmetic below relies on ctx->buffer_left never exceeding
 * ctx->blocksize and on ctx->buffer holding at least ctx->blocksize bytes;
 * neither is checked here.
 *
 * @param ctx    Context set up by one of the *_hw_starts() functions.
 * @param input  Message bytes.
 * @param ilen   Number of bytes at input; zero is a no-op.
 */
void crypto_sha_update(crypto_sha_context *ctx, const unsigned char *input, size_t ilen)
{
    if (ilen == 0) {
        return;
    }

    const unsigned char *src = input;
    size_t pending = ilen;
    /* Free space left in the staging buffer before it holds a whole block. */
    const size_t room = ctx->blocksize - ctx->buffer_left;

    ctx->total += (uint32_t) ilen;

    /* Top up a partly filled buffer first when the input can complete it. */
    if (ctx->buffer_left != 0 && pending >= room) {
        memcpy((void *) (ctx->buffer + ctx->buffer_left), src, room);
        src += room;
        pending -= room;
        ctx->buffer_left += room;
        /* Flush only when more input follows; otherwise the full buffer is
         * kept back as a candidate last block. */
        if (pending != 0) {
            crypto_sha_update_nobuf(ctx, ctx->buffer, ctx->buffer_left, 0);
            ctx->buffer_left = 0;
        }
    }

    /* Send whole blocks straight from the caller's memory. The strict '>'
     * leaves between 1 and blocksize bytes for the buffer. */
    for (; pending > ctx->blocksize; src += ctx->blocksize, pending -= ctx->blocksize) {
        crypto_sha_update_nobuf(ctx, src, ctx->blocksize, 0);
    }

    if (pending != 0) {
        memcpy((void *) (ctx->buffer + ctx->buffer_left), src, pending);
        ctx->buffer_left += pending;
    }
}

/**
 * Push one block into the SHA engine a 32-bit word at a time through
 * CRPT->HMAC_DATIN, then wait until the engine has consumed it.
 *
 * The order of the register accesses below is part of the hardware
 * protocol; do not reorder them.
 *
 * NOTE(review): both wait loops poll without a timeout, so an engine that
 * never raises DATINREQ, never clears BUSY, or never changes a digest
 * register makes this function spin forever.
 *
 * @param ctx     Context; blocksize, blocksize_mask and total are read.
 * @param input   Block data. Read in 4-byte steps, so it must be readable
 *                up to the next multiple of 4 bytes past ilen. In this file
 *                a short last block always comes from ctx->buffer.
 * @param ilen    Byte count; must equal ctx->blocksize unless islast is set.
 * @param islast  Non-zero when this is the final block of the message.
 */
void crypto_sha_update_nobuf(crypto_sha_context *ctx, const unsigned char *input, size_t ilen, int islast)
{
    // Accept only:
    // 1. Last block which may be incomplete
    // 2. Non-last block which is complete
    MBED_ASSERT(islast || ilen == ctx->blocksize);
    
    const unsigned char *in_pos = input;
    // NOTE(review): size_t is narrowed to int here; callers in this file pass at most one block.
    int rmn = ilen;
    // Control word reused for every write: current HMAC_CTL with DMALAST, DMAEN and HMACEN cleared and START set.
    uint32_t sha_ctl_start = (CRPT->HMAC_CTL & ~(CRPT_HMAC_CTL_DMALAST_Msk | CRPT_HMAC_CTL_DMAEN_Msk | CRPT_HMAC_CTL_HMACEN_Msk)) | CRPT_HMAC_CTL_START_Msk;
    // Operating mode (SHA_MODE_*) currently programmed into the engine.
    uint32_t sha_opmode = (CRPT->HMAC_CTL & CRPT_HMAC_CTL_OPMODE_Msk) >> CRPT_HMAC_CTL_OPMODE_Pos;
    // Snapshot of the digest registers taken just before the last word of a non-last block is written.
    uint32_t DGST0_old = 0, DGST1_old = 0, DGST2_old = 0, DGST3_old = 0, DGST4_old = 0, DGST5_old = 0, DGST6_old = 0, DGST7_old = 0,
        DGST8_old = 0, DGST9_old = 0, DGST10_old = 0, DGST11_old = 0, DGST12_old = 0, DGST13_old = 0, DGST14_old = 0, DGST15_old = 0;
    
    while (rmn > 0) {
        CRPT->HMAC_CTL = sha_ctl_start;
        
        // Always loads 4 bytes, even when fewer than 4 remain (see the input parameter note).
        uint32_t data = nu_get32_be(in_pos);
        if (rmn <= 4) { // Last word of a (in)complete block
            if (islast) {
                // Tell the engine how many bytes the final block really holds; a remainder of 0 means a full block.
                uint32_t lastblock_size = ctx->total & ctx->blocksize_mask;
                if (lastblock_size == 0) {
                    lastblock_size = ctx->blocksize;
                }
                CRPT->HMAC_DMACNT = lastblock_size;
                CRPT->HMAC_CTL = sha_ctl_start | CRPT_HMAC_CTL_DMALAST_Msk;
            }
            else {
                // Record the current digest so completion can be detected below.
                // The cases fall through on purpose: each wider mode also saves the words of the narrower ones.
                switch (sha_opmode) {
                    case SHA_MODE_SHA512:
                        DGST15_old = CRPT->HMAC_DGST[15];
                        DGST14_old = CRPT->HMAC_DGST[14];
                        DGST13_old = CRPT->HMAC_DGST[13];
                        DGST12_old = CRPT->HMAC_DGST[12];
                        /* fallthrough */
                    case SHA_MODE_SHA384:
                        DGST11_old = CRPT->HMAC_DGST[11];
                        DGST10_old = CRPT->HMAC_DGST[10];
                        DGST9_old = CRPT->HMAC_DGST[9];
                        DGST8_old = CRPT->HMAC_DGST[8];
                        /* fallthrough */
                    case SHA_MODE_SHA256:
                        DGST7_old = CRPT->HMAC_DGST[7];
                        /* fallthrough */
                    case SHA_MODE_SHA224:
                        DGST5_old = CRPT->HMAC_DGST[5];
                        DGST6_old = CRPT->HMAC_DGST[6];
                        /* fallthrough */
                    case SHA_MODE_SHA1:
                        DGST0_old = CRPT->HMAC_DGST[0];
                        DGST1_old = CRPT->HMAC_DGST[1];
                        DGST2_old = CRPT->HMAC_DGST[2];
                        DGST3_old = CRPT->HMAC_DGST[3];
                        DGST4_old = CRPT->HMAC_DGST[4];
                }

                CRPT->HMAC_CTL = sha_ctl_start;
            }
        }
        else {  // Non-last word of a complete block
            CRPT->HMAC_CTL = sha_ctl_start;
        }
        // Wait until the engine requests the next input word (unbounded poll).
        while (! (CRPT->HMAC_STS & CRPT_HMAC_STS_DATINREQ_Msk));
        CRPT->HMAC_DATIN = data;
        
        in_pos += 4;
        rmn -= 4;
    }
    
    if (islast) {   // Finish of last block
        // Unbounded poll on the BUSY flag.
        while (CRPT->HMAC_STS & CRPT_HMAC_STS_BUSY_Msk);
    }
    else {  // Finish of non-last block
        // No H/W flag to indicate finish of non-last block process.
        // Values of SHA_DGSTx registers will change as last word of the block is input, so use it for judgement.
        // NOTE(review): the switch has no default case, so an opmode outside the five listed
        // values would never set isfinish and this loop would not terminate.
        int isfinish = 0;
        while (! isfinish) {
            // Each 'break' leaves the switch only; a mode whose own words are unchanged
            // falls through and also checks the words of the narrower modes.
            switch (sha_opmode) {
                case SHA_MODE_SHA512:
                    if (DGST12_old != CRPT->HMAC_DGST[12] || DGST13_old != CRPT->HMAC_DGST[13] || DGST14_old != CRPT->HMAC_DGST[14] ||
                        DGST15_old != CRPT->HMAC_DGST[15]) {
                        isfinish = 1;
                        break;
                    }
                    /* fallthrough */
                case SHA_MODE_SHA384:
                    if (DGST8_old != CRPT->HMAC_DGST[8] || DGST9_old != CRPT->HMAC_DGST[9] || DGST10_old != CRPT->HMAC_DGST[10] ||
                        DGST11_old != CRPT->HMAC_DGST[11]) {
                        isfinish = 1;
                        break;
                    }
                    /* fallthrough */
                case SHA_MODE_SHA256:
                    if (DGST7_old != CRPT->HMAC_DGST[7]) {
                        isfinish = 1;
                        break;
                    }
                    /* fallthrough */
                case SHA_MODE_SHA224:
                    if (DGST5_old != CRPT->HMAC_DGST[5] || DGST6_old != CRPT->HMAC_DGST[6]) {
                        isfinish = 1;
                        break;
                    }
                    /* fallthrough */
                case SHA_MODE_SHA1:
                    if (DGST0_old != CRPT->HMAC_DGST[0] || DGST1_old != CRPT->HMAC_DGST[1] || DGST2_old != CRPT->HMAC_DGST[2] ||
                        DGST3_old != CRPT->HMAC_DGST[3] || DGST4_old != CRPT->HMAC_DGST[4]) {
                        isfinish = 1;
                        break;
                    }
            }
        }
    }
}

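/**
 * Copy the engine's current digest registers into a byte buffer.
 *
 * Words are read from CRPT->HMAC_DGST starting at index 0 and stored with
 * nu_set32_be(). Whole words are written directly. If olen is not a multiple
 * of 4, only the leading bytes of the next word are copied, so exactly olen
 * bytes are written. The previous loop counted an unsigned remainder down in
 * steps of 4 and tested it against zero, so such a length wrapped the
 * counter and kept writing past the end of output.
 *
 * NOTE(review): olen is not checked against the number of digest registers;
 * callers in this file pass at most 64 bytes.
 *
 * @param output  Destination buffer with room for olen bytes.
 * @param olen    Number of digest bytes to copy.
 */
void crypto_sha_getinternstate(unsigned char output[], size_t olen)
{
    unsigned char *out_pos = output;
    size_t rmn = olen;
    size_t word = 0;

    while (rmn >= 4) {
        uint32_t val = CRPT->HMAC_DGST[word];
        nu_set32_be(out_pos, val);
        word++;
        out_pos += 4;
        rmn -= 4;
    }

    if (rmn > 0) {
        /* Serialise the word into scratch space so the tail copy never
         * writes beyond the bytes the caller asked for. */
        unsigned char last[4];
        uint32_t val = CRPT->HMAC_DGST[word];

        nu_set32_be(last, val);
        memcpy(out_pos, last, rmn);
    }
}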

#endif /* MBEDTLS_SHA1_ALT || MBEDTLS_SHA256_ALT || MBEDTLS_SHA512_ALT */
#endif /* MBEDTLS_SHA1_C || MBEDTLS_SHA256_C || MBEDTLS_SHA512_C */

#endif /* MBEDTLS_SHA1_C || MBEDTLS_SHA256_C || MBEDTLS_SHA512_C */