This repository was archived by the owner on Mar 5, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 163
Add support for SHA-512 message digest #42
Open
utzig
wants to merge
1
commit into
intel:master
Choose a base branch
from
utzig:add-sha512
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,6 +17,7 @@ OBJS:=aes_decrypt.o \ | |
| hmac.o \ | ||
| hmac_prng.o \ | ||
| sha256.o \ | ||
| sha512.o \ | ||
| ecc.o \ | ||
| ecc_dh.o \ | ||
| ecc_dsa.o \ | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| /* sha512.h - TinyCrypt interface to a SHA-512 implementation */ | ||
|
|
||
| /* | ||
| * Copyright (C) 2020 by Intel Corporation, All Rights Reserved. | ||
| * | ||
| * Redistribution and use in source and binary forms, with or without | ||
| * modification, are permitted provided that the following conditions are met: | ||
| * | ||
| * - Redistributions of source code must retain the above copyright notice, | ||
| * this list of conditions and the following disclaimer. | ||
| * | ||
| * - Redistributions in binary form must reproduce the above copyright | ||
| * notice, this list of conditions and the following disclaimer in the | ||
| * documentation and/or other materials provided with the distribution. | ||
| * | ||
| * - Neither the name of Intel Corporation nor the names of its contributors | ||
| * may be used to endorse or promote products derived from this software | ||
| * without specific prior written permission. | ||
| * | ||
| * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
| * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
| * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | ||
| * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
| * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
| * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
| * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
| * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
| * POSSIBILITY OF SUCH DAMAGE. | ||
| */ | ||
|
|
||
| /** | ||
| * @file | ||
| * @brief Interface to a SHA-512 implementation. | ||
| * | ||
| * Overview: SHA-512 is a NIST approved cryptographic hashing algorithm | ||
| * specified in FIPS 180. A hash algorithm maps data of arbitrary | ||
| * size to data of fixed length. | ||
| * | ||
| * Security: SHA-512 provides 256 bits of security against collision attacks | ||
| * and 512 bits of security against pre-image attacks. SHA-512 does | ||
| * NOT behave like a random oracle, but it can be used as one if | ||
| * the string being hashed is prefix-free encoded before hashing. | ||
| * | ||
| * Usage: 1) call tc_sha512_init to initialize a struct | ||
| * tc_sha512_state_struct before hashing a new string. | ||
| * | ||
| * 2) call tc_sha512_update to hash the next string segment; | ||
| * tc_sha512_update can be called as many times as needed to hash | ||
| * all of the segments of a string; the order is important. | ||
| * | ||
| * 3) call tc_sha512_final to out put the digest from a hashing | ||
| * operation. | ||
| */ | ||
|
|
||
| #ifndef __TC_SHA512_H__ | ||
| #define __TC_SHA512_H__ | ||
|
|
||
| #include <stddef.h> | ||
| #include <stdint.h> | ||
|
|
||
| #ifdef __cplusplus | ||
| extern "C" { | ||
| #endif | ||
|
|
||
| #define TC_SHA512_BLOCK_SIZE (128) | ||
| #define TC_SHA512_DIGEST_SIZE (64) | ||
| #define TC_SHA512_STATE_BLOCKS (TC_SHA512_DIGEST_SIZE/8) | ||
|
|
||
| struct tc_sha512_state_struct { | ||
| uint64_t iv[TC_SHA512_STATE_BLOCKS]; | ||
| uint64_t bits_hashed; | ||
| uint8_t leftover[TC_SHA512_BLOCK_SIZE]; | ||
| size_t leftover_offset; | ||
| }; | ||
|
|
||
| typedef struct tc_sha512_state_struct *TCSha512State_t; | ||
|
|
||
| /** | ||
| * @brief SHA512 initialization procedure | ||
| * Initializes s | ||
| * @return returns TC_CRYPTO_SUCCESS (1) | ||
| * returns TC_CRYPTO_FAIL (0) if s == NULL | ||
| * @param s Sha512 state struct | ||
| */ | ||
| int tc_sha512_init(TCSha512State_t s); | ||
|
|
||
| /** | ||
| * @brief SHA512 update procedure | ||
| * Hashes data_length bytes addressed by data into state s | ||
| * @return returns TC_CRYPTO_SUCCESS (1) | ||
| * returns TC_CRYPTO_FAIL (0) if: | ||
| * s == NULL, | ||
| * s->iv == NULL, | ||
| * data == NULL | ||
| * @note Assumes s has been initialized by tc_sha512_init | ||
| * @warning The state buffer 'leftover' is left in memory after processing | ||
| * If your application intends to have sensitive data in this | ||
| * buffer, remind to erase it after the data has been processed | ||
| * @param s Sha512 state struct | ||
| * @param data message to hash | ||
| * @param datalen length of message to hash | ||
| */ | ||
| int tc_sha512_update (TCSha512State_t s, const uint8_t *data, size_t datalen); | ||
|
|
||
| /** | ||
| * @brief SHA512 final procedure | ||
| * Inserts the completed hash computation into digest | ||
| * @return returns TC_CRYPTO_SUCCESS (1) | ||
| * returns TC_CRYPTO_FAIL (0) if: | ||
| * s == NULL, | ||
| * s->iv == NULL, | ||
| * digest == NULL | ||
| * @note Assumes: s has been initialized by tc_sha512_init | ||
| * digest points to at least TC_SHA512_DIGEST_SIZE bytes | ||
| * @warning The state buffer 'leftover' is left in memory after processing | ||
| * If your application intends to have sensitive data in this | ||
| * buffer, remind to erase it after the data has been processed | ||
| * @param digest unsigned eight bit integer | ||
| * @param Sha512 state struct | ||
| */ | ||
| int tc_sha512_final(uint8_t *digest, TCSha512State_t s); | ||
|
|
||
| #ifdef __cplusplus | ||
| } | ||
| #endif | ||
|
|
||
| #endif /* __TC_SHA512_H__ */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,234 @@ | ||
| /* sha512.c - TinyCrypt SHA-512 crypto hash algorithm implementation */ | ||
|
|
||
| /* | ||
| * Copyright (C) 2020 by Intel Corporation, All Rights Reserved. | ||
| * | ||
| * Redistribution and use in source and binary forms, with or without | ||
| * modification, are permitted provided that the following conditions are met: | ||
| * | ||
| * - Redistributions of source code must retain the above copyright notice, | ||
| * this list of conditions and the following disclaimer. | ||
| * | ||
| * - Redistributions in binary form must reproduce the above copyright | ||
| * notice, this list of conditions and the following disclaimer in the | ||
| * documentation and/or other materials provided with the distribution. | ||
| * | ||
| * - Neither the name of Intel Corporation nor the names of its contributors | ||
| * may be used to endorse or promote products derived from this software | ||
| * without specific prior written permission. | ||
| * | ||
| * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
| * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
| * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | ||
| * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
| * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
| * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
| * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
| * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
| * POSSIBILITY OF SUCH DAMAGE. | ||
| */ | ||
|
|
||
| #include <tinycrypt/sha512.h> | ||
| #include <tinycrypt/constants.h> | ||
| #include <tinycrypt/utils.h> | ||
|
|
||
| static void compress(uint64_t *iv, const uint8_t *data); | ||
|
|
||
| int tc_sha512_init(TCSha512State_t s) | ||
| { | ||
| /* input sanity check: */ | ||
| if (s == (TCSha512State_t) 0) { | ||
| return TC_CRYPTO_FAIL; | ||
| } | ||
|
|
||
| /* | ||
| * Setting the initial state values. | ||
| * These values correspond to the first 64 bits of the fractional parts | ||
| * of the square roots of the first 8 primes: 2, 3, 5, 7, 11, 13, 17 | ||
| * and 19. | ||
| */ | ||
| _set((uint8_t *) s, 0x00, sizeof(*s)); | ||
| s->iv[0] = 0x6a09e667f3bcc908; | ||
| s->iv[1] = 0xbb67ae8584caa73b; | ||
| s->iv[2] = 0x3c6ef372fe94f82b; | ||
| s->iv[3] = 0xa54ff53a5f1d36f1; | ||
| s->iv[4] = 0x510e527fade682d1; | ||
| s->iv[5] = 0x9b05688c2b3e6c1f; | ||
| s->iv[6] = 0x1f83d9abfb41bd6b; | ||
| s->iv[7] = 0x5be0cd19137e2179; | ||
|
|
||
| return TC_CRYPTO_SUCCESS; | ||
| } | ||
|
|
||
| int tc_sha512_update(TCSha512State_t s, const uint8_t *data, size_t datalen) | ||
| { | ||
| /* input sanity check: */ | ||
| if (s == (TCSha512State_t) 0 || data == (void *) 0) { | ||
| return TC_CRYPTO_FAIL; | ||
| } else if (datalen == 0) { | ||
| return TC_CRYPTO_SUCCESS; | ||
| } | ||
|
|
||
| while (datalen-- > 0) { | ||
| s->leftover[s->leftover_offset++] = *(data++); | ||
| if (s->leftover_offset >= TC_SHA512_BLOCK_SIZE) { | ||
| compress(s->iv, s->leftover); | ||
| s->leftover_offset = 0; | ||
| s->bits_hashed += (TC_SHA512_BLOCK_SIZE << 3); | ||
| } | ||
| } | ||
|
|
||
| return TC_CRYPTO_SUCCESS; | ||
| } | ||
|
|
||
| int tc_sha512_final(uint8_t *digest, TCSha512State_t s) | ||
| { | ||
| unsigned int i; | ||
|
|
||
| /* input sanity check: */ | ||
| if (digest == (uint8_t *) 0 || s == (TCSha512State_t) 0) { | ||
| return TC_CRYPTO_FAIL; | ||
| } | ||
|
|
||
| s->bits_hashed += (s->leftover_offset << 3); | ||
|
|
||
| s->leftover[s->leftover_offset++] = 0x80; /* always room for one byte */ | ||
| if (s->leftover_offset > (sizeof(s->leftover) - 16)) { | ||
| /* there is not room for all the padding in this block */ | ||
| _set(s->leftover + s->leftover_offset, 0x00, | ||
| sizeof(s->leftover) - s->leftover_offset); | ||
| compress(s->iv, s->leftover); | ||
| s->leftover_offset = 0; | ||
| } | ||
|
|
||
| /* | ||
| * add the padding and the length in big-Endian format | ||
| * | ||
| * NOTE: SHA-512 uses 128 bits for the length of the message, but the | ||
| * current implementation is only using 64 bits for size, leaving the | ||
| * 64 "upper" bits zeroed. | ||
| */ | ||
| _set(s->leftover + s->leftover_offset, 0x00, | ||
| sizeof(s->leftover) - 8 - s->leftover_offset); | ||
| s->leftover[sizeof(s->leftover) - 1] = (uint8_t)(s->bits_hashed); | ||
| s->leftover[sizeof(s->leftover) - 2] = (uint8_t)(s->bits_hashed >> 8); | ||
| s->leftover[sizeof(s->leftover) - 3] = (uint8_t)(s->bits_hashed >> 16); | ||
| s->leftover[sizeof(s->leftover) - 4] = (uint8_t)(s->bits_hashed >> 24); | ||
| s->leftover[sizeof(s->leftover) - 5] = (uint8_t)(s->bits_hashed >> 32); | ||
| s->leftover[sizeof(s->leftover) - 6] = (uint8_t)(s->bits_hashed >> 40); | ||
| s->leftover[sizeof(s->leftover) - 7] = (uint8_t)(s->bits_hashed >> 48); | ||
| s->leftover[sizeof(s->leftover) - 8] = (uint8_t)(s->bits_hashed >> 56); | ||
|
|
||
| /* hash the padding and length */ | ||
| compress(s->iv, s->leftover); | ||
|
|
||
| /* copy the iv out to digest */ | ||
| for (i = 0; i < TC_SHA512_STATE_BLOCKS; ++i) { | ||
| uint64_t t = *((uint64_t *) &s->iv[i]); | ||
| *digest++ = (uint8_t)(t >> 56); | ||
| *digest++ = (uint8_t)(t >> 48); | ||
| *digest++ = (uint8_t)(t >> 40); | ||
| *digest++ = (uint8_t)(t >> 32); | ||
| *digest++ = (uint8_t)(t >> 24); | ||
| *digest++ = (uint8_t)(t >> 16); | ||
| *digest++ = (uint8_t)(t >> 8); | ||
| *digest++ = (uint8_t)(t); | ||
| } | ||
|
|
||
| /* destroy the current state */ | ||
| _set(s, 0, sizeof(*s)); | ||
|
|
||
| return TC_CRYPTO_SUCCESS; | ||
| } | ||
|
|
||
| /* | ||
| * Initializing SHA-512 Hash constant words K. | ||
| * These values correspond to the first 64 bits of the fractional parts of the | ||
| * cube roots of the first 80 primes between 2 and 409. | ||
| */ | ||
| static const uint64_t k512[80] = { | ||
| 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc, 0x3956c25bf348b538, | ||
| 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, 0x12835b0145706fbe, | ||
| 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, | ||
| 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, | ||
| 0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, 0x983e5152ee66dfab, | ||
| 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725, | ||
| 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, | ||
| 0x53380d139d95b3df, 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b, | ||
| 0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218, | ||
| 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, | ||
| 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, | ||
| 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec, | ||
| 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b, 0xca273eceea26619c, | ||
| 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, 0x0a637dc5a2c898a6, | ||
| 0x113f9804bef90dae, 0x1b710b35131c471b, 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, | ||
| 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817 | ||
| }; | ||
|
|
||
| static inline uint64_t ROTR(uint64_t a, uint64_t n) | ||
| { | ||
| return (((a) >> n) | ((a) << (64 - n))); | ||
| } | ||
|
|
||
| #define Sigma0(a)(ROTR((a), 28) ^ ROTR((a), 34) ^ ROTR((a), 39)) | ||
| #define Sigma1(a)(ROTR((a), 14) ^ ROTR((a), 18) ^ ROTR((a), 41)) | ||
| #define sigma0(a)(ROTR((a), 1) ^ ROTR((a), 8) ^ ((a) >> 7)) | ||
| #define sigma1(a)(ROTR((a), 19) ^ ROTR((a), 61) ^ ((a) >> 6)) | ||
|
|
||
| #define Ch(a, b, c)(((a) & (b)) ^ ((~(a)) & (c))) | ||
| #define Maj(a, b, c)(((a) & (b)) ^ ((a) & (c)) ^ ((b) & (c))) | ||
|
|
||
| static inline uint64_t BigEndian(const uint8_t **c) | ||
| { | ||
| uint64_t n = 0; | ||
|
|
||
| n = (uint64_t)(*((*c)++)) << 56; | ||
| n |= (uint64_t)(*((*c)++)) << 48; | ||
| n |= (uint64_t)(*((*c)++)) << 40; | ||
| n |= (uint64_t)(*((*c)++)) << 32; | ||
| n |= (uint64_t)(*((*c)++)) << 24; | ||
| n |= (uint64_t)(*((*c)++)) << 16; | ||
| n |= (uint64_t)(*((*c)++)) << 8; | ||
| n |= (uint64_t)(*((*c)++)); | ||
| return n; | ||
| } | ||
|
|
||
| static void compress(uint64_t *iv, const uint8_t *data) | ||
| { | ||
| uint64_t a, b, c, d, e, f, g, h; | ||
| uint64_t s0, s1; | ||
| uint64_t t1, t2; | ||
| uint64_t work_space[16]; | ||
| uint64_t n; | ||
| unsigned int i; | ||
|
|
||
| a = iv[0]; b = iv[1]; c = iv[2]; d = iv[3]; | ||
| e = iv[4]; f = iv[5]; g = iv[6]; h = iv[7]; | ||
|
|
||
| for (i = 0; i < 16; ++i) { | ||
| n = BigEndian(&data); | ||
| t1 = work_space[i] = n; | ||
| t1 += h + Sigma1(e) + Ch(e, f, g) + k512[i]; | ||
| t2 = Sigma0(a) + Maj(a, b, c); | ||
| h = g; g = f; f = e; e = d + t1; | ||
| d = c; c = b; b = a; a = t1 + t2; | ||
| } | ||
|
|
||
| for ( ; i < 80; ++i) { | ||
| s0 = work_space[(i+1)&0x0f]; | ||
| s0 = sigma0(s0); | ||
| s1 = work_space[(i+14)&0x0f]; | ||
| s1 = sigma1(s1); | ||
|
|
||
| t1 = work_space[i&0xf] += s0 + s1 + work_space[(i+9)&0xf]; | ||
| t1 += h + Sigma1(e) + Ch(e, f, g) + k512[i]; | ||
| t2 = Sigma0(a) + Maj(a, b, c); | ||
| h = g; g = f; f = e; e = d + t1; | ||
| d = c; c = b; b = a; a = t1 + t2; | ||
| } | ||
|
|
||
| iv[0] += a; iv[1] += b; iv[2] += c; iv[3] += d; | ||
| iv[4] += e; iv[5] += f; iv[6] += g; iv[7] += h; | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
these two macros are exactly the same in
sha256.cmaybe would be better move itutils.hThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO it makes more sense to leave them here, because it's just two simple definitions that don't increase code size; it ends up being just a maintenance issue, but since the SHA family of hash primitives is not going to change, these definitions are most probably gonna stay here untouched forever! Also
utils.hfeels a bit too generic, maybe then it would be better to add asha.h(orsha_data.h,sha_priv.h, etc) file underlib/sourceto store the shared code.