From f73634d17c9af8a9df602602bf3e3964e955a3ad Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Mon, 4 Jun 2012 16:31:40 +0900
Subject: [PATCH] Implement CRC32 check

---
 ChangeLog            |  7 ++++
 regnual/regnual.c    | 46 ++++++++++++++++++----
 src/usb_ctrl.c       | 36 ++++++++++++-----
 tool/gnuk_upgrade.py | 92 ++++++++++++++++++++++++++++++++++++++++++--
 4 files changed, 159 insertions(+), 22 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e82d5ca..5043cfa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2012-06-04  Niibe Yutaka  <gniibe@fsij.org>
 
+	Implement CRC32 check for firmware update.
+	* src/usb_ctrl.c (download_check_crc32): New.
+	* regnual/regnual.c (calc_crc32): New.
+	(regnual_ctrl_write_finish): Call calc_crc32.
+	* tool/gnuk_upgrade.py (crc32): New.
+	(regnual.download): Check crc32code.
+
 	* regnual/regnual.c (regnual_ctrl_write_finish): Bug fix.
 
 2012-06-01  Niibe Yutaka  <gniibe@fsij.org>
diff --git a/regnual/regnual.c b/regnual/regnual.c
index 66603c9..eecf698 100644
--- a/regnual/regnual.c
+++ b/regnual/regnual.c
@@ -147,28 +147,58 @@ static uint32_t result;
 static const uint8_t *const mem_info[] = { &_flash_start,  &_flash_end, };
 
 
+static uint32_t fetch (int i)
+{
+  uint32_t r;
+
+  r = (mem[i*4] << 24) | (mem[i*4+1] << 16) | (mem[i*4+2] << 8) | mem[i*4+3];
+  return r;
+}
+
+struct CRC {
+  __IO uint32_t DR;
+  __IO uint8_t  IDR;
+  uint8_t   RESERVED0;
+  uint16_t  RESERVED1;
+  __IO uint32_t CR;
+};
+
+#define  CRC_CR_RESET 0x01
+static uint32_t calc_crc32 (void)
+{
+  struct CRC *CRC = (struct CRC *)0x40023000;
+  int i;
+
+  CRC->CR = CRC_CR_RESET;
+
+  for (i = 0; i < 256/4; i++)
+    CRC->DR = fetch (i);
+
+  return CRC->DR;
+}
+
+
 static void regnual_ctrl_write_finish (uint8_t req, uint8_t req_no,
 				    uint16_t value, uint16_t index,
 				    uint16_t len)
 {
   uint8_t type_rcp = req & (REQUEST_TYPE|RECIPIENT);
 
-  if (type_rcp == (VENDOR_REQUEST | DEVICE_RECIPIENT)
-      && USB_SETUP_SET (req) && len == 0)
+  if (type_rcp == (VENDOR_REQUEST | DEVICE_RECIPIENT) && USB_SETUP_SET (req))
     {
       if (req_no == USB_REGNUAL_SEND && value == 0)
-	{
-	  result = 0;		// calculate crc32 here!!!
-	}
-      else if (req_no == USB_REGNUAL_FLASH && index == 0)
+	result = calc_crc32 ();
+      else if (req_no == USB_REGNUAL_FLASH && len == 0 && index == 0)
 	{
 	  uint32_t dst_addr = (0x08000000 + value * 0x100);
 
 	  result = flash_write (dst_addr, mem, 256);
 	}
-      else if (req_no == USB_REGNUAL_PROTECT && value == 0 && index == 0)
+      else if (req_no == USB_REGNUAL_PROTECT && len == 0
+	       && value == 0 && index == 0)
 	result = flash_protect ();
-      else if (req_no == USB_REGNUAL_FINISH && value == 0 && index == 0)
+      else if (req_no == USB_REGNUAL_FINISH && len == 0
+	       && value == 0 && index == 0)
 	nvic_system_reset ();
     }
 }
diff --git a/src/usb_ctrl.c b/src/usb_ctrl.c
index 9c80e78..f43f229 100644
--- a/src/usb_ctrl.c
+++ b/src/usb_ctrl.c
@@ -26,6 +26,7 @@
 
 #include "config.h"
 #include "ch.h"
+#include "hal.h"
 #include "usb_lld.h"
 #include "usb_conf.h"
 #include "gnuk.h"
@@ -187,17 +188,30 @@ static const uint8_t *const mem_info[] = { &_regnual_start,  &__heap_end__, };
 #define USB_FSIJ_GNUK_DOWNLOAD 1
 #define USB_FSIJ_GNUK_EXEC     2
 
-static int download_check_crc32 (const uint8_t *p)
+static uint32_t reverse32 (uint32_t v)
 {
-  uint32_t crc32 = 0;
+  uint32_t r;
 
-  crc32 += (*--p << 24);
-  crc32 += (*--p << 16);
-  crc32 += (*--p << 8);
-  crc32 += (*--p);
+  r = (v << 24) | ((v & 0xff00) << 8) | ((v & 0xff0000) >> 8) | (v >> 24);
+  return r;
+}
 
-  /* Not yet: Calculate crc32 from &_regnual_start to p, then compare */
-  return USB_SUCCESS;
+/* After calling this function, CRC module remain enabled.  */
+static int download_check_crc32 (const uint32_t *end_p)
+{
+  uint32_t crc32 = *end_p;
+  const uint32_t *p;
+
+  RCC->AHBENR |= RCC_AHBENR_CRCEN;
+  CRC->CR = CRC_CR_RESET;
+
+  for (p = (const uint32_t *)&_regnual_start; p < end_p; p++)
+    CRC->DR = reverse32 (*p);
+
+  if ((CRC->DR ^ crc32) == 0xffffffff)
+    return USB_SUCCESS;
+
+  return USB_UNSUPPORT;
 }
 
 static int
@@ -239,8 +253,10 @@ gnuk_setup (uint8_t req, uint8_t req_no,
 	      if (icc_state_p == NULL || *icc_state_p != ICC_STATE_EXITED)
 		return USB_UNSUPPORT;
 
-	      /* There is a trailer at addr: crc32 */
-	      return download_check_crc32 (addr);
+	      if (((uint32_t)addr & 0x03))
+		return USB_UNSUPPORT;
+
+	      return download_check_crc32 ((uint32_t *)addr);
 	    }
 	}
     }
diff --git a/tool/gnuk_upgrade.py b/tool/gnuk_upgrade.py
index 9677a01..18ed48b 100755
--- a/tool/gnuk_upgrade.py
+++ b/tool/gnuk_upgrade.py
@@ -83,6 +83,13 @@ class regnual:
                                         value = 0, index = 0,
                                         buffer = data[j*256:j*256+256],
                                         timeout = 10000)
+            crc32code = crc32(data[j*256:j*256+256], 0xffffffff)
+            res = self.__devhandle.controlMsg(requestType = 0xc0, request = 2,
+                                              value = 0, index = 0, buffer = 4,
+                                              timeout = 10000)
+            r_value = ((res[3]*256 + res[2])*256 + res[1])*256 + res[0]
+            if (crc32code ^ r_value) != 0xffffffff:
+                print "failure"
             self.__devhandle.controlMsg(requestType = 0x40, request = 3,
                                         value = i, index = 0,
                                         buffer = None,
@@ -104,6 +111,13 @@ class regnual:
                                         value = 0, index = 0,
                                         buffer = data[j*256:],
                                         timeout = 10000)
+            crc32code = crc32(data[j*256:].ljust(256,chr(255)), 0xffffffff)
+            res = self.__devhandle.controlMsg(requestType = 0xc0, request = 2,
+                                              value = 0, index = 0, buffer = 4,
+                                              timeout = 10000)
+            r_value = ((res[3]*256 + res[2])*256 + res[1])*256 + res[0]
+            if (crc32code ^ r_value) != 0xffffffff:
+                print "failure"
             self.__devhandle.controlMsg(requestType = 0x40, request = 3,
                                         value = i, index = 0,
                                         buffer = None,
@@ -397,9 +411,79 @@ def gpg_sign(keygrip, hash):
         raise ValueError, binascii.hexlify(signed)
     return signed
 
-def main(keygrip, data_regnual, data_upgrade):
-    data_regnual += pack('<i', binascii.crc32(data_regnual))
+crctab = [ 0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc,
+           0x17c56b6b, 0x1a864db2, 0x1e475005, 0x2608edb8, 0x22c9f00f,
+           0x2f8ad6d6, 0x2b4bcb61, 0x350c9b64, 0x31cd86d3, 0x3c8ea00a,
+           0x384fbdbd, 0x4c11db70, 0x48d0c6c7, 0x4593e01e, 0x4152fda9,
+           0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75, 0x6a1936c8,
+           0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3,
+           0x709f7b7a, 0x745e66cd, 0x9823b6e0, 0x9ce2ab57, 0x91a18d8e,
+           0x95609039, 0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5,
+           0xbe2b5b58, 0xbaea46ef, 0xb7a96036, 0xb3687d81, 0xad2f2d84,
+           0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d, 0xd4326d90, 0xd0f37027,
+           0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb, 0xceb42022,
+           0xca753d95, 0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1,
+           0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d, 0x34867077,
+           0x30476dc0, 0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c,
+           0x2e003dc5, 0x2ac12072, 0x128e9dcf, 0x164f8078, 0x1b0ca6a1,
+           0x1fcdbb16, 0x018aeb13, 0x054bf6a4, 0x0808d07d, 0x0cc9cdca,
+           0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde, 0x6b93dddb,
+           0x6f52c06c, 0x6211e6b5, 0x66d0fb02, 0x5e9f46bf, 0x5a5e5b08,
+           0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d,
+           0x40d816ba, 0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e,
+           0xbfa1b04b, 0xbb60adfc, 0xb6238b25, 0xb2e29692, 0x8aad2b2f,
+           0x8e6c3698, 0x832f1041, 0x87ee0df6, 0x99a95df3, 0x9d684044,
+           0x902b669d, 0x94ea7b2a, 0xe0b41de7, 0xe4750050, 0xe9362689,
+           0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2,
+           0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683,
+           0xd1799b34, 0xdc3abded, 0xd8fba05a, 0x690ce0ee, 0x6dcdfd59,
+           0x608edb80, 0x644fc637, 0x7a089632, 0x7ec98b85, 0x738aad5c,
+           0x774bb0eb, 0x4f040d56, 0x4bc510e1, 0x46863638, 0x42472b8f,
+           0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53, 0x251d3b9e,
+           0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5,
+           0x3f9b762c, 0x3b5a6b9b, 0x0315d626, 0x07d4cb91, 0x0a97ed48,
+           0x0e56f0ff, 0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623,
+           0xf12f560e, 0xf5ee4bb9, 0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2,
+           0xe6ea3d65, 0xeba91bbc, 0xef68060b, 0xd727bbb6, 0xd3e6a601,
+           0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd, 0xcda1f604,
+           0xc960ebb3, 0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7,
+           0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b, 0x9b3660c6,
+           0x9ff77d71, 0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad,
+           0x81b02d74, 0x857130c3, 0x5d8a9099, 0x594b8d2e, 0x5408abf7,
+           0x50c9b640, 0x4e8ee645, 0x4a4ffbf2, 0x470cdd2b, 0x43cdc09c,
+           0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8, 0x68860bfd,
+           0x6c47164a, 0x61043093, 0x65c52d24, 0x119b4be9, 0x155a565e,
+           0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b,
+           0x0fdc1bec, 0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088,
+           0x2497d08d, 0x2056cd3a, 0x2d15ebe3, 0x29d4f654, 0xc5a92679,
+           0xc1683bce, 0xcc2b1d17, 0xc8ea00a0, 0xd6ad50a5, 0xd26c4d12,
+           0xdf2f6bcb, 0xdbee767c, 0xe3a1cbc1, 0xe760d676, 0xea23f0af,
+           0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4,
+           0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5,
+           0x9e7d9662, 0x933eb0bb, 0x97ffad0c, 0xafb010b1, 0xab710d06,
+           0xa6322bdf, 0xa2f33668, 0xbcb4666d, 0xb8757bda, 0xb5365d03,
+           0xb1f740b4 ]
 
+def UNSIGNED(n):
+    return n & 0xffffffff
+
+# (1) Alas, zlib.crc32 (== binascii.crc32) uses same polynomial, but in a
+#     different way of endian-ness.
+# (2) POSIX cksum command uses same calculation, but the initial value
+#     is different.
+def crc32(bytestr, crc):
+    for b in bytestr:
+        idx = (crc>>24)^ord(b)
+        crc = UNSIGNED((crc << 8)) ^ crctab[idx]
+    return UNSIGNED(~crc)
+
+def main(keygrip, data_regnual, data_upgrade):
+    l = len(data_regnual)
+    if (l & 0x03) != 0:
+        data_regnual = data_regnual.ljust(l + 4 - (l & 0x03), chr(0))
+    crc32code = crc32(data_regnual, 0xffffffff)
+    print "CRC32: %04x\n" % crc32code
+    data_regnual += pack('<I', crc32code)
     for (dev, config, intf) in ccid_devices():
         try:
             icc = gnuk_token(dev, config, intf)
@@ -423,9 +507,9 @@ def main(keygrip, data_regnual, data_upgrade):
     print "Downloading flash upgrade program..."
     icc.download(mem_info[0], data_regnual)
     print "Run flash upgrade program..."
-    icc.execute(mem_info[1] + len(data_regnual))
+    icc.execute(mem_info[0] + len(data_regnual) - 4)
     #
-    time.sleep(2)
+    time.sleep(3)
     icc.reset_device()
     del icc
     icc = None