用M4芯片的HASH模块计算SHA1和HMAC_SHA1
STM32F439芯片,以下用M4称呼。M4的HASH模块,可以计算SHA1、SHA224、SHA256、MD5这些校验值,也可以计算基于它们的HMAC加密校验值,都是硬件计算。在此以SHA1及其HMAC_SHA1为例,讨论其用法。
介绍一下HMAC的概念:
HMAC(message) = Hash[((key | pad) XOR 0x5C) | Hash(((key | pad) XOR 0x36) | message)]
其中,(key | pad)表示在key的后面缀上若干数量的零,使得其总长度为64bytes,即512bits。假如key本身就已经达到512bits,就不必后缀零了。假如key超过了512bits,那么计算这个key的HASH值来代替原本的key。XOR 0x5C表示这64个byte全部要异或0x5C。XOR 0x36同理,剩下的 | 符号只是简单的连接前面的bit串和后面的bit串。
首先要说明的是,这些校验算法,对原始数据的尺寸,都是以bit为单位的。只不过,平时在电脑上常用的CRC32啦、MD5啦、SHA1啦,因为都是用来校验文件的,而文件的尺寸是以byte为单位的,所以常见的HASH函数都是以byte为单位,就连M4的固件库也不例外。固件库里面的函数如下:
ErrorStatus HASH_SHA1(uint8_t *Input, uint32_t Ilen, uint8_t Output[20])
{
……
/* Number of valid bits in last word of the Input data */
nbvalidbitsdata = 8 * (Ilen % 4);
/* HASH peripheral initialization */
HASH_DeInit();
……
/* Configure the number of valid bits in last word of the data */
HASH_SetLastWordValidBitsNbr(nbvalidbitsdata);
/* Write the Input block in the IN FIFO */
for(i=0; i<Ilen; i+=4)
{
HASH_DataIn(*(uint32_t*)inputaddr);
inputaddr+=4;
}
/* Start the HASH processor */
HASH_StartDigest();
……
if (busystatus != RESET)
{
status = ERROR;
}
else
{
/* Read the message digest */
HASH_GetDigest(&SHA1_MessageDigest);
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[0]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[1]);
……
}
return status;
}
首先初始化该模块,然后第一个配置的就是NBW寄存器(HASH_SetLastWordValidBitsNbr函数)。后面的循环,用来将原始数据以32bits为单位,一点点压到寄存器中(HASH_DataIn函数)。由于数据并不一定正好按照32bits拆分完,所以循环的最后一次,究竟有多少bits是有效的,就要用NBW寄存器来指明了。最后给DCAL寄存器置位 ( HASH_StartDigest函数) ,表示原始数据已经传完,可以收尾了。延时等待硬件计算完成,就可以把结果拿出来(HASH_GetDigest函数),放到我们给的缓冲区中。
函数已经包装的很好了,只可惜直接拿来用还是用不了,明明固件库就是为了方便众人使用的,可是这个不能直接用,让人很无语啊……
好吧,其实只要在调用这个函数之前,使能某个总线的时钟即可:
RCC_AHB2PeriphClockCmd (RCC_AHB2Periph_HASH, ENABLE);算完之后,用同样的函数把时钟禁用,当然也可以不禁用。
接下来讨论byte和bit的区别。上文也说了,大多数HASH函数都是以byte为单位,固件库函数的Ilen参数就是指字节数,然后是 nbvalidbitsdata = 8 * (Ilen % 4); 这句,计算的是剩余的不够4个字节即不够32位的位数。明明NBW寄存器是可以精确到位的,但这里却只精确到字节。
下面改造这个函数,使其可以精确到位。注意,SHA1算法的字节顺序,是高位在前低位在后,也就是说,我们在原始数据的结尾,添上一些位,那么这些位要放置在字节的高位。改造后的函数如下:
ErrorStatus HASH_SHA1_bit(uint8_t *Input, uint32_t bit_Ilen, uint8_t Output[20])
{
HASH_InitTypeDef SHA1_HASH_InitStructure;
HASH_MsgDigest SHA1_MessageDigest;
__IO uint16_t nbvalidbitsdata = 0;
uint32_t i = 0;
__IO uint32_t counter = 0;
uint32_t busystatus = 0;
ErrorStatus status = SUCCESS;
uint32_t inputaddr = (uint32_t)Input;
uint32_t outputaddr = (uint32_t)Output;
/* Number of valid bits in last word of the Input data */
nbvalidbitsdata = bit_Ilen % 32; //8 * (Ilen % 4);
/* HASH peripheral initialization */
HASH_DeInit();
/* HASH Configuration */
SHA1_HASH_InitStructure.HASH_AlgoSelection = HASH_AlgoSelection_SHA1;
SHA1_HASH_InitStructure.HASH_AlgoMode = HASH_AlgoMode_HASH;
SHA1_HASH_InitStructure.HASH_DataType = HASH_DataType_8b;
HASH_Init(&SHA1_HASH_InitStructure);
/* Configure the number of valid bits in last word of the data */
HASH_SetLastWordValidBitsNbr(nbvalidbitsdata);
/* Write the Input block in the IN FIFO */
for(i=0; i<bit_Ilen; i+=4 * 8) // for(i=0; i<Ilen; i+=4)
{
HASH_DataIn(*(uint32_t*)inputaddr);
inputaddr+=4;
}
/* Start the HASH processor */
HASH_StartDigest();
/* wait until the Busy flag is RESET */
do
{
busystatus = HASH_GetFlagStatus(HASH_FLAG_BUSY);
counter++;
}while ((counter != SHA1BUSY_TIMEOUT) && (busystatus != RESET));
if (busystatus != RESET)
{
status = ERROR;
}
else
{
/* Read the message digest */
HASH_GetDigest(&SHA1_MessageDigest);
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[0]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[1]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[2]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[3]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[4]);
}
return status;
}
ErrorStatus HMAC_SHA1_bit(uint8_t *Key, uint32_t bit_Keylen, uint8_t *Input,
uint32_t bit_Ilen, uint8_t Output[20])
{
HASH_InitTypeDef SHA1_HASH_InitStructure;
HASH_MsgDigest SHA1_MessageDigest;
__IO uint16_t nbvalidbitsdata = 0;
__IO uint16_t nbvalidbitskey = 0;
uint32_t i = 0;
__IO uint32_t counter = 0;
uint32_t busystatus = 0;
ErrorStatus status = SUCCESS;
uint32_t keyaddr = (uint32_t)Key;
uint32_t inputaddr = (uint32_t)Input;
uint32_t outputaddr = (uint32_t)Output;
/* Number of valid bits in last word of the Input data */
nbvalidbitsdata = bit_Ilen % 32; // 8 * (Ilen % 4);
/* Number of valid bits in last word of the Key */
nbvalidbitskey = bit_Keylen % 32; // 8 * (Keylen % 4);
/* HASH peripheral initialization */
HASH_DeInit();
/* HASH Configuration */
SHA1_HASH_InitStructure.HASH_AlgoSelection = HASH_AlgoSelection_SHA1;
SHA1_HASH_InitStructure.HASH_AlgoMode = HASH_AlgoMode_HMAC;
SHA1_HASH_InitStructure.HASH_DataType = HASH_DataType_8b;
if(bit_Keylen > 64 * 8) // if(Keylen > 64)
{
/* HMAC long Key */
SHA1_HASH_InitStructure.HASH_HMACKeyType = HASH_HMACKeyType_LongKey;
}
else
{
/* HMAC short Key */
SHA1_HASH_InitStructure.HASH_HMACKeyType = HASH_HMACKeyType_ShortKey;
}
HASH_Init(&SHA1_HASH_InitStructure);
/* Configure the number of valid bits in last word of the Key */
HASH_SetLastWordValidBitsNbr(nbvalidbitskey);
/* Write the Key */
for(i=0; i<bit_Keylen; i+=4 * 8) // for(i=0; i<Keylen; i+=4)
{
HASH_DataIn(*(uint32_t*)keyaddr);
keyaddr+=4;
}
/* Start the HASH processor */
HASH_StartDigest();
/* wait until the Busy flag is RESET */
do
{
busystatus = HASH_GetFlagStatus(HASH_FLAG_BUSY);
counter++;
}while ((counter != SHA1BUSY_TIMEOUT) && (busystatus != RESET));
if (busystatus != RESET)
{
status = ERROR;
}
else
{
/* Configure the number of valid bits in last word of the Input data */
HASH_SetLastWordValidBitsNbr(nbvalidbitsdata);
/* Write the Input block in the IN FIFO */
for(i=0; i<bit_Ilen; i+=4 * 8) // for(i=0; i<Ilen; i+=4)
{
HASH_DataIn(*(uint32_t*)inputaddr);
inputaddr+=4;
}
/* Start the HASH processor */
HASH_StartDigest();
/* wait until the Busy flag is RESET */
counter =0;
do
{
busystatus = HASH_GetFlagStatus(HASH_FLAG_BUSY);
counter++;
}while ((counter != SHA1BUSY_TIMEOUT) && (busystatus != RESET));
if (busystatus != RESET)
{
status = ERROR;
}
else
{
/* Configure the number of valid bits in last word of the Key */
HASH_SetLastWordValidBitsNbr(nbvalidbitskey);
/* Write the Key */
keyaddr = (uint32_t)Key;
for(i=0; i<bit_Keylen; i+=4 * 8) // for(i=0; i<Keylen; i+=4)
{
HASH_DataIn(*(uint32_t*)keyaddr);
keyaddr+=4;
}
/* Start the HASH processor */
HASH_StartDigest();
/* wait until the Busy flag is RESET */
counter =0;
do
{
busystatus = HASH_GetFlagStatus(HASH_FLAG_BUSY);
counter++;
}while ((counter != SHA1BUSY_TIMEOUT) && (busystatus != RESET));
if (busystatus != RESET)
{
status = ERROR;
}
else
{
/* Read the message digest */
HASH_GetDigest(&SHA1_MessageDigest);
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[0]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[1]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[2]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[3]);
outputaddr+=4;
*(uint32_t*)(outputaddr) = __REV(SHA1_MessageDigest.Data[4]);
}
}
}
return status;
}
函数还是那么长,这里只说和固件库函数的区别,首先在函数名后面缀上
bit表示这俩函数可以对原始数据精确到bit,同时给参数中的长度,
Ilen和KeyLen也缀上bit,表示这俩参数也是以bit为单位。然后编译一下,所有有错误的行,都是要修改的地方,改起来只要注意把针对字节的计算和判断改成针对位的就行了。
接下来生成一组key和一组message,并选取各种不同的长度来进行测试。为了便于在IAR开发环境下查看HASH结果,用如下的函数专门把结果转换成十六进制字符串:
void out_to_hash( volatile char ref_hash[41], uint8_t Output[20] )
{
for (size_t i = 0; i < 20; i++)
{
const char *hex = "0123456789ABCDEF";
unsigned char ch = Output[i];
ref_hash[i * 2 + 0] = hex[(ch >> 4U) & 0x0F];
ref_hash[i * 2 + 1] = hex[(ch >> 0U) & 0x0F];
}
ref_hash[40] = 0;
return;
}
测试代码如下:
void hash_test( void )
{
uint8_t key[256] = "";
uint8_t message[256] = "";
for (size_t i = 0; i < 256; i++)
{
key[i] = 8 + i * 13;
message[i] = 3 + i * 5;
}
volatile char sha1_1b [41] = "";
volatile char sha1_5b [41] = "";
volatile char sha1_8b [41] = "";
volatile char sha1_13b [41] = "";
volatile char sha1_21b [41] = "";
volatile char sha1_34b [41] = "";
volatile char sha1_377b [41] = "";
volatile char sha1_610b [41] = "";
volatile char hmac_0b_sha1_0b [41] = "";
volatile char hmac_8b_sha1_8b [41] = "";
volatile char hmac_8b_sha1_13b [41] = "";
volatile char hmac_8b_sha1_610b [41] = "";
volatile char hmac_13b_sha1_8b [41] = "";
volatile char hmac_13b_sha1_13b [41] = "";
volatile char hmac_13b_sha1_610b [41] = "";
volatile char hmac_512b_sha1_8b [41] = "";
volatile char hmac_512b_sha1_13b [41] = "";
volatile char hmac_512b_sha1_610b[41] = "";
volatile char hmac_610b_sha1_8b [41] = "";
volatile char hmac_610b_sha1_13b [41] = "";
volatile char hmac_610b_sha1_610b[41] = "";
RCC_AHB2PeriphClockCmd (RCC_AHB2Periph_HASH, ENABLE);
uint8_t output[20] = "";
HASH_SHA1_bit (message, 1 , output); out_to_hash (sha1_1b , output);
HASH_SHA1_bit (message, 5 , output); out_to_hash (sha1_5b , output);
HASH_SHA1_bit (message, 8 , output); out_to_hash (sha1_8b , output);
HASH_SHA1_bit (message, 13 , output); out_to_hash (sha1_13b , output);
HASH_SHA1_bit (message, 21 , output); out_to_hash (sha1_21b , output);
HASH_SHA1_bit (message, 34 , output); out_to_hash (sha1_34b , output);
HASH_SHA1_bit (message, 377, output); out_to_hash (sha1_377b, output);
HASH_SHA1_bit (message, 610, output); out_to_hash (sha1_610b, output);
HMAC_SHA1_bit ("" , 8 , message, 0 , output); out_to_hash (hmac_0b_sha1_0b , output);
HMAC_SHA1_bit (key, 8 , message, 8 , output); out_to_hash (hmac_8b_sha1_8b , output);
HMAC_SHA1_bit (key, 8 , message, 13 , output); out_to_hash (hmac_8b_sha1_13b , output);
HMAC_SHA1_bit (key, 8 , message, 610, output); out_to_hash (hmac_8b_sha1_610b , output);
HMAC_SHA1_bit (key, 13 , message, 8 , output); out_to_hash (hmac_13b_sha1_8b , output);
HMAC_SHA1_bit (key, 13 , message, 13 , output); out_to_hash (hmac_13b_sha1_13b , output);
HMAC_SHA1_bit (key, 13 , message, 610, output); out_to_hash (hmac_13b_sha1_610b , output);
HMAC_SHA1_bit (key, 512, message, 8 , output); out_to_hash (hmac_512b_sha1_8b , output);
HMAC_SHA1_bit (key, 512, message, 13 , output); out_to_hash (hmac_512b_sha1_13b , output);
HMAC_SHA1_bit (key, 512, message, 610, output); out_to_hash (hmac_512b_sha1_610b, output);
HMAC_SHA1_bit (key, 610, message, 8 , output); out_to_hash (hmac_610b_sha1_8b , output);
HMAC_SHA1_bit (key, 610, message, 13 , output); out_to_hash (hmac_610b_sha1_13b , output);
HMAC_SHA1_bit (key, 610, message, 610, output); out_to_hash (hmac_610b_sha1_610b, output);
return;
}测试时要注意,key的长度可以是零,但硬件不认,算出来的HMAC值也只是简单的160个bit的零。考虑到(key | pad)的特点,只要在512bits长度之内,key后面缀多少个零都是等效的,所以这个key用8bits的零来代替了。测试结果如下:
虽然不知道算得对不对,但看起来挺像那么回事的。