[crypto] Replace SHA-1 implementation

Replace SHA-1 implementation from AXTLS with a dedicated iPXE
implementation which is around 40% smaller.  This implementation has
been verified using the existing SHA-1 self-tests (including the NIST
SHA-1 test vectors).

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/crypto/axtls/sha1.c

@@ -1,240 +0,0 @@
-/*
- *  Copyright(C) 2006 Cameron Rich
- *
- *  This library is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU Lesser General Public License as published by
- *  the Free Software Foundation; either version 2.1 of the License, or
- *  (at your option) any later version.
- *
- *  This library is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU Lesser General Public License for more details.
- *
- *  You should have received a copy of the GNU Lesser General Public License
- *  along with this library; if not, write to the Free Software
- *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/**
- * SHA1 implementation - as defined in FIPS PUB 180-1 published April 17, 1995.
- * This code was originally taken from RFC3174
- */
-
-#include <string.h>
-#include "crypto.h"
-
-/*
- *  Define the SHA1 circular left shift macro
- */
-#define SHA1CircularShift(bits,word) \
-                (((word) << (bits)) | ((word) >> (32-(bits))))
-
-/* ----- static functions ----- */
-static void SHA1PadMessage(SHA1_CTX *ctx);
-static void SHA1ProcessMessageBlock(SHA1_CTX *ctx);
-
-/**
- * Initialize the SHA1 context 
- */
-void SHA1Init(SHA1_CTX *ctx)
-{
-    ctx->Length_Low             = 0;
-    ctx->Length_High            = 0;
-    ctx->Message_Block_Index    = 0;
-    ctx->Intermediate_Hash[0]   = 0x67452301;
-    ctx->Intermediate_Hash[1]   = 0xEFCDAB89;
-    ctx->Intermediate_Hash[2]   = 0x98BADCFE;
-    ctx->Intermediate_Hash[3]   = 0x10325476;
-    ctx->Intermediate_Hash[4]   = 0xC3D2E1F0;
-}
-
-/**
- * Accepts an array of octets as the next portion of the message.
- */
-void SHA1Update(SHA1_CTX *ctx, const uint8_t *msg, int len)
-{
-    while (len--)
-    {
-        ctx->Message_Block[ctx->Message_Block_Index++] = (*msg & 0xFF);
-
-        ctx->Length_Low += 8;
-        if (ctx->Length_Low == 0)
-        {
-            ctx->Length_High++;
-        }
-
-        if (ctx->Message_Block_Index == 64)
-        {
-            SHA1ProcessMessageBlock(ctx);
-        }
-
-        msg++;
-    }
-}
-
-/**
- * Return the 160-bit message digest into the user's array
- */
-void SHA1Final(SHA1_CTX *ctx, uint8_t *digest)
-{
-    int i;
-
-    SHA1PadMessage(ctx);
-    memset(ctx->Message_Block, 0, 64);
-    ctx->Length_Low = 0;    /* and clear length */
-    ctx->Length_High = 0;
-
-    for  (i = 0; i < SHA1_SIZE; i++)
-    {
-        digest[i] = ctx->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) );
-    }
-}
-
-/**
- * Process the next 512 bits of the message stored in the array.
- */
-static void SHA1ProcessMessageBlock(SHA1_CTX *ctx)
-{
-    const uint32_t K[] =    {       /* Constants defined in SHA-1   */
-                            0x5A827999,
-                            0x6ED9EBA1,
-                            0x8F1BBCDC,
-                            0xCA62C1D6
-                            };
-    int        t;                 /* Loop counter                */
-    uint32_t      temp;              /* Temporary word value        */
-    uint32_t      W[80];             /* Word sequence               */
-    uint32_t      A, B, C, D, E;     /* Word buffers                */
-
-    /*
-     *  Initialize the first 16 words in the array W
-     */
-    for  (t = 0; t < 16; t++)
-    {
-        W[t] = ctx->Message_Block[t * 4] << 24;
-        W[t] |= ctx->Message_Block[t * 4 + 1] << 16;
-        W[t] |= ctx->Message_Block[t * 4 + 2] << 8;
-        W[t] |= ctx->Message_Block[t * 4 + 3];
-    }
-
-    for (t = 16; t < 80; t++)
-    {
-       W[t] = SHA1CircularShift(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
-    }
-
-    A = ctx->Intermediate_Hash[0];
-    B = ctx->Intermediate_Hash[1];
-    C = ctx->Intermediate_Hash[2];
-    D = ctx->Intermediate_Hash[3];
-    E = ctx->Intermediate_Hash[4];
-
-    for (t = 0; t < 20; t++)
-    {
-        temp =  SHA1CircularShift(5,A) +
-                ((B & C) | ((~B) & D)) + E + W[t] + K[0];
-        E = D;
-        D = C;
-        C = SHA1CircularShift(30,B);
-
-        B = A;
-        A = temp;
-    }
-
-    for (t = 20; t < 40; t++)
-    {
-        temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[1];
-        E = D;
-        D = C;
-        C = SHA1CircularShift(30,B);
-        B = A;
-        A = temp;
-    }
-
-    for (t = 40; t < 60; t++)
-    {
-        temp = SHA1CircularShift(5,A) +
-               ((B & C) | (B & D) | (C & D)) + E + W[t] + K[2];
-        E = D;
-        D = C;
-        C = SHA1CircularShift(30,B);
-        B = A;
-        A = temp;
-    }
-
-    for (t = 60; t < 80; t++)
-    {
-        temp = SHA1CircularShift(5,A) + (B ^ C ^ D) + E + W[t] + K[3];
-        E = D;
-        D = C;
-        C = SHA1CircularShift(30,B);
-        B = A;
-        A = temp;
-    }
-
-    ctx->Intermediate_Hash[0] += A;
-    ctx->Intermediate_Hash[1] += B;
-    ctx->Intermediate_Hash[2] += C;
-    ctx->Intermediate_Hash[3] += D;
-    ctx->Intermediate_Hash[4] += E;
-    ctx->Message_Block_Index = 0;
-}
-
-/*
- * According to the standard, the message must be padded to an even
- * 512 bits.  The first padding bit must be a '1'.  The last 64
- * bits represent the length of the original message.  All bits in
- * between should be 0.  This function will pad the message
- * according to those rules by filling the Message_Block array
- * accordingly.  It will also call the ProcessMessageBlock function
- * provided appropriately.  When it returns, it can be assumed that
- * the message digest has been computed.
- *
- * @param ctx [in, out] The SHA1 context
- */
-static void SHA1PadMessage(SHA1_CTX *ctx)
-{
-    /*
-     *  Check to see if the current message block is too small to hold
-     *  the initial padding bits and length.  If so, we will pad the
-     *  block, process it, and then continue padding into a second
-     *  block.
-     */
-    if (ctx->Message_Block_Index > 55)
-    {
-        ctx->Message_Block[ctx->Message_Block_Index++] = 0x80;
-        while(ctx->Message_Block_Index < 64)
-        {
-            ctx->Message_Block[ctx->Message_Block_Index++] = 0;
-        }
-
-        SHA1ProcessMessageBlock(ctx);
-
-        while (ctx->Message_Block_Index < 56)
-        {
-            ctx->Message_Block[ctx->Message_Block_Index++] = 0;
-        }
-    }
-    else
-    {
-        ctx->Message_Block[ctx->Message_Block_Index++] = 0x80;
-        while(ctx->Message_Block_Index < 56)
-        {
-
-            ctx->Message_Block[ctx->Message_Block_Index++] = 0;
-        }
-    }
-
-    /*
-     *  Store the message length as the last 8 octets
-     */
-    ctx->Message_Block[56] = ctx->Length_High >> 24;
-    ctx->Message_Block[57] = ctx->Length_High >> 16;
-    ctx->Message_Block[58] = ctx->Length_High >> 8;
-    ctx->Message_Block[59] = ctx->Length_High;
-    ctx->Message_Block[60] = ctx->Length_Low >> 24;
-    ctx->Message_Block[61] = ctx->Length_Low >> 16;
-    ctx->Message_Block[62] = ctx->Length_Low >> 8;
-    ctx->Message_Block[63] = ctx->Length_Low;
-    SHA1ProcessMessageBlock(ctx);
-}

src/crypto/axtls_sha1.c

@@ -1,25 +0,0 @@
-#include "crypto/axtls/crypto.h"
-#include <ipxe/crypto.h>
-#include <ipxe/sha1.h>
-
-static void sha1_init ( void *ctx ) {
-	SHA1Init ( ctx );
-}
-
-static void sha1_update ( void *ctx, const void *data, size_t len ) {
-	SHA1Update ( ctx, data, len );
-}
-
-static void sha1_final ( void *ctx, void *out ) {
-	SHA1Final ( ctx, out );
-}
-
-struct digest_algorithm sha1_algorithm = {
-	.name		= "sha1",
-	.ctxsize	= SHA1_CTX_SIZE,
-	.blocksize	= 64,
-	.digestsize	= SHA1_DIGEST_SIZE,
-	.init		= sha1_init,
-	.update		= sha1_update,
-	.final		= sha1_final,
-};

src/crypto/sha1.c

@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+/** @file
+ *
+ * SHA-1 algorithm
+ *
+ */
+
+#include <stdint.h>
+#include <string.h>
+#include <byteswap.h>
+#include <assert.h>
+#include <ipxe/crypto.h>
+#include <ipxe/sha1.h>
+
+/**
+ * Rotate dword left
+ *
+ * @v dword		Dword
+ * @v rotate		Amount of rotation
+ */
+static inline __attribute__ (( always_inline )) uint32_t
+rol32 ( uint32_t dword, unsigned int rotate ) {
+	return ( ( dword << rotate ) | ( dword >> ( 32 - rotate ) ) );
+}
+
+/** SHA-1 variables */
+struct sha1_variables {
+	/* This layout matches that of struct sha1_digest_data,
+	 * allowing for efficient endianness-conversion,
+	 */
+	uint32_t a;
+	uint32_t b;
+	uint32_t c;
+	uint32_t d;
+	uint32_t e;
+	uint32_t w[80];
+} __attribute__ (( packed ));
+
+/**
+ * f(a,b,c,d) for steps 0 to 19
+ *
+ * @v v		SHA-1 variables
+ * @ret f	f(a,b,c,d)
+ */
+static uint32_t sha1_f_0_19 ( struct sha1_variables *v ) {
+	return ( ( v->b & v->c ) | ( (~v->b) & v->d ) );
+}
+
+/**
+ * f(a,b,c,d) for steps 20 to 39 and 60 to 79
+ *
+ * @v v		SHA-1 variables
+ * @ret f	f(a,b,c,d)
+ */
+static uint32_t sha1_f_20_39_60_79 ( struct sha1_variables *v ) {
+	return ( v->b ^ v->c ^ v->d );
+}
+
+/**
+ * f(a,b,c,d) for steps 40 to 59
+ *
+ * @v v		SHA-1 variables
+ * @ret f	f(a,b,c,d)
+ */
+static uint32_t sha1_f_40_59 ( struct sha1_variables *v ) {
+	return ( ( v->b & v->c ) | ( v->b & v->d ) | ( v->c & v->d ) );
+}
+
+/** An SHA-1 step function */
+struct sha1_step {
+	/**
+	 * Calculate f(a,b,c,d)
+	 *
+	 * @v v		SHA-1 variables
+	 * @ret f	f(a,b,c,d)
+	 */
+	uint32_t ( * f ) ( struct sha1_variables *v );
+	/** Constant k */
+	uint32_t k;
+};
+
+/** SHA-1 steps */
+static struct sha1_step sha1_steps[4] = {
+	/** 0 to 19 */
+	{ .f = sha1_f_0_19,		.k = 0x5a827999 },
+	/** 20 to 39 */
+	{ .f = sha1_f_20_39_60_79,	.k = 0x6ed9eba1 },
+	/** 40 to 59 */
+	{ .f = sha1_f_40_59,		.k = 0x8f1bbcdc },
+	/** 60 to 79 */
+	{ .f = sha1_f_20_39_60_79,	.k = 0xca62c1d6 },
+};
+
+/**
+ * Initialise SHA-1 algorithm
+ *
+ * @v ctx		SHA-1 context
+ */
+static void sha1_init ( void *ctx ) {
+	struct sha1_context *context = ctx;
+
+	context->ddd.dd.digest.h[0] = cpu_to_be32 ( 0x67452301 );
+	context->ddd.dd.digest.h[1] = cpu_to_be32 ( 0xefcdab89 );
+	context->ddd.dd.digest.h[2] = cpu_to_be32 ( 0x98badcfe );
+	context->ddd.dd.digest.h[3] = cpu_to_be32 ( 0x10325476 );
+	context->ddd.dd.digest.h[4] = cpu_to_be32 ( 0xc3d2e1f0 );
+	context->len = 0;
+}
+
+/**
+ * Calculate SHA-1 digest of accumulated data
+ *
+ * @v context		SHA-1 context
+ */
+static void sha1_digest ( struct sha1_context *context ) {
+        union {
+		union sha1_digest_data_dwords ddd;
+		struct sha1_variables v;
+	} u;
+	uint32_t *a = &u.v.a;
+	uint32_t *b = &u.v.b;
+	uint32_t *c = &u.v.c;
+	uint32_t *d = &u.v.d;
+	uint32_t *e = &u.v.e;
+	uint32_t *w = u.v.w;
+	uint32_t f;
+	uint32_t k;
+	uint32_t temp;
+	struct sha1_step *step;
+	unsigned int i;
+
+	/* Sanity checks */
+	assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
+	linker_assert ( &u.ddd.dd.digest.h[0] == a, sha1_bad_layout );
+	linker_assert ( &u.ddd.dd.digest.h[1] == b, sha1_bad_layout );
+	linker_assert ( &u.ddd.dd.digest.h[2] == c, sha1_bad_layout );
+	linker_assert ( &u.ddd.dd.digest.h[3] == d, sha1_bad_layout );
+	linker_assert ( &u.ddd.dd.digest.h[4] == e, sha1_bad_layout );
+	linker_assert ( &u.ddd.dd.data.dword[0] == w, sha1_bad_layout );
+
+	DBGC ( context, "SHA1 digesting:\n" );
+	DBGC_HDA ( context, 0, &context->ddd.dd.digest,
+		   sizeof ( context->ddd.dd.digest ) );
+	DBGC_HDA ( context, context->len, &context->ddd.dd.data,
+		   sizeof ( context->ddd.dd.data ) );
+
+	/* Convert h[0..4] to host-endian, and initialise a, b, c, d,
+	 * e, and w[0..15]
+	 */
+	for ( i = 0 ; i < ( sizeof ( u.ddd.dword ) /
+			    sizeof ( u.ddd.dword[0] ) ) ; i++ ) {
+		be32_to_cpus ( &context->ddd.dword[i] );
+		u.ddd.dword[i] = context->ddd.dword[i];
+	}
+
+	/* Initialise w[16..79] */
+	for ( i = 16 ; i < 80 ; i++ )
+		w[i] = rol32 ( ( w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16] ), 1 );
+
+	/* Main loop */
+	for ( i = 0 ; i < 80 ; i++ ) {
+		step = &sha1_steps[ i / 20 ];
+		f = step->f ( &u.v );
+		k = step->k;
+		temp = ( rol32 ( *a, 5 ) + f + *e + k + w[i] );
+		*e = *d;
+		*d = *c;
+		*c = rol32 ( *b, 30 );
+		*b = *a;
+		*a = temp;
+		DBGC2 ( context, "%2d : %08x %08x %08x %08x %08x\n",
+			i, *a, *b, *c, *d, *e );
+	}
+
+	/* Add chunk to hash and convert back to big-endian */
+	for ( i = 0 ; i < 5 ; i++ ) {
+		context->ddd.dd.digest.h[i] =
+			cpu_to_be32 ( context->ddd.dd.digest.h[i] +
+				      u.ddd.dd.digest.h[i] );
+	}
+
+	DBGC ( context, "SHA1 digested:\n" );
+	DBGC_HDA ( context, 0, &context->ddd.dd.digest,
+		   sizeof ( context->ddd.dd.digest ) );
+}
+
+/**
+ * Accumulate data with SHA-1 algorithm
+ *
+ * @v ctx		SHA-1 context
+ * @v data		Data
+ * @v len		Length of data
+ */
+static void sha1_update ( void *ctx, const void *data, size_t len ) {
+	struct sha1_context *context = ctx;
+	const uint8_t *byte = data;
+	size_t offset;
+
+	/* Accumulate data a byte at a time, performing the digest
+	 * whenever we fill the data buffer
+	 */
+	while ( len-- ) {
+		offset = ( context->len % sizeof ( context->ddd.dd.data ) );
+		context->ddd.dd.data.byte[offset] = *(byte++);
+		context->len++;
+		if ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 )
+			sha1_digest ( context );
+	}
+}
+
+/**
+ * Generate SHA-1 digest
+ *
+ * @v ctx		SHA-1 context
+ * @v out		Output buffer
+ */
+static void sha1_final ( void *ctx, void *out ) {
+	struct sha1_context *context = ctx;
+	uint64_t len_bits;
+	uint8_t pad;
+
+	/* Record length before pre-processing */
+	len_bits = cpu_to_be64 ( ( ( uint64_t ) context->len ) * 8 );
+
+	/* Pad with a single "1" bit followed by as many "0" bits as required */
+	pad = 0x80;
+	do {
+		sha1_update ( ctx, &pad, sizeof ( pad ) );
+		pad = 0x00;
+	} while ( ( context->len % sizeof ( context->ddd.dd.data ) ) !=
+		  offsetof ( typeof ( context->ddd.dd.data ), final.len ) );
+
+	/* Append length (in bits) */
+	sha1_update ( ctx, &len_bits, sizeof ( len_bits ) );
+	assert ( ( context->len % sizeof ( context->ddd.dd.data ) ) == 0 );
+
+	/* Copy out final digest */
+	memcpy ( out, &context->ddd.dd.digest,
+		 sizeof ( context->ddd.dd.digest ) );
+}
+
+/** SHA-1 algorithm */
+struct digest_algorithm sha1_algorithm = {
+	.name		= "sha1",
+	.ctxsize	= sizeof ( struct sha1_context ),
+	.blocksize	= sizeof ( union sha1_block ),
+	.digestsize	= sizeof ( struct sha1_digest ),
+	.init		= sha1_init,
+	.update		= sha1_update,
+	.final		= sha1_final,
+};

src/include/ipxe/sha1.h

@@ -1,24 +1,80 @@
 #ifndef _IPXE_SHA1_H
 #define _IPXE_SHA1_H
 
+/** @file
+ *
+ * SHA-1 algorithm
+ *
+ */
+
 FILE_LICENCE ( GPL2_OR_LATER );
 
-#include "crypto/axtls/crypto.h"
+#include <stdint.h>
+#include <ipxe/crypto.h>
 
-struct digest_algorithm;
+/** An SHA-1 digest */
+struct sha1_digest {
+	/** Hash output */
+	uint32_t h[5];
+};
 
-#define SHA1_CTX_SIZE sizeof ( SHA1_CTX )
-#define SHA1_DIGEST_SIZE SHA1_SIZE
+/** An SHA-1 data block */
+union sha1_block {
+	/** Raw bytes */
+	uint8_t byte[64];
+	/** Raw dwords */
+	uint32_t dword[16];
+	/** Final block structure */
+	struct {
+		/** Padding */
+		uint8_t pad[56];
+		/** Length in bits */
+		uint64_t len;
+	} final;
+};
 
-extern struct digest_algorithm sha1_algorithm;
+/** SHA-1 digest and data block
+ *
+ * The order of fields within this structure is designed to minimise
+ * code size.
+ */
+struct sha1_digest_data {
+	/** Digest of data already processed */
+	struct sha1_digest digest;
+	/** Accumulated data */
+	union sha1_block data;
+} __attribute__ (( packed ));
+
+/** SHA-1 digest and data block */
+union sha1_digest_data_dwords {
+	/** Digest and data block */
+	struct sha1_digest_data dd;
+	/** Raw dwords */
+	uint32_t dword[ sizeof ( struct sha1_digest_data ) /
+			sizeof ( uint32_t ) ];
+};
 
-/* SHA1-wrapping functions defined in sha1extra.c: */
+/** An SHA-1 context */
+struct sha1_context {
+	/** Amount of accumulated data */
+	size_t len;
+	/** Digest and accumulated data */
+	union sha1_digest_data_dwords ddd;
+} __attribute__ (( packed ));
 
-void prf_sha1 ( const void *key, size_t key_len, const char *label,
-		const void *data, size_t data_len, void *prf, size_t prf_len );
+/** SHA-1 context size */
+#define SHA1_CTX_SIZE sizeof ( struct sha1_context )
+
+/** SHA-1 digest size */
+#define SHA1_DIGEST_SIZE sizeof ( struct sha1_digest )
+
+extern struct digest_algorithm sha1_algorithm;
 
-void pbkdf2_sha1 ( const void *passphrase, size_t pass_len,
-		   const void *salt, size_t salt_len,
-		   int iterations, void *key, size_t key_len );
+extern void prf_sha1 ( const void *key, size_t key_len, const char *label,
+		       const void *data, size_t data_len, void *prf,
+		       size_t prf_len );
+extern void pbkdf2_sha1 ( const void *passphrase, size_t pass_len,
+			  const void *salt, size_t salt_len,
+			  int iterations, void *key, size_t key_len );
 
 #endif /* _IPXE_SHA1_H */