scottk/OpenCellular
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/OpenCellular.git synced 2025-11-27 03:33:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

RSA signature verification and SHA-1/256/512 reference implementation for verified boot.

Browse Source 
Also contains some preliminary tests for these primitives.

Review URL: http://codereview.chromium.org/553023
This commit is contained in:
Gaurav Shah
2010-01-28 15:01:23 -08:00
commit 322536d2f9
21 changed files with 2479 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
Makefile Normal file
View File

@@ -0,0 +1,21 @@
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
export CC=gcc
export CFLAGS=-Wall -ansi
export TOP=$(shell pwd)
export INCLUDEDIR=$(TOP)/include
export INCLUDES=-I$(INCLUDEDIR)
SUBDIRS=common crypto utils tests
all:
for i in $(SUBDIRS); do \
( cd $$i ; $(MAKE)) ; \
done
clean:
for i in $(SUBDIRS); do \
( cd $$i ; make clean) ; \
done

17
common/Makefile Normal file
View File

@@ -0,0 +1,17 @@
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
SRCS=utility_stub.c
OBJS=$(SRCS:.c=.o)
all: libcommon.a
libcommon.a: $(OBJS)
ar rs $@ $<
.c.o: $(OBJS)
$(CC) $(CFLAGS) $(INCLUDES) -c $< -o $@
clean:
rm -f $(OBJS) libcommon.a

44
common/utility_stub.c Normal file
View File

@@ -0,0 +1,44 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
* Stub implementations of utility functions which call their linux-specific
* equivalents.
*/
#include "utility.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void* Malloc(size_t size) {
void* p = malloc(size);
if (!p) {
/* Fatal Error. We must abort. */
abort();
}
return p;
}
void Free(void* ptr) {
free(ptr);
}
void* Memcpy(void* dest, const void* src, size_t n) {
return memcpy(dest, src, n);
}
int SafeMemcmp(const void* s1, const void* s2, size_t n) {
int match = 1;
const unsigned char* us1 = s1;
const unsigned char* us2 = s2;
while (n--) {
if (*us1++ != *us2++)
match = 0;
else
match = 1;
}
return match;
}

20
crypto/Makefile Normal file
View File

@@ -0,0 +1,20 @@
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
SRCS=rsa.c sha1.c sha2.c padding.c
OBJS=$(SRCS:.c=.o)
all: libcrypto.a
libcrypto.a: $(OBJS)
ar rs libcrypto.a $(OBJS)
padding.c: genpadding.sh
./genpadding.sh >$@
.c.o: $(OBJS)
$(CC) $(CFLAGS) $(INCLUDES) -c $< -o $@
clean:
rm -f $(OBJS) libcrypto.a

169
crypto/genpadding.sh Executable file
View File

@@ -0,0 +1,169 @@
#!/bin/bash
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Script to generate padding.c containing PKCS 1.5 padding byte arrays for
# various combinations of RSA key lengths and message digest algorithms.
Pad_Preamble="0x00,0x01"
SHA1_Suffix="0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05"\
",0x00,0x04,0x14"
SHA256_Suffix="0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03"\
",0x04,0x02,0x01,0x05,0x00,0x04,0x20"
SHA512_Suffix="0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03"\
",0x04,0x02,0x03,0x05,0x00,0x04,0x40"
RSA1024_Len=128
RSA2048_Len=256
RSA4096_Len=512
RSA8192_Len=1024
SHA1_T_Len=35
SHA256_T_Len=51
SHA512_T_Len=83
HashAlgos=( SHA1 SHA256 SHA512 )
RSAAlgos=( RSA1024 RSA2048 RSA4096 RSA8192 )
function genFFOctets {
count=$1
while [ $count -gt 0 ]; do
echo -n "0xff,"
let count=count-1
done
}
cat <<EOF
/*
* DO NOT MODIFY THIS FILE DIRECTLY.
*
* This file is automatically generated by genpadding.sh and contains padding
* arrays corresponding to various combinations of algorithms for RSA signatures.
*/
EOF
echo '#include "rsa.h"'
echo '#include "sha.h"'
echo
echo
cat <<EOF
/*
* PKCS 1.5 padding (from the RSA PKCS#1 v2.1 standard)
*
* Depending on the RSA key size and hash function, the padding is calculated
* as follows:
*
* 0x00 || 0x01 || PS || 0x00 || T
*
* T: DER Encoded DigestInfo value which depends on the hash function used.
*
* SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H.
* SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H.
* SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H.
*
* Length(T) = 35 octets for SHA-1
* Length(T) = 51 octets for SHA-256
* Length(T) = 83 octets for SHA-512
*
* PS: octet string consisting of {Length(RSA Key) - Length(T) - 3} 0xFF
*
*/
EOF
echo
echo
# Generate padding arrays.
algorithmcounter=0
for rsaalgo in ${RSAAlgos[@]}
do
for hashalgo in ${HashAlgos[@]}
do
echo "/* Algorithm Type $algorithmcounter */"
let algorithmcounter=algorithmcounter+1
eval rsalen=${rsaalgo}_Len
eval hashlen=${hashalgo}_T_Len
let nums=rsalen-hashlen-3
echo "const uint8_t padding${rsaalgo}_${hashalgo}[${rsaalgo}NUMBYTES - ${hashalgo}_DIGEST_SIZE] = {"
echo -n $Pad_Preamble,
genFFOctets $nums
echo -n "0x00,"
eval suffix=\$${hashalgo}_Suffix
echo $suffix
echo "};"
echo
done
done
echo "const int kNumAlgorithms = $algorithmcounter;";
echo "#define NUMALGORITHMS $algorithmcounter"
echo
# Generate algorithm signature length map
echo "const int siglen_map[NUMALGORITHMS] = {"
for rsaalgo in ${RSAAlgos[@]}
do
for hashalgo in ${HashAlgos[@]}
do
echo ${rsaalgo}NUMWORDS,
done
done
echo "};"
echo
# Generate algorithm padding array map
echo "const uint8_t* padding_map[NUMALGORITHMS] = {"
for rsaalgo in ${RSAAlgos[@]}
do
for hashalgo in ${HashAlgos[@]}
do
echo padding${rsaalgo}_${hashalgo},
done
done
echo "};"
echo
# Generate algorithm padding size map
echo "const int padding_size_map[NUMALGORITHMS] = {"
for rsaalgo in ${RSAAlgos[@]}
do
for hashalgo in ${HashAlgos[@]}
do
echo ${rsaalgo}NUMBYTES - ${hashalgo}_DIGEST_SIZE,
done
done
echo "};"
echo
# Generate algorithm message digest's input block size.
echo "const int hash_blocksize_map[NUMALGORITHMS] = {"
for rsaalgo in ${RSAAlgos[@]}
do
for hashalgo in ${HashAlgos[@]}
do
echo ${hashalgo}_BLOCK_SIZE,
done
done
echo "};"
echo
# Generate algorithm description strings.
echo "const char* algo_strings[NUMALGORITHMS] = {"
for rsaalgo in ${RSAAlgos[@]}
do
for hashalgo in ${HashAlgos[@]}
do
echo \"${rsaalgo} ${hashalgo}\",
done
done
echo "};"
echo
#echo "#endif /* VBOOT_REFERENCE_PADDING_H_ */"

172
crypto/padding.c Normal file
View File

File diff suppressed because one or more lines are too long

190
crypto/rsa.c Normal file
View File

@@ -0,0 +1,190 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* Implementation of RSA signature verification which uses a pre-processed
* key for computation. The code extends Android's RSA verification code to
* support multiple RSA key lengths and hash digest algorithms.
*/
#include <stdio.h>
#include "padding.h"
#include "rsa.h"
#include "utility.h"
/* a[] -= mod */
static void subM(const RSAPublicKey *key, uint32_t *a) {
int64_t A = 0;
int i;
for (i = 0; i < key->len; ++i) {
A += (uint64_t)a[i] - key->n[i];
a[i] = (uint32_t)A;
A >>= 32;
}
}
/* return a[] >= mod */
static int geM(const RSAPublicKey *key, uint32_t *a) {
int i;
for (i = key->len; i;) {
--i;
if (a[i] < key->n[i]) return 0;
if (a[i] > key->n[i]) return 1;
}
return 1; /* equal */
}
/* montgomery c[] += a * b[] / R % mod */
static void montMulAdd(const RSAPublicKey *key,
uint32_t* c,
const uint32_t a,
const uint32_t* b) {
uint64_t A = (uint64_t)a * b[0] + c[0];
uint32_t d0 = (uint32_t)A * key->n0inv;
uint64_t B = (uint64_t)d0 * key->n[0] + (uint32_t)A;
int i;
for (i = 1; i < key->len; ++i) {
A = (A >> 32) + (uint64_t)a * b[i] + c[i];
B = (B >> 32) + (uint64_t)d0 * key->n[i] + (uint32_t)A;
c[i - 1] = (uint32_t)B;
}
A = (A >> 32) + (B >> 32);
c[i - 1] = (uint32_t)A;
if (A >> 32) {
subM(key, c);
}
}
/* montgomery c[] = a[] * b[] / R % mod */
static void montMul(const RSAPublicKey *key,
uint32_t* c,
uint32_t* a,
uint32_t* b) {
int i;
for (i = 0; i < key->len; ++i) {
c[i] = 0;
}
for (i = 0; i < key->len; ++i) {
montMulAdd(key, c, a[i], b);
}
}
/* In-place public exponentiation. (65537}
* Input and output big-endian byte array in inout.
*/
static void modpowF4(const RSAPublicKey *key,
uint8_t* inout) {
uint32_t* a = (uint32_t*) Malloc(key->len * sizeof(uint32_t));
uint32_t* aR = (uint32_t*) Malloc(key->len * sizeof(uint32_t));
uint32_t* aaR = (uint32_t*) Malloc(key->len * sizeof(uint32_t));
uint32_t* aaa = aaR; /* Re-use location. */
int i;
/* Convert from big endian byte array to little endian word array. */
for (i = 0; i < key->len; ++i) {
uint32_t tmp =
(inout[((key->len - 1 - i) * 4) + 0] << 24) |
(inout[((key->len - 1 - i) * 4) + 1] << 16) |
(inout[((key->len - 1 - i) * 4) + 2] << 8) |
(inout[((key->len - 1 - i) * 4) + 3] << 0);
a[i] = tmp;
}
montMul(key, aR, a, key->rr); /* aR = a * RR / R mod M */
for (i = 0; i < 16; i+=2) {
montMul(key, aaR, aR, aR); /* aaR = aR * aR / R mod M */
montMul(key, aR, aaR, aaR); /* aR = aaR * aaR / R mod M */
}
montMul(key, aaa, aR, a); /* aaa = aR * a / R mod M */
/* Make sure aaa < mod; aaa is at most 1x mod too large. */
if (geM(key, aaa)) {
subM(key, aaa);
}
/* Convert to bigendian byte array */
for (i = key->len - 1; i >= 0; --i) {
uint32_t tmp = aaa[i];
*inout++ = tmp >> 24;
*inout++ = tmp >> 16;
*inout++ = tmp >> 8;
*inout++ = tmp >> 0;
}
Free(a);
Free(aR);
Free(aaR);
}
/* Verify a RSA PKCS1.5 signature against an expected hash.
* Returns 0 on failure, 1 on success.
*/
int RSA_verify(const RSAPublicKey *key,
const uint8_t *sig,
const int sig_len,
const uint8_t sig_type,
const uint8_t *hash) {
int i;
uint8_t* buf;
const uint8_t* padding;
int success = 1;
if (sig_len != (key->len * sizeof(uint32_t))) {
fprintf(stderr, "Signature is of incorrect length!\n");
return 0;
}
if (sig_type >= kNumAlgorithms) {
fprintf(stderr, "Invalid signature type!\n");
return 0;
}
if (key->len != siglen_map[sig_type]) {
fprintf(stderr, "Wrong key passed in!\n");
return 0;
}
buf = (uint8_t*) Malloc(sig_len);
Memcpy(buf, sig, sig_len);
modpowF4(key, buf);
/* Determine padding to use depending on the signature type. */
padding = padding_map[sig_type];
/* Check pkcs1.5 padding bytes. */
for (i = 0; i < padding_size_map[sig_type]; ++i) {
if (buf[i] != padding[i]) {
#ifndef NDEBUG
/* TODO(gauravsh): Replace with a macro call for logging. */
fprintf(stderr, "Padding: Expecting = %02x Got = %02x\n", padding[i],
buf[i]);
#endif
success = 0;
}
}
/* Check if digest matches. */
for (; i < sig_len; ++i) {
if (buf[i] != *hash++) {
#ifndef NDEBUG
/* TODO(gauravsh): Replace with a macro call for logging. */
fprintf(stderr, "Digest: Expecting = %02x Got = %02x\n", padding[i],
buf[i]);
#endif
success = 0;
}
}
Free(buf);
return success;
}

289
crypto/sha1.c Normal file
View File

@@ -0,0 +1,289 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* SHA-1 implementation largely based on libmincrypt in the the Android
* Open Source Project (platorm/system/core.git/libmincrypt/sha.c
*/
#include "sha.h"
/* Some machines lack byteswap.h and endian.h. These have to use the
* slower code, even if they're little-endian.
*/
#if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
#include <byteswap.h>
#include <memory.h>
/* This version is about 28% faster than the generic version below,
* but assumes little-endianness.
*/
static inline uint32_t ror27(uint32_t val) {
return (val >> 27) | (val << 5);
}
static inline uint32_t ror2(uint32_t val) {
return (val >> 2) | (val << 30);
}
static inline uint32_t ror31(uint32_t val) {
return (val >> 31) | (val << 1);
}
static void SHA1_Transform(SHA_CTX* ctx) {
uint32_t W[80];
register uint32_t A, B, C, D, E;
int t;
A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];
E = ctx->state[4];
#define SHA_F1(A,B,C,D,E,t) \
E += ror27(A) + \
(W[t] = bswap_32(ctx->buf.w[t])) + \
(D^(B&(C^D))) + 0x5A827999; \
B = ror2(B);
for (t = 0; t < 15; t += 5) {
SHA_F1(A,B,C,D,E,t + 0);
SHA_F1(E,A,B,C,D,t + 1);
SHA_F1(D,E,A,B,C,t + 2);
SHA_F1(C,D,E,A,B,t + 3);
SHA_F1(B,C,D,E,A,t + 4);
}
SHA_F1(A,B,C,D,E,t + 0); /* 16th one, t == 15 */
#undef SHA_F1
#define SHA_F1(A,B,C,D,E,t) \
E += ror27(A) + \
(W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
(D^(B&(C^D))) + 0x5A827999; \
B = ror2(B);
SHA_F1(E,A,B,C,D,t + 1);
SHA_F1(D,E,A,B,C,t + 2);
SHA_F1(C,D,E,A,B,t + 3);
SHA_F1(B,C,D,E,A,t + 4);
#undef SHA_F1
#define SHA_F2(A,B,C,D,E,t) \
E += ror27(A) + \
(W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
(B^C^D) + 0x6ED9EBA1; \
B = ror2(B);
for (t = 20; t < 40; t += 5) {
SHA_F2(A,B,C,D,E,t + 0);
SHA_F2(E,A,B,C,D,t + 1);
SHA_F2(D,E,A,B,C,t + 2);
SHA_F2(C,D,E,A,B,t + 3);
SHA_F2(B,C,D,E,A,t + 4);
}
#undef SHA_F2
#define SHA_F3(A,B,C,D,E,t) \
E += ror27(A) + \
(W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
((B&C)|(D&(B|C))) + 0x8F1BBCDC; \
B = ror2(B);
for (; t < 60; t += 5) {
SHA_F3(A,B,C,D,E,t + 0);
SHA_F3(E,A,B,C,D,t + 1);
SHA_F3(D,E,A,B,C,t + 2);
SHA_F3(C,D,E,A,B,t + 3);
SHA_F3(B,C,D,E,A,t + 4);
}
#undef SHA_F3
#define SHA_F4(A,B,C,D,E,t) \
E += ror27(A) + \
(W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \
(B^C^D) + 0xCA62C1D6; \
B = ror2(B);
for (; t < 80; t += 5) {
SHA_F4(A,B,C,D,E,t + 0);
SHA_F4(E,A,B,C,D,t + 1);
SHA_F4(D,E,A,B,C,t + 2);
SHA_F4(C,D,E,A,B,t + 3);
SHA_F4(B,C,D,E,A,t + 4);
}
#undef SHA_F4
ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
ctx->state[4] += E;
}
void SHA1_update(SHA1_CTX* ctx, const uint8_t* data, size_t len) {
int i = ctx->count % sizeof(ctx->buf);
const uint8_t* p = (const uint8_t*)data;
ctx->count += len;
while (len > sizeof(ctx->buf) - i) {
memcpy(&ctx->buf.b[i], p, sizeof(ctx->buf) - i);
len -= sizeof(ctx->buf) - i;
p += sizeof(ctx->buf) - i;
SHA1_Transform(ctx);
i = 0;
}
while (len--) {
ctx->buf.b[i++] = *p++;
if (i == sizeof(ctx->buf)) {
SHA1_Transform(ctx);
i = 0;
}
}
}
uint8_t* SHA1_final(SHA_CTX* ctx) {
uint64_t cnt = ctx->count * 8;
int i;
SHA1_update(ctx, (uint8_t*)"\x80", 1);
while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
SHA1_update(ctx, (uint8_t*)"\0", 1);
}
for (i = 0; i < 8; ++i) {
uint8_t tmp = cnt >> ((7 - i) * 8);
SHA1_update(ctx, &tmp, 1);
}
for (i = 0; i < 5; i++) {
ctx->buf.w[i] = bswap_32(ctx->state[i]);
}
return ctx->buf.b;
}
#else /* #if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN) */
#define rol(bits, value) (((value) << (bits)) | ((value) >> (32 - (bits))))
static void SHA1_transform(SHA1_CTX *ctx) {
uint32_t W[80];
uint32_t A, B, C, D, E;
uint8_t *p = ctx->buf;
int t;
for(t = 0; t < 16; ++t) {
uint32_t tmp = *p++ << 24;
tmp |= *p++ << 16;
tmp |= *p++ << 8;
tmp |= *p++;
W[t] = tmp;
}
for(; t < 80; t++) {
W[t] = rol(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
}
A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];
E = ctx->state[4];
for(t = 0; t < 80; t++) {
uint32_t tmp = rol(5,A) + E + W[t];
if (t < 20)
tmp += (D^(B&(C^D))) + 0x5A827999;
else if ( t < 40)
tmp += (B^C^D) + 0x6ED9EBA1;
else if ( t < 60)
tmp += ((B&C)|(D&(B|C))) + 0x8F1BBCDC;
else
tmp += (B^C^D) + 0xCA62C1D6;
E = D;
D = C;
C = rol(30,B);
B = A;
A = tmp;
}
ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
ctx->state[4] += E;
}
void SHA1_update(SHA1_CTX *ctx, const uint8_t *data, int len) {
int i = ctx->count % sizeof(ctx->buf);
const uint8_t* p = (const uint8_t*) data;
ctx->count += len;
while (len--) {
ctx->buf[i++] = *p++;
if (i == sizeof(ctx->buf)) {
SHA1_transform(ctx);
i = 0;
}
}
}
uint8_t* SHA1_final(SHA1_CTX *ctx) {
uint8_t *p = ctx->buf;
uint64_t cnt = ctx->count * 8;
int i;
SHA1_update(ctx, (uint8_t*)"\x80", 1);
while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) {
SHA1_update(ctx, (uint8_t*)"\0", 1);
}
for (i = 0; i < 8; ++i) {
uint8_t tmp = cnt >> ((7 - i) * 8);
SHA1_update(ctx, &tmp, 1);
}
for (i = 0; i < 5; i++) {
uint32_t tmp = ctx->state[i];
*p++ = tmp >> 24;
*p++ = tmp >> 16;
*p++ = tmp >> 8;
*p++ = tmp >> 0;
}
return ctx->buf;
}
#endif /* endianness */
void SHA1_init(SHA1_CTX* ctx) {
ctx->state[0] = 0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
ctx->state[4] = 0xC3D2E1F0;
ctx->count = 0;
}
uint8_t* SHA1(const void *data, int len, uint8_t *digest) {
const uint8_t *p;
int i;
SHA1_CTX ctx;
SHA1_init(&ctx);
SHA1_update(&ctx, data, len);
p = SHA1_final(&ctx);
for (i = 0; i < SHA1_DIGEST_SIZE; ++i) {
digest[i] = *p++;
}
return digest;
}

623
crypto/sha2.c Normal file
View File

@@ -0,0 +1,623 @@
/* SHA-256 and SHA-512 implementation based on code by Oliver Gay
* <olivier.gay@a3.epfl.ch> under a BSD-style license. See below.
*/
/*
* FIPS 180-2 SHA-224/256/384/512 implementation
* Last update: 02/02/2007
* Issue date: 04/30/2005
*
* Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "sha.h"
#include <string.h>
#define SHFR(x, n) (x >> n)
#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
#define CH(x, y, z) ((x & y) ^ (~x & z))
#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
#define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
#define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
#define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
#define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
#define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7))
#define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6))
#define UNPACK32(x, str) \
{ \
*((str) + 3) = (uint8_t) ((x) ); \
*((str) + 2) = (uint8_t) ((x) >> 8); \
*((str) + 1) = (uint8_t) ((x) >> 16); \
*((str) + 0) = (uint8_t) ((x) >> 24); \
}
#define PACK32(str, x) \
{ \
*(x) = ((uint32_t) *((str) + 3) ) \
| ((uint32_t) *((str) + 2) << 8) \
| ((uint32_t) *((str) + 1) << 16) \
| ((uint32_t) *((str) + 0) << 24); \
}
#define UNPACK64(x, str) \
{ \
*((str) + 7) = (uint8_t) ((x) ); \
*((str) + 6) = (uint8_t) ((x) >> 8); \
*((str) + 5) = (uint8_t) ((x) >> 16); \
*((str) + 4) = (uint8_t) ((x) >> 24); \
*((str) + 3) = (uint8_t) ((x) >> 32); \
*((str) + 2) = (uint8_t) ((x) >> 40); \
*((str) + 1) = (uint8_t) ((x) >> 48); \
*((str) + 0) = (uint8_t) ((x) >> 56); \
}
#define PACK64(str, x) \
{ \
*(x) = ((uint64_t) *((str) + 7) ) \
| ((uint64_t) *((str) + 6) << 8) \
| ((uint64_t) *((str) + 5) << 16) \
| ((uint64_t) *((str) + 4) << 24) \
| ((uint64_t) *((str) + 3) << 32) \
| ((uint64_t) *((str) + 2) << 40) \
| ((uint64_t) *((str) + 1) << 48) \
| ((uint64_t) *((str) + 0) << 56); \
}
/* Macros used for loops unrolling */
#define SHA256_SCR(i) \
{ \
w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
+ SHA256_F3(w[i - 15]) + w[i - 16]; \
}
#define SHA512_SCR(i) \
{ \
w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \
+ SHA512_F3(w[i - 15]) + w[i - 16]; \
}
#define SHA256_EXP(a, b, c, d, e, f, g, h, j) \
{ \
t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
+ sha256_k[j] + w[j]; \
t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
wv[d] += t1; \
wv[h] = t1 + t2; \
}
#define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \
{ \
t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
+ sha512_k[j] + w[j]; \
t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
wv[d] += t1; \
wv[h] = t1 + t2; \
}
uint32_t sha256_h0[8] = {
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
uint64_t sha512_h0[8] = {
0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL};
uint32_t sha256_k[64] = {
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
uint64_t sha512_k[80] = {
0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL};
/* SHA-256 implementation */
void SHA256_init(SHA256_CTX *ctx) {
#ifndef UNROLL_LOOPS
int i;
for (i = 0; i < 8; i++) {
ctx->h[i] = sha256_h0[i];
}
#else
ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
#endif /* !UNROLL_LOOPS */
ctx->len = 0;
ctx->tot_len = 0;
}
static void SHA256_transform(SHA256_CTX* ctx, const uint8_t* message,
unsigned int block_nb) {
uint32_t w[64];
uint32_t wv[8];
uint32_t t1, t2;
const unsigned char *sub_block;
int i;
#ifndef UNROLL_LOOPS
int j;
#endif
for (i = 0; i < (int) block_nb; i++) {
sub_block = message + (i << 6);
#ifndef UNROLL_LOOPS
for (j = 0; j < 16; j++) {
PACK32(&sub_block[j << 2], &w[j]);
}
for (j = 16; j < 64; j++) {
SHA256_SCR(j);
}
for (j = 0; j < 8; j++) {
wv[j] = ctx->h[j];
}
for (j = 0; j < 64; j++) {
t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
+ sha256_k[j] + w[j];
t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
wv[7] = wv[6];
wv[6] = wv[5];
wv[5] = wv[4];
wv[4] = wv[3] + t1;
wv[3] = wv[2];
wv[2] = wv[1];
wv[1] = wv[0];
wv[0] = t1 + t2;
}
for (j = 0; j < 8; j++) {
ctx->h[j] += wv[j];
}
#else
PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]);
PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]);
PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]);
PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]);
PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]);
PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]);
PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]);
PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]);
SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19);
SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23);
SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27);
SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31);
SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35);
SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39);
SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43);
SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47);
SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51);
SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55);
SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59);
SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63);
wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1);
SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3);
SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5);
SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7);
SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9);
SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11);
SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13);
SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15);
SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17);
SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19);
SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21);
SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23);
SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25);
SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27);
SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29);
SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31);
SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33);
SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35);
SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37);
SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39);
SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41);
SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43);
SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45);
SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47);
SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49);
SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51);
SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53);
SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55);
SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57);
SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59);
SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61);
SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63);
ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
#endif /* !UNROLL_LOOPS */
}
}
void SHA256_update(SHA256_CTX* ctx, const uint8_t* data, int len) {
unsigned int block_nb;
unsigned int new_len, rem_len, tmp_len;
const uint8_t *shifted_data;
tmp_len = SHA256_BLOCK_SIZE - ctx->len;
rem_len = len < tmp_len ? len : tmp_len;
memcpy(&ctx->block[ctx->len], data, rem_len);
if (ctx->len + len < SHA256_BLOCK_SIZE) {
ctx->len += len;
return;
}
new_len = len - rem_len;
block_nb = new_len / SHA256_BLOCK_SIZE;
shifted_data = data + rem_len;
SHA256_transform(ctx, ctx->block, 1);
SHA256_transform(ctx, shifted_data, block_nb);
rem_len = new_len % SHA256_BLOCK_SIZE;
memcpy(ctx->block, &shifted_data[block_nb << 6],
rem_len);
ctx->len = rem_len;
ctx->tot_len += (block_nb + 1) << 6;
}
uint8_t* SHA256_final(SHA256_CTX* ctx) {
unsigned int block_nb;
unsigned int pm_len;
unsigned int len_b;
#ifndef UNROLL_LOOPS
int i;
#endif
block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
< (ctx->len % SHA256_BLOCK_SIZE)));
len_b = (ctx->tot_len + ctx->len) << 3;
pm_len = block_nb << 6;
memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
ctx->block[ctx->len] = 0x80;
UNPACK32(len_b, ctx->block + pm_len - 4);
SHA256_transform(ctx, ctx->block, block_nb);
#ifndef UNROLL_LOOPS
for (i = 0 ; i < 8; i++) {
UNPACK32(ctx->h[i], &ctx->buf[i << 2]);
}
#else
UNPACK32(ctx->h[0], &ctx->buf[ 0]);
UNPACK32(ctx->h[1], &ctx->buf[ 4]);
UNPACK32(ctx->h[2], &ctx->buf[ 8]);
UNPACK32(ctx->h[3], &ctx->buf[12]);
UNPACK32(ctx->h[4], &ctx->buf[16]);
UNPACK32(ctx->h[5], &ctx->buf[20]);
UNPACK32(ctx->h[6], &ctx->buf[24]);
UNPACK32(ctx->h[7], &ctx->buf[28]);
#endif /* !UNROLL_LOOPS */
return ctx->buf;
}
/* SHA-512 implementation */
void SHA512_init(SHA512_CTX *ctx) {
#ifndef UNROLL_LOOPS
int i;
for (i = 0; i < 8; i++) {
ctx->h[i] = sha512_h0[i];
}
#else
ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1];
ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3];
ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5];
ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7];
#endif /* !UNROLL_LOOPS */
ctx->len = 0;
ctx->tot_len = 0;
}
static void SHA512_transform(SHA512_CTX* ctx, const uint8_t* message,
unsigned int block_nb)
{
uint64_t w[80];
uint64_t wv[8];
uint64_t t1, t2;
const uint8_t *sub_block;
int i, j;
for (i = 0; i < (int) block_nb; i++) {
sub_block = message + (i << 7);
#ifndef UNROLL_LOOPS
for (j = 0; j < 16; j++) {
PACK64(&sub_block[j << 3], &w[j]);
}
for (j = 16; j < 80; j++) {
SHA512_SCR(j);
}
for (j = 0; j < 8; j++) {
wv[j] = ctx->h[j];
}
for (j = 0; j < 80; j++) {
t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
+ sha512_k[j] + w[j];
t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
wv[7] = wv[6];
wv[6] = wv[5];
wv[5] = wv[4];
wv[4] = wv[3] + t1;
wv[3] = wv[2];
wv[2] = wv[1];
wv[1] = wv[0];
wv[0] = t1 + t2;
}
for (j = 0; j < 8; j++) {
ctx->h[j] += wv[j];
}
#else
PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]);
PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]);
PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]);
PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]);
PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]);
PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]);
PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]);
PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]);
SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19);
SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23);
SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27);
SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31);
SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35);
SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39);
SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43);
SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47);
SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51);
SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55);
SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59);
SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63);
SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67);
SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71);
SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75);
SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79);
wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
j = 0;
do {
SHA512_EXP(0,1,2,3,4,5,6,7,j); j++;
SHA512_EXP(7,0,1,2,3,4,5,6,j); j++;
SHA512_EXP(6,7,0,1,2,3,4,5,j); j++;
SHA512_EXP(5,6,7,0,1,2,3,4,j); j++;
SHA512_EXP(4,5,6,7,0,1,2,3,j); j++;
SHA512_EXP(3,4,5,6,7,0,1,2,j); j++;
SHA512_EXP(2,3,4,5,6,7,0,1,j); j++;
SHA512_EXP(1,2,3,4,5,6,7,0,j); j++;
} while (j < 80);
ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
#endif /* !UNROLL_LOOPS */
}
}
void SHA512_update(SHA512_CTX* ctx, const uint8_t* data,
int len) {
unsigned int block_nb;
unsigned int new_len, rem_len, tmp_len;
const uint8_t* shifted_data;
tmp_len = SHA512_BLOCK_SIZE - ctx->len;
rem_len = len < tmp_len ? len : tmp_len;
memcpy(&ctx->block[ctx->len], data, rem_len);
if (ctx->len + len < SHA512_BLOCK_SIZE) {
ctx->len += len;
return;
}
new_len = len - rem_len;
block_nb = new_len / SHA512_BLOCK_SIZE;
shifted_data = data + rem_len;
SHA512_transform(ctx, ctx->block, 1);
SHA512_transform(ctx, shifted_data, block_nb);
rem_len = new_len % SHA512_BLOCK_SIZE;
memcpy(ctx->block, &shifted_data[block_nb << 7],
rem_len);
ctx->len = rem_len;
ctx->tot_len += (block_nb + 1) << 7;
}
uint8_t* SHA512_final(SHA512_CTX* ctx)
{
unsigned int block_nb;
unsigned int pm_len;
unsigned int len_b;
#ifndef UNROLL_LOOPS
int i;
#endif
block_nb = 1 + ((SHA512_BLOCK_SIZE - 17)
< (ctx->len % SHA512_BLOCK_SIZE));
len_b = (ctx->tot_len + ctx->len) << 3;
pm_len = block_nb << 7;
memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
ctx->block[ctx->len] = 0x80;
UNPACK32(len_b, ctx->block + pm_len - 4);
SHA512_transform(ctx, ctx->block, block_nb);
#ifndef UNROLL_LOOPS
for (i = 0 ; i < 8; i++) {
UNPACK64(ctx->h[i], &ctx->buf[i << 3]);
}
#else
UNPACK64(ctx->h[0], &ctx->buf[ 0]);
UNPACK64(ctx->h[1], &ctx->buf[ 8]);
UNPACK64(ctx->h[2], &ctx->buf[16]);
UNPACK64(ctx->h[3], &ctx->buf[24]);
UNPACK64(ctx->h[4], &ctx->buf[32]);
UNPACK64(ctx->h[5], &ctx->buf[40]);
UNPACK64(ctx->h[6], &ctx->buf[48]);
UNPACK64(ctx->h[7], &ctx->buf[56]);
#endif /* !UNROLL_LOOPS */
return ctx->buf;
}
/* Convenient functions. */
uint8_t* SHA256(const uint8_t* data, int len, uint8_t* digest) {
const uint8_t* p;
int i;
SHA256_CTX ctx;
SHA256_init(&ctx);
SHA256_update(&ctx, data, len);
p = SHA256_final(&ctx);
for (i = 0; i < SHA256_DIGEST_SIZE; ++i) {
digest[i] = *p++;
}
return digest;
}
uint8_t* SHA512(const uint8_t* data, int len, uint8_t* digest) {
const uint8_t* p;
int i;
SHA512_CTX ctx;
SHA512_init(&ctx);
SHA512_update(&ctx, data, len);
p = SHA512_final(&ctx);
for (i = 0; i < SHA512_DIGEST_SIZE; ++i) {
digest[i] = *p++;
}
return digest;
}

27
include/padding.h Normal file
View File

@@ -0,0 +1,27 @@
#ifndef VBOOT_REFERENCE_PADDING_H_
#define VBOOT_REFERENCE_PADDING_H_
#include <inttypes.h>
extern const uint8_t paddingRSA1024_SHA1[];
extern const uint8_t paddingRSA1024_SHA256[];
extern const uint8_t paddingRSA1024_SHA512[];
extern const uint8_t paddingRSA2048_SHA1[];
extern const uint8_t paddingRSA2048_SHA256[];
extern const uint8_t paddingRSA2048_SHA512[];
extern const uint8_t paddingRSA4096_SHA1[];
extern const uint8_t paddingRSA4096_SHA256[];
extern const uint8_t paddingRSA4096_SHA512[];
extern const uint8_t paddingRSA8192_SHA1[];
extern const uint8_t paddingRSA8192_SHA256[];
extern const uint8_t paddingRSA8192_SHA512[];
extern const int kNumAlgorithms;
extern const int siglen_map[];
extern const uint8_t* padding_map[];
extern const int padding_size_map[];
extern const int hash_blocksize_map[];
extern const char* algo_strings[];
#endif /* VBOOT_REFERENCE_PADDING_H_ */

37
include/rsa.h Normal file
View File

@@ -0,0 +1,37 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#ifndef VBOOT_REFERENCE_RSA_H_
#define VBOOT_REFERENCE_RSA_H_
#include <inttypes.h>
#define RSA1024NUMBYTES 128 /* 1024 bit key length */
#define RSA2048NUMBYTES 256 /* 2048 bit key length */
#define RSA4096NUMBYTES 512 /* 4096 bit key length */
#define RSA8192NUMBYTES 1024 /* 8192 bit key length */
#define RSA1024NUMWORDS (RSA1024NUMBYTES / sizeof(uint32_t))
#define RSA2048NUMWORDS (RSA2048NUMBYTES / sizeof(uint32_t))
#define RSA4096NUMWORDS (RSA4096NUMBYTES / sizeof(uint32_t))
#define RSA8192NUMWORDS (RSA8192NUMBYTES / sizeof(uint32_t))
typedef struct RSAPublicKey {
int len; /* Length of n[] in number of uint32_t */
uint32_t n0inv; /* -1 / n[0] mod 2^32 */
uint32_t* n; /* modulus as little endian array */
uint32_t* rr; /* R^2 as little endian array */
} RSAPublicKey;
/* Verify a RSA PKCS1.5 signature [sig] of [sig_type] and length [sig_len]
* against an expected [hash] using [key]. Returns 0 on failure, 1 on success.
*/
int RSA_verify(const RSAPublicKey *key,
const uint8_t* sig,
const int sig_len,
const uint8_t sig_type,
const uint8_t* hash);
#endif /* VBOOT_REFERENCE_RSA_H_ */

73
include/sha.h Normal file
View File

@@ -0,0 +1,73 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* SHA-1, 256 and 512 functions. */
#ifndef VBOOT_REFERENCE_SHA_H_
#define VBOOT_REFERENCE_SHA_H_
#include <inttypes.h>
#include <string.h>
#define SHA1_DIGEST_SIZE 20
#define SHA1_BLOCK_SIZE 64
#define SHA256_DIGEST_SIZE 32
#define SHA256_BLOCK_SIZE 64
#define SHA512_DIGEST_SIZE 64
#define SHA512_BLOCK_SIZE 128
typedef struct SHA1_CTX {
uint64_t count;
uint32_t state[5];
#if defined(HAVE_ENDIAN_H) && defined(HAVE_LITTLE_ENDIAN)
union {
uint8_t b[64];
uint32_t w[16];
} buf;
#else
uint8_t buf[64];
#endif
} SHA1_CTX;
typedef struct {
uint32_t h[8];
uint32_t tot_len;
uint32_t len;
uint8_t block[2 * SHA256_BLOCK_SIZE];
uint8_t buf[SHA256_DIGEST_SIZE]; /* Used for storing the final digest. */
} SHA256_CTX;
typedef struct {
uint64_t h[8];
uint32_t tot_len;
uint32_t len;
uint8_t block[2 * SHA512_BLOCK_SIZE];
uint8_t buf[SHA512_DIGEST_SIZE]; /* Used for storing the final digest. */
} SHA512_CTX;
void SHA1_init(SHA1_CTX* ctx);
void SHA1_update(SHA1_CTX* ctx, const uint8_t* data, int len);
uint8_t* SHA1_final(SHA1_CTX* ctx);
/* Convenience function for SHA-1. Computes hash on [data] of length [len].
* and stores it into [digest]. [digest] should be pre-allocated to
* SHA1_DIGEST_SIZE bytes.
*/
uint8_t* SHA1(const void* data, int len, uint8_t* digest);
void SHA256_init(SHA256_CTX* ctx);
void SHA256_update(SHA256_CTX* ctx, const uint8_t* data, int len);
uint8_t* SHA256_final(SHA256_CTX* ctx);
uint8_t* SHA256(const uint8_t* data, int len, uint8_t* digest);
void SHA512_init(SHA512_CTX* ctx);
void SHA512_update(SHA512_CTX* ctx, const uint8_t* data, int len);
uint8_t* SHA512_final(SHA512_CTX* ctx);
uint8_t* SHA512(const uint8_t* data, int len, uint8_t* digest);
#endif /* VBOOT_REFERENCE_SHA_H_ */

32
include/utility.h Normal file
View File

@@ -0,0 +1,32 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* Helper functions/wrappers for memory allocations, manipulation and
* comparison.
*/
#ifndef VBOOT_REFERENCE_UTILITY_H_
#define VBOOT_REFERENCE_UTILITY_H_
#include <string.h>
/* Allocate [size] bytes and return a pointer to the allocated memory. Abort
* on error.
*/
void* Malloc(size_t size);
/* Free memory pointed by [ptr] previously allocated by Malloc(). */
void Free(void* ptr);
/* Copy [n] bytes from [src] to [dest]. */
void* Memcpy(void* dest, const void* src, size_t n);
/* Compare [n] bytes starting at [s1] with [s2] and return 1 if they match,
* 0 if they don't. Time taken to perform the comparison is only dependent on
* [n] and not on the relationship of the match between [s1] and [s2].
*/
int SafeMemcmp(const void* s1, const void* s2, size_t n);
#endif /* VBOOT_REFERENCE_UTILITY_H_ */

18
tests/Makefile Normal file
View File

@@ -0,0 +1,18 @@
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
SRCS=sha_tests.c verify_data.c
OBJS=$(SRCS:.c=.o)
LIBS=$(TOP)/crypto/libcrypto.a $(TOP)/common/libcommon.a
tests: sha_tests verify_data
sha_tests: sha_tests.c
$(CC) $(CFLAGS) $(INCLUDES) $< -o $@ $(LIBS)
verify_data: verify_data.c
$(CC) $(CFLAGS) $(INCLUDES) $< -o $@ $(LIBS)
clean:
rm -f $(OBJS) sha_tests verify_data

83
tests/run_tests.sh Executable file
View File

@@ -0,0 +1,83 @@
#!/bin/bash
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Run tests for cryptographic routine implementations - Message digests
# and RSA Signature verification.
hash_algos=( sha1 sha256 sha512 )
key_lengths=( 1024 2048 4096 8192 )
TEST_FILE=test_file
TEST_FILE_SIZE=1000000
UTILDIR=../utils/
# Generate RSA test keys of various lengths.
function generate_keys {
for i in ${key_lengths[@]}
do
openssl genrsa -F4 -out key_rsa$i.pem $i
# Generate self-signed certificate from key.
openssl req -batch -new -x509 -key key_rsa$i.pem -out key_rsa$i.crt
# Generate pre-processed key for use by RSA signature verification code.
${UTILDIR}/dumpRSAPublicKey key_rsa$i.crt > key_rsa$i.keyb
done
}
# Generate public key signatures on an input file for various combinations
# of message digest algorithms and RSA key sizes.
function generate_signatures {
for i in ${hash_algos[@]}
do
for j in ${key_lengths[@]}
do
openssl dgst -binary -$i $1 >$1.digest.$i
openssl pkeyutl -in $1.digest.$i -inkey key_rsa$j.pem \
-pkeyopt digest:$i > $1.rsa$j\_$i.sig
done
done
}
function test_signatures {
algorithmcounter=0
for rsaalgo in ${key_lengths[@]}
do
for hashalgo in ${hash_algos[@]}
do
echo "For RSA-$rsaalgo and $hashalgo:"
./verify_data $algorithmcounter key_rsa${rsaalgo}.keyb \
${TEST_FILE}.rsa${rsaalgo}_${hashalgo}.sig ${TEST_FILE}
let algorithmcounter=algorithmcounter+1
done
done
}
function pre_work {
# Generate a file with random bytes for signature tests.
echo "Generating test file..."
dd if=/dev/urandom of=${TEST_FILE} bs=${TEST_FILE_SIZE} count=1
echo "Generating test keys..."
generate_keys
echo "Generating signatures..."
generate_signatures $TEST_FILE
}
function cleanup {
rm ${TEST_FILE} ${TEST_FILE}.digest.* ${TEST_FILE}.*.sig key_rsa*.*
}
echo "Testing message digests..."
./sha_tests
echo
echo "Testing signature verification..."
pre_work
test_signatures
echo
echo "Cleaning up..."
cleanup

93
tests/sha_test_vectors.h Normal file
View File

@@ -0,0 +1,93 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* FIPS 180-2 test vectors for SHA-1, SHA-256 and SHA-512 */
#ifndef VBOOT_REFERENCE_SHA_TEST_VECTORS_H_
#define VBOOT_REFERENCE_SHA_TEST_VECTORS_H_
#include "sha.h"
char *oneblock_msg = "abc";
char *multiblock_msg1 = "abcdbcdecdefdefgefghfghighijhijkijkl"
"jklmklmnlmnomnopnopq";
char *multiblock_msg2= "abcdefghbcdefghicdefghijdefghijkefghi"
"jklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnop"
"qrsmnopqrstnopqrstu";
char *long_msg;
uint8_t sha1_results[][SHA1_DIGEST_SIZE] = {
{
0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,
0xba,0x3e,0x25,0x71,0x78,0x50,0xc2,0x6c,
0x9c,0xd0,0xd8,0x9d
},
{
0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,
0xba,0xae,0x4a,0xa1,0xf9,0x51,0x29,0xe5,
0xe5,0x46,0x70,0xf1
},
{
0x34,0xaa,0x97,0x3c,0xd4,0xc4,0xda,0xa4,
0xf6,0x1e,0xeb,0x2b,0xdb,0xad,0x27,0x31,
0x65,0x34,0x01,0x6f
}
};
uint8_t sha256_results[][SHA256_DIGEST_SIZE] = {
{
0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,
0x41,0x41,0x40,0xde,0x5d,0xae,0x22,0x23,
0xb0,0x03,0x61,0xa3,0x96,0x17,0x7a,0x9c,
0xb4,0x10,0xff,0x61,0xf2,0x00,0x15,0xad
},
{
0x24,0x8d,0x6a,0x61,0xd2,0x06,0x38,0xb8,
0xe5,0xc0,0x26,0x93,0x0c,0x3e,0x60,0x39,
0xa3,0x3c,0xe4,0x59,0x64,0xff,0x21,0x67,
0xf6,0xec,0xed,0xd4,0x19,0xdb,0x06,0xc1
},
{
0xcd,0xc7,0x6e,0x5c,0x99,0x14,0xfb,0x92,
0x81,0xa1,0xc7,0xe2,0x84,0xd7,0x3e,0x67,
0xf1,0x80,0x9a,0x48,0xa4,0x97,0x20,0x0e,
0x04,0x6d,0x39,0xcc,0xc7,0x11,0x2c,0xd0
}
};
uint8_t sha512_results[][SHA512_DIGEST_SIZE] = {
{
0xdd,0xaf,0x35,0xa1,0x93,0x61,0x7a,0xba,
0xcc,0x41,0x73,0x49,0xae,0x20,0x41,0x31,
0x12,0xe6,0xfa,0x4e,0x89,0xa9,0x7e,0xa2,
0x0a,0x9e,0xee,0xe6,0x4b,0x55,0xd3,0x9a,
0x21,0x92,0x99,0x2a,0x27,0x4f,0xc1,0xa8,
0x36,0xba,0x3c,0x23,0xa3,0xfe,0xeb,0xbd,
0x45,0x4d,0x44,0x23,0x64,0x3c,0xe8,0x0e,
0x2a,0x9a,0xc9,0x4f,0xa5,0x4c,0xa4,0x9f
},
{
0x8e,0x95,0x9b,0x75,0xda,0xe3,0x13,0xda,
0x8c,0xf4,0xf7,0x28,0x14,0xfc,0x14,0x3f,
0x8f,0x77,0x79,0xc6,0xeb,0x9f,0x7f,0xa1,
0x72,0x99,0xae,0xad,0xb6,0x88,0x90,0x18,
0x50,0x1d,0x28,0x9e,0x49,0x00,0xf7,0xe4,
0x33,0x1b,0x99,0xde,0xc4,0xb5,0x43,0x3a,
0xc7,0xd3,0x29,0xee,0xb6,0xdd,0x26,0x54,
0x5e,0x96,0xe5,0x5b,0x87,0x4b,0xe9,0x09
},
{
0xe7,0x18,0x48,0x3d,0x0c,0xe7,0x69,0x64,
0x4e,0x2e,0x42,0xc7,0xbc,0x15,0xb4,0x63,
0x8e,0x1f,0x98,0xb1,0x3b,0x20,0x44,0x28,
0x56,0x32,0xa8,0x03,0xaf,0xa9,0x73,0xeb,
0xde,0x0f,0xf2,0x44,0x87,0x7e,0xa6,0x0a,
0x4c,0xb0,0x43,0x2c,0xe5,0x77,0xc3,0x1b,
0xeb,0x00,0x9c,0x5c,0x2c,0x49,0xaa,0x2e,
0x4e,0xad,0xb2,0x17,0xad,0x8c,0xc0,0x9b
}
};
#endif /* VBOOT_REFERENCE_SHA_TEST_VECTORS_H_ */

99
tests/sha_tests.c Normal file
View File

@@ -0,0 +1,99 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* FIPS 180-2 Tests for message digest functions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "sha.h"
#include "sha_test_vectors.h"
int SHA1_tests(void) {
int i, success = 1;
uint8_t sha1_digest[SHA1_DIGEST_SIZE];
uint8_t* test_inputs[3];
test_inputs[0] = (uint8_t *) oneblock_msg;
test_inputs[1] = (uint8_t *) multiblock_msg1;
test_inputs[2] = (uint8_t *) long_msg;
for (i = 0; i < 3; i++) {
SHA1(test_inputs[i], strlen((char *)test_inputs[i]),
sha1_digest);
if (!memcmp(sha1_digest, sha1_results[i], SHA1_DIGEST_SIZE)) {
fprintf(stderr, "Test vector %d PASSED for SHA-1\n", i+1);
}
else {
fprintf(stderr, "Test vector %d FAILED for SHA-1\n", i+1);
success = 0;
}
}
return success;
}
int SHA256_tests(void) {
int i, success = 1;
uint8_t sha256_digest[SHA256_DIGEST_SIZE];
uint8_t* test_inputs[3];
test_inputs[0] = (uint8_t *) oneblock_msg;
test_inputs[1] = (uint8_t *) multiblock_msg1;
test_inputs[2] = (uint8_t *) long_msg;
for (i = 0; i < 3; i++) {
SHA256(test_inputs[i], strlen((char *)test_inputs[i]),
sha256_digest);
if (!memcmp(sha256_digest, sha256_results[i], SHA256_DIGEST_SIZE)) {
fprintf(stderr, "Test vector %d PASSED for SHA-256\n", i+1);
}
else {
fprintf(stderr, "Test vector %d FAILED for SHA-256\n", i+1);
success = 0;
}
}
return success;
}
int SHA512_tests(void) {
int i, success = 1;
uint8_t sha512_digest[SHA512_DIGEST_SIZE];
uint8_t* test_inputs[3];
test_inputs[0] = (uint8_t *) oneblock_msg;
test_inputs[1] = (uint8_t *) multiblock_msg2;
test_inputs[2] = (uint8_t *) long_msg;
for (i = 0; i < 3; i++) {
SHA512(test_inputs[i], strlen((char *)test_inputs[i]),
sha512_digest);
if (!memcmp(sha512_digest, sha512_results[i], SHA512_DIGEST_SIZE)) {
fprintf(stderr, "Test vector %d PASSED for SHA-512\n", i+1);
}
else {
fprintf(stderr, "Test vector %d FAILED for SHA-512\n", i+1);
success = 0;
}
}
return success;
}
int main(int argc, char* argv[]) {
int success = 1;
/* Initialize long_msg with 'a' x 1,000,000 */
long_msg = (char *) malloc(1000001);
memset(long_msg, 'a', 1000000);
long_msg[1000000]=0;
if (!SHA1_tests())
success = 0;
if (!SHA256_tests())
success = 0;
if (!SHA512_tests())
success = 0;
free(long_msg);
return !success;
}

243
tests/verify_data.c Normal file
View File

@@ -0,0 +1,243 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* Routines for verifying a file's signature. Useful in testing the core
* RSA verification implementation.
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "padding.h"
#include "rsa.h"
#include "sha.h"
#include "verify_data.h"
RSAPublicKey* read_RSAkey(char *input_file, int len) {
int key_fd;
RSAPublicKey *key = NULL;
if ((key_fd = open(input_file, O_RDONLY)) == -1) {
fprintf(stderr, "Couldn't open pre-processed key file\n");
return NULL;
}
key = (RSAPublicKey *) malloc(sizeof(RSAPublicKey));
if (!key)
return NULL;
/* Read the pre-processed RSA key into a RSAPublicKey structure */
/* TODO(gauravsh): Add error checking here? */
read(key_fd, &key->len, sizeof(key->len));
read(key_fd, &key->n0inv, sizeof(key->n0inv));
#ifndef NDEBUG
fprintf(stderr, "%d\n", key->len);
fprintf(stderr, "%d\n", key->n0inv);
#endif
key->n = (uint32_t *) malloc(len);
read(key_fd, key->n, len);
key->rr = (uint32_t *) malloc(len);
read(key_fd, key->rr, len);
#ifndef NDEBUG
{
int i;
for(i=0; i<key->len; i++) {
fprintf(stderr, "%d,", key->n[i]);
}
fprintf(stderr, "\n");
for(i=0; i<key->len; i++) {
fprintf(stderr, "%d,", key->rr[i]);
}
fprintf(stderr, "\n");
}
#endif
close(key_fd);
return key;
}
uint8_t* SHA1_file(char *input_file) {
int i, input_fd, len;
uint8_t data[SHA1_BLOCK_SIZE], *digest = NULL, *p = NULL;
SHA1_CTX ctx;
if( (input_fd = open(input_file, O_RDONLY)) == -1 ) {
fprintf(stderr, "Couldn't open input file.\n");
return NULL;
}
/* Calculate SHA1 hash of input blocks, reading one block at a time. */
SHA1_init(&ctx);
while ( (len = read(input_fd, data, SHA1_BLOCK_SIZE)) == SHA1_BLOCK_SIZE)
SHA1_update(&ctx, data, len);
if (len != -1)
SHA1_update(&ctx, data, len);
p = SHA1_final(&ctx);
close(input_fd);
digest = (uint8_t*) malloc(SHA1_DIGEST_SIZE);
if (!digest)
return NULL;
for (i=0; i < SHA1_DIGEST_SIZE; i++)
digest[i] = *p++;
return digest;
}
uint8_t* SHA256_file(char *input_file) {
int i, input_fd, len;
uint8_t data[SHA256_BLOCK_SIZE], *digest = NULL, *p = NULL;
SHA256_CTX ctx;
if( (input_fd = open(input_file, O_RDONLY)) == -1 ) {
fprintf(stderr, "Couldn't open input file.\n");
return NULL;
}
/* Calculate SHA256 hash of file, reading one block at a time. */
SHA256_init(&ctx);
while ( (len = read(input_fd, data, SHA256_BLOCK_SIZE)) == SHA256_BLOCK_SIZE)
SHA256_update(&ctx, data, len);
if (len != -1)
SHA256_update(&ctx, data, len);
p = SHA256_final(&ctx);
close(input_fd);
digest = (uint8_t*) malloc(SHA256_DIGEST_SIZE);
if (!digest)
return NULL;
for (i=0; i < SHA256_DIGEST_SIZE; i++)
digest[i] = *p++;
return digest;
}
uint8_t* SHA512_file(char* input_file) {
int input_fd;
uint8_t data[SHA512_BLOCK_SIZE], *digest = NULL, *p = NULL;
int i, len;
SHA512_CTX ctx;
if( (input_fd = open(input_file, O_RDONLY)) == -1 ) {
fprintf(stderr, "Couldn't open input file.\n");
return NULL;
}
/* Calculate SHA512 hash of file, reading one block at a time. */
SHA512_init(&ctx);
while ( (len = read(input_fd, data, SHA512_BLOCK_SIZE)) == SHA512_BLOCK_SIZE)
SHA512_update(&ctx, data, len);
if (len != -1)
SHA512_update(&ctx, data, len);
p = SHA512_final(&ctx);
close(input_fd);
digest = (uint8_t*) malloc(SHA512_DIGEST_SIZE);
if (!digest)
return NULL;
for (i=0; i < SHA512_DIGEST_SIZE; i++)
digest[i] = *p++;
return digest;
}
uint8_t* calculate_digest(char *input_file, int algorithm) {
typedef uint8_t* (*Hash_file_ptr) (char*);
Hash_file_ptr hash_file[] = {
SHA1_file, /* RSA 1024 */
SHA256_file,
SHA512_file,
SHA1_file, /* RSA 2048 */
SHA256_file,
SHA512_file,
SHA1_file, /* RSA 4096 */
SHA256_file,
SHA512_file,
SHA1_file, /* RSA 8192 */
SHA256_file,
SHA512_file,
};
return hash_file[algorithm](input_file);
}
uint8_t* read_signature(char *input_file, int len) {
int i, sigfd;
uint8_t *signature = NULL;
if ((sigfd = open(input_file, O_RDONLY)) == -1) {
fprintf(stderr, "Couldn't open signature file\n");
return NULL;
}
/* Read the signature into a buffer*/
signature = (uint8_t*) malloc(len);
if (!signature)
return NULL;
if( (i = read(sigfd, signature, len)) != len ) {
fprintf(stderr, "Wrong signature length - Expected = %d, Received = %d\n",
len, i);
close(sigfd);
return NULL;
}
close(sigfd);
return signature;
}
int main(int argc, char* argv[]) {
int i, algorithm, sig_len;
uint8_t *digest = NULL, *signature = NULL;
RSAPublicKey* key = NULL;
if (argc!=5) {
fprintf(stderr, "Usage: %s <algorithm> <key file> <signature file>"
" <input file>\n\n", argv[0]);
fprintf(stderr, "where <algorithm> depends on the signature algorithm"
" used:\n");
for(i = 0; i<kNumAlgorithms; i++)
fprintf(stderr, "\t%d for %s\n", i, algo_strings[i]);
return -1;
}
algorithm = atoi(argv[1]);
if (algorithm >= kNumAlgorithms) {
fprintf(stderr, "Invalid Algorithm!\n");
return 0;
}
/* Length of the RSA Signature/RSA Key */
sig_len = siglen_map[algorithm] * sizeof(uint32_t);
if (!(key = read_RSAkey(argv[2], sig_len)))
goto failure;
if (!(signature = read_signature(argv[3], sig_len)))
goto failure;
if (!(digest = calculate_digest(argv[4], algorithm)))
goto failure;
if(RSA_verify(key, signature, sig_len, algorithm, digest))
fprintf(stderr, "Signature Verification SUCCEEDED.\n");
else
fprintf(stderr, "Signature Verification FAILED!\n");
failure:
free(key);
free(signature);
free(digest);
return 0;
}

41
tests/verify_data.h Normal file
View File

@@ -0,0 +1,41 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#ifndef VBOOT_REFERENCE_VERIFY_DATA_H_
#define VBOOT_REFERENCE_VERIFY_DATA_H_
/* Reads a pre-processed key of a [len] bytes from [input_file] and
* returns it in a RSAPublicKey structure.
* Caller owns the returned key and must free it.
*/
RSAPublicKey* read_RSAkey(char *input_file, int len);
/* Returns the SHA-1 digest of [input_file].
* Caller owns the returned digest and must free it.
*/
uint8_t* SHA1_file(char *input_file);
/* Returns the SHA-256 digest of [input_file].
* Caller owns the returned digest and must free it.
*/
uint8_t* SHA256_file(char *input_file);
/* Returns the SHA-512 digest of [input_file].
* Caller owns the returned digest and must free it.
*/
uint8_t* SHA512_file(char *input_file);
/* Returns the appropriate digest for the [input_file] based on the
* signature [algorithm].
* Caller owns the returned digest and must free it.
*/
uint8_t* calculate_digest(char *input_file, int algorithm);
/* Return a signature of [len] bytes read from [input_file].
* Caller owns the returned signature and must free it.
*/
uint8_t* read_signature(char *input_file, int len);
#endif /* VBOOT_REFERENCE_VERIFY_DATA_H_ */

13
utils/Makefile Normal file
View File

@@ -0,0 +1,13 @@
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
LIBS=-lcrypto
all: dumpRSAPublicKey
dumpRSAPublicKey: dumpRSAPublicKey.c
$(CC) $(CFLAGS) $(LIBS) $< -o $@
clean:
rm -f dumpRSAPublicKey

175
utils/dumpRSAPublicKey.c Normal file
View File

@@ -0,0 +1,175 @@
/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
/* C port of DumpPublicKey.java from the Android Open source project with
* support for additional RSA key sizes. (platform/system/core,git/libmincrypt
* /tools/DumpPublicKey.java). Uses the OpenSSL X509 and BIGNUM library.
*/
#include <inttypes.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <string.h>
#include <unistd.h>
/* Command line tool to extract RSA public keys from X.509 certificates
* and output a pre-processed version of keys for use by RSA verification
* routines.
*/
int check(RSA* key) {
int public_exponent = BN_get_word(key->e);
int modulus = BN_num_bits(key->n);
if (public_exponent != 65537) {
fprintf(stderr, "WARNING: Public exponent should be 65537 (but is %d).\n",
public_exponent);
}
if (modulus != 1024 && modulus != 2048 && modulus != 4096
&& modulus != 8192) {
fprintf(stderr, "ERROR: Unknown modulus length = %d.\n", modulus);
return 0;
}
return 1;
}
/* Pre-processes and outputs RSA public key to standard out.
*/
void output(RSA* key) {
int i, nwords;
BIGNUM *N = key->n;
BIGNUM *Big1, *Big2, *Big32, *BigMinus1;
BIGNUM *B;
BIGNUM *N0inv, *R, *RR, *RRTemp, *NnumBits;
BIGNUM *n, *rr;
BN_CTX *bn_ctx = BN_CTX_new();
uint32_t n0invout;
N = key->n;
/* Output size of RSA key in 32-bit words */
nwords = BN_num_bits(N) / 32;
write(1, &nwords, sizeof(nwords));
/* Initialize BIGNUMs */
Big1 = BN_new();
Big2 = BN_new();
Big32 = BN_new();
BigMinus1 = BN_new();
N0inv= BN_new();
R = BN_new();
RR = BN_new();
RRTemp = BN_new();
NnumBits = BN_new();
n = BN_new();
rr = BN_new();
BN_set_word(Big1, 1L);
BN_set_word(Big2, 2L);
BN_set_word(Big32, 32L);
BN_sub(BigMinus1, Big1, Big2);
B = BN_new();
BN_exp(B, Big2, Big32, bn_ctx); /* B = 2^32 */
/* Calculate and output N0inv = -1 / N[0] mod 2^32 */
BN_mod_inverse(N0inv, N, B, bn_ctx);
BN_sub(N0inv, B, N0inv);
n0invout = BN_get_word(N0inv);
write(1, &n0invout, sizeof(n0invout));
/* Calculate R = 2^(# of key bits) */
BN_set_word(NnumBits, BN_num_bits(N));
BN_exp(R, Big2, NnumBits, bn_ctx);
/* Calculate RR = R^2 mod N */
BN_copy(RR, R);
BN_mul(RRTemp, RR, R, bn_ctx);
BN_mod(RR, RRTemp, N, bn_ctx);
/* Write out modulus as little endian array of integers. */
for (i = 0; i < nwords; ++i) {
uint32_t nout;
BN_mod(n, N, B, bn_ctx); /* n = N mod B */
nout = BN_get_word(n);
write(1, &nout, sizeof(nout));
BN_rshift(N, N, 32); /* N = N/B */
}
/* Write R^2 as little endian array of integers. */
for (i = 0; i < nwords; ++i) {
uint32_t rrout;
BN_mod(rr, RR, B, bn_ctx); /* rr = RR mod B */
rrout = BN_get_word(rr);
write(1, &rrout, sizeof(rrout));
BN_rshift(RR, RR, 32); /* RR = RR/B */
}
/* Free BIGNUMs. */
BN_free(Big1);
BN_free(Big2);
BN_free(Big32);
BN_free(BigMinus1);
BN_free(N0inv);
BN_free(R);
BN_free(RRTemp);
BN_free(NnumBits);
BN_free(n);
BN_free(rr);
}
int main(int argc, char* argv[]) {
FILE* fp;
X509* cert = NULL;
RSA* pubkey = NULL;
EVP_PKEY* key;
if (argc != 2) {
fprintf(stderr, "Usage: %s <certfile>\n", argv[0]);
return -1;
}
fp = fopen(argv[1], "r");
if (!fp) {
fprintf(stderr, "Couldn't open certificate file!\n");
return -1;
}
/* Read the certificate */
if (!PEM_read_X509(fp, &cert, NULL, NULL)) {
fprintf(stderr, "Couldn't read certificate.\n");
goto fail;
}
/* Get the public key from the certificate. */
key = X509_get_pubkey(cert);
/* Convert to a RSA_style key. */
if (!(pubkey = EVP_PKEY_get1_RSA(key))) {
fprintf(stderr, "Couldn't convert to a RSA style key.\n");
goto fail;
}
if (check(pubkey)) {
output (pubkey);
}
fail:
X509_free(cert);
RSA_free(pubkey);
fclose(fp);
return 0;
}