144e104a1e
current implementation $ ls -al build/versatilpb/arch/arm/pbl/zbarebox.bin -rw-r--r-- 1 root root 211095 Mar 24 13:21 build/versatilpb/arch/arm/pbl/zbarebox.bin linux generic implementation $ ls -al build/versatilpb/arch/arm/pbl/zbarebox.bin -rw-r--r-- 1 root root 210829 Mar 24 13:21 build/versatilpb/arch/arm/pbl/zbarebox.bin on a compressed lzo barebox we will 266 bytes Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
306 lines
8.3 KiB
C
306 lines
8.3 KiB
C
/*
|
|
* Cryptographic API.
|
|
*
|
|
* SHA1 Secure Hash Algorithm.
|
|
*
|
|
* Derived from cryptoapi implementation, adapted for in-place
|
|
* scatterlist interface.
|
|
*
|
|
* Copyright (c) Alan Smithee.
|
|
* Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
|
|
* Copyright (c) Jean-Francois Dive <jef@linuxbe.org>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the Free
|
|
* Software Foundation; either version 2 of the License, or (at your option)
|
|
* any later version.
|
|
*
|
|
*/
|
|
|
|
#include <common.h>
|
|
#include <digest.h>
|
|
#include <init.h>
|
|
#include <linux/string.h>
|
|
#include <asm/unaligned.h>
|
|
#include <asm/byteorder.h>
|
|
|
|
#include <crypto/sha.h>
|
|
#include <crypto/internal.h>
|
|
|
|
#define SHA_WORKSPACE_WORDS 16
|
|
|
|
static int sha1_init(struct digest *desc)
|
|
{
|
|
struct sha1_state *ctx = digest_ctx(desc);
|
|
|
|
ctx->count = 0;
|
|
|
|
ctx->state[0] = SHA1_H0;
|
|
ctx->state[1] = SHA1_H1;
|
|
ctx->state[2] = SHA1_H2;
|
|
ctx->state[3] = SHA1_H3;
|
|
ctx->state[4] = SHA1_H4;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* If you have 32 registers or more, the compiler can (and should)
|
|
* try to change the array[] accesses into registers. However, on
|
|
* machines with less than ~25 registers, that won't really work,
|
|
* and at least gcc will make an unholy mess of it.
|
|
*
|
|
* So to avoid that mess which just slows things down, we force
|
|
* the stores to memory to actually happen (we might be better off
|
|
* with a 'W(t)=(val);asm("":"+m" (W(t))' there instead, as
|
|
* suggested by Artur Skawina - that will also make gcc unable to
|
|
* try to do the silly "optimize away loads" part because it won't
|
|
* see what the value will be).
|
|
*
|
|
* Ben Herrenschmidt reports that on PPC, the C version comes close
|
|
* to the optimized asm with this (ie on PPC you don't want that
|
|
* 'volatile', since there are lots of registers).
|
|
*
|
|
* On ARM we get the best code generation by forcing a full memory barrier
|
|
* between each SHA_ROUND, otherwise gcc happily get wild with spilling and
|
|
* the stack frame size simply explode and performance goes down the drain.
|
|
*/
|
|
|
|
#ifdef CONFIG_X86
|
|
#define setW(x, val) (*(volatile __u32 *)&W(x) = (val))
|
|
#elif defined(CONFIG_ARM)
|
|
#define setW(x, val) do { W(x) = (val); __asm__("":::"memory"); } while (0)
|
|
#else
|
|
#define setW(x, val) (W(x) = (val))
|
|
#endif
|
|
|
|
/* This "rolls" over the 512-bit array */
|
|
#define W(x) (array[(x)&15])
|
|
|
|
/*
|
|
* Where do we get the source from? The first 16 iterations get it from
|
|
* the input data, the next mix it from the 512-bit array.
|
|
*/
|
|
#define SHA_SRC(t) get_unaligned_be32((__u32 *)data + t)
|
|
#define SHA_MIX(t) rol32(W(t+13) ^ W(t+8) ^ W(t+2) ^ W(t), 1)
|
|
|
|
#define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
|
|
__u32 TEMP = input(t); setW(t, TEMP); \
|
|
E += TEMP + rol32(A,5) + (fn) + (constant); \
|
|
B = ror32(B, 2); } while (0)
|
|
|
|
#define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
|
|
#define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
|
|
#define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eba1, A, B, C, D, E )
|
|
#define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E )
|
|
#define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E )
|
|
|
|
/**
|
|
* sha_transform - single block SHA1 transform
|
|
*
|
|
* @digest: 160 bit digest to update
|
|
* @data: 512 bits of data to hash
|
|
* @array: 16 words of workspace (see note)
|
|
*
|
|
* This function generates a SHA1 digest for a single 512-bit block.
|
|
* Be warned, it does not handle padding and message digest, do not
|
|
* confuse it with the full FIPS 180-1 digest algorithm for variable
|
|
* length messages.
|
|
*
|
|
* Note: If the hash is security sensitive, the caller should be sure
|
|
* to clear the workspace. This is left to the caller to avoid
|
|
* unnecessary clears between chained hashing operations.
|
|
*/
|
|
static void sha_transform(__u32 *digest, const char *data, __u32 *array)
|
|
{
|
|
__u32 A, B, C, D, E;
|
|
|
|
A = digest[0];
|
|
B = digest[1];
|
|
C = digest[2];
|
|
D = digest[3];
|
|
E = digest[4];
|
|
|
|
/* Round 1 - iterations 0-16 take their input from 'data' */
|
|
T_0_15( 0, A, B, C, D, E);
|
|
T_0_15( 1, E, A, B, C, D);
|
|
T_0_15( 2, D, E, A, B, C);
|
|
T_0_15( 3, C, D, E, A, B);
|
|
T_0_15( 4, B, C, D, E, A);
|
|
T_0_15( 5, A, B, C, D, E);
|
|
T_0_15( 6, E, A, B, C, D);
|
|
T_0_15( 7, D, E, A, B, C);
|
|
T_0_15( 8, C, D, E, A, B);
|
|
T_0_15( 9, B, C, D, E, A);
|
|
T_0_15(10, A, B, C, D, E);
|
|
T_0_15(11, E, A, B, C, D);
|
|
T_0_15(12, D, E, A, B, C);
|
|
T_0_15(13, C, D, E, A, B);
|
|
T_0_15(14, B, C, D, E, A);
|
|
T_0_15(15, A, B, C, D, E);
|
|
|
|
/* Round 1 - tail. Input from 512-bit mixing array */
|
|
T_16_19(16, E, A, B, C, D);
|
|
T_16_19(17, D, E, A, B, C);
|
|
T_16_19(18, C, D, E, A, B);
|
|
T_16_19(19, B, C, D, E, A);
|
|
|
|
/* Round 2 */
|
|
T_20_39(20, A, B, C, D, E);
|
|
T_20_39(21, E, A, B, C, D);
|
|
T_20_39(22, D, E, A, B, C);
|
|
T_20_39(23, C, D, E, A, B);
|
|
T_20_39(24, B, C, D, E, A);
|
|
T_20_39(25, A, B, C, D, E);
|
|
T_20_39(26, E, A, B, C, D);
|
|
T_20_39(27, D, E, A, B, C);
|
|
T_20_39(28, C, D, E, A, B);
|
|
T_20_39(29, B, C, D, E, A);
|
|
T_20_39(30, A, B, C, D, E);
|
|
T_20_39(31, E, A, B, C, D);
|
|
T_20_39(32, D, E, A, B, C);
|
|
T_20_39(33, C, D, E, A, B);
|
|
T_20_39(34, B, C, D, E, A);
|
|
T_20_39(35, A, B, C, D, E);
|
|
T_20_39(36, E, A, B, C, D);
|
|
T_20_39(37, D, E, A, B, C);
|
|
T_20_39(38, C, D, E, A, B);
|
|
T_20_39(39, B, C, D, E, A);
|
|
|
|
/* Round 3 */
|
|
T_40_59(40, A, B, C, D, E);
|
|
T_40_59(41, E, A, B, C, D);
|
|
T_40_59(42, D, E, A, B, C);
|
|
T_40_59(43, C, D, E, A, B);
|
|
T_40_59(44, B, C, D, E, A);
|
|
T_40_59(45, A, B, C, D, E);
|
|
T_40_59(46, E, A, B, C, D);
|
|
T_40_59(47, D, E, A, B, C);
|
|
T_40_59(48, C, D, E, A, B);
|
|
T_40_59(49, B, C, D, E, A);
|
|
T_40_59(50, A, B, C, D, E);
|
|
T_40_59(51, E, A, B, C, D);
|
|
T_40_59(52, D, E, A, B, C);
|
|
T_40_59(53, C, D, E, A, B);
|
|
T_40_59(54, B, C, D, E, A);
|
|
T_40_59(55, A, B, C, D, E);
|
|
T_40_59(56, E, A, B, C, D);
|
|
T_40_59(57, D, E, A, B, C);
|
|
T_40_59(58, C, D, E, A, B);
|
|
T_40_59(59, B, C, D, E, A);
|
|
|
|
/* Round 4 */
|
|
T_60_79(60, A, B, C, D, E);
|
|
T_60_79(61, E, A, B, C, D);
|
|
T_60_79(62, D, E, A, B, C);
|
|
T_60_79(63, C, D, E, A, B);
|
|
T_60_79(64, B, C, D, E, A);
|
|
T_60_79(65, A, B, C, D, E);
|
|
T_60_79(66, E, A, B, C, D);
|
|
T_60_79(67, D, E, A, B, C);
|
|
T_60_79(68, C, D, E, A, B);
|
|
T_60_79(69, B, C, D, E, A);
|
|
T_60_79(70, A, B, C, D, E);
|
|
T_60_79(71, E, A, B, C, D);
|
|
T_60_79(72, D, E, A, B, C);
|
|
T_60_79(73, C, D, E, A, B);
|
|
T_60_79(74, B, C, D, E, A);
|
|
T_60_79(75, A, B, C, D, E);
|
|
T_60_79(76, E, A, B, C, D);
|
|
T_60_79(77, D, E, A, B, C);
|
|
T_60_79(78, C, D, E, A, B);
|
|
T_60_79(79, B, C, D, E, A);
|
|
|
|
digest[0] += A;
|
|
digest[1] += B;
|
|
digest[2] += C;
|
|
digest[3] += D;
|
|
digest[4] += E;
|
|
}
|
|
|
|
static int sha1_update(struct digest *desc, const void *data,
|
|
unsigned long len)
|
|
{
|
|
struct sha1_state *sctx = digest_ctx(desc);
|
|
unsigned int partial, done;
|
|
const u8 *src;
|
|
|
|
partial = sctx->count % SHA1_BLOCK_SIZE;
|
|
sctx->count += len;
|
|
done = 0;
|
|
src = data;
|
|
|
|
if ((partial + len) >= SHA1_BLOCK_SIZE) {
|
|
u32 temp[SHA_WORKSPACE_WORDS];
|
|
|
|
if (partial) {
|
|
done = -partial;
|
|
memcpy(sctx->buffer + partial, data,
|
|
done + SHA1_BLOCK_SIZE);
|
|
src = sctx->buffer;
|
|
}
|
|
|
|
do {
|
|
sha_transform(sctx->state, src, temp);
|
|
done += SHA1_BLOCK_SIZE;
|
|
src = data + done;
|
|
} while (done + SHA1_BLOCK_SIZE <= len);
|
|
|
|
memset(temp, 0, sizeof(temp));
|
|
partial = 0;
|
|
}
|
|
memcpy(sctx->buffer + partial, src, len - done);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int sha1_final(struct digest *desc, unsigned char *md)
|
|
{
|
|
struct sha1_state *sctx = digest_ctx(desc);
|
|
__be32 *dst = (__be32 *)md;
|
|
u32 i, index, padlen;
|
|
__be64 bits;
|
|
static const u8 padding[64] = { 0x80, };
|
|
|
|
bits = cpu_to_be64(sctx->count << 3);
|
|
|
|
/* Pad out to 56 mod 64 */
|
|
index = sctx->count & 0x3f;
|
|
padlen = (index < 56) ? (56 - index) : ((64+56) - index);
|
|
sha1_update(desc, padding, padlen);
|
|
|
|
/* Append length */
|
|
sha1_update(desc, (const u8 *)&bits, sizeof(bits));
|
|
|
|
/* Store state in digest */
|
|
for (i = 0; i < 5; i++)
|
|
dst[i] = cpu_to_be32(sctx->state[i]);
|
|
|
|
/* Wipe context */
|
|
memset(sctx, 0, sizeof *sctx);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct digest_algo m = {
|
|
.base = {
|
|
.name = "sha1",
|
|
.driver_name = "sha1-generic",
|
|
.priority = 0,
|
|
},
|
|
|
|
.init = sha1_init,
|
|
.update = sha1_update,
|
|
.final = sha1_final,
|
|
.digest = digest_generic_digest,
|
|
.verify = digest_generic_verify,
|
|
.length = SHA1_DIGEST_SIZE,
|
|
.ctx_length = sizeof(struct sha1_state),
|
|
};
|
|
|
|
static int sha1_digest_register(void)
|
|
{
|
|
return digest_algo_register(&m);
|
|
}
|
|
device_initcall(sha1_digest_register);
|