1 /*
2 * Heiko Schocher, DENX Software Engineering, hs@denx.de.
3 * based on:
4 * FIPS-180-1 compliant SHA-1 implementation
5 *
6 * Copyright (C) 2003-2006 Christophe Devine
7 *
8 * SPDX-License-Identifier: LGPL-2.1
9 */
10 /*
11 * The SHA-1 standard was published by NIST in 1993.
12 *
13 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
14 */
15
16 #ifndef _CRT_SECURE_NO_DEPRECATE
17 #define _CRT_SECURE_NO_DEPRECATE 1
18 #endif
19
20 #ifndef USE_HOSTCC
21 #include <common.h>
22 #include <linux/string.h>
23 #else
24 #include <string.h>
25 #endif /* USE_HOSTCC */
26 #include <watchdog.h>
27 #include <u-boot/sha1.h>
28
29 #include <linux/compiler.h>
30
31 #ifdef USE_HOSTCC
32 #undef __weak
33 #define __weak
34 #undef __maybe_unused
35 #define __maybe_unused
36 #endif
37
38 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
39 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
40 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
41 };
42
43 /*
44 * 32-bit integer manipulation macros (big endian)
45 */
46 #ifndef GET_UINT32_BE
47 #define GET_UINT32_BE(n,b,i) { \
48 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
49 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
50 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
51 | ( (unsigned long) (b)[(i) + 3] ); \
52 }
53 #endif
54 #ifndef PUT_UINT32_BE
55 #define PUT_UINT32_BE(n,b,i) { \
56 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
57 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
59 (b)[(i) + 3] = (unsigned char) ( (n) ); \
60 }
61 #endif
62
63 /*
64 * SHA-1 context setup
65 */
sha1_starts(sha1_context * ctx)66 void sha1_starts (sha1_context * ctx)
67 {
68 ctx->total[0] = 0;
69 ctx->total[1] = 0;
70
71 ctx->state[0] = 0x67452301;
72 ctx->state[1] = 0xEFCDAB89;
73 ctx->state[2] = 0x98BADCFE;
74 ctx->state[3] = 0x10325476;
75 ctx->state[4] = 0xC3D2E1F0;
76 }
77
sha1_process_one(sha1_context * ctx,const unsigned char data[64])78 static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64])
79 {
80 unsigned long temp, W[16], A, B, C, D, E;
81
82 GET_UINT32_BE (W[0], data, 0);
83 GET_UINT32_BE (W[1], data, 4);
84 GET_UINT32_BE (W[2], data, 8);
85 GET_UINT32_BE (W[3], data, 12);
86 GET_UINT32_BE (W[4], data, 16);
87 GET_UINT32_BE (W[5], data, 20);
88 GET_UINT32_BE (W[6], data, 24);
89 GET_UINT32_BE (W[7], data, 28);
90 GET_UINT32_BE (W[8], data, 32);
91 GET_UINT32_BE (W[9], data, 36);
92 GET_UINT32_BE (W[10], data, 40);
93 GET_UINT32_BE (W[11], data, 44);
94 GET_UINT32_BE (W[12], data, 48);
95 GET_UINT32_BE (W[13], data, 52);
96 GET_UINT32_BE (W[14], data, 56);
97 GET_UINT32_BE (W[15], data, 60);
98
99 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
100
101 #define R(t) ( \
102 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
103 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \
104 ( W[t & 0x0F] = S(temp,1) ) \
105 )
106
107 #define P(a,b,c,d,e,x) { \
108 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
109 }
110
111 A = ctx->state[0];
112 B = ctx->state[1];
113 C = ctx->state[2];
114 D = ctx->state[3];
115 E = ctx->state[4];
116
117 #define F(x,y,z) (z ^ (x & (y ^ z)))
118 #define K 0x5A827999
119
120 P (A, B, C, D, E, W[0]);
121 P (E, A, B, C, D, W[1]);
122 P (D, E, A, B, C, W[2]);
123 P (C, D, E, A, B, W[3]);
124 P (B, C, D, E, A, W[4]);
125 P (A, B, C, D, E, W[5]);
126 P (E, A, B, C, D, W[6]);
127 P (D, E, A, B, C, W[7]);
128 P (C, D, E, A, B, W[8]);
129 P (B, C, D, E, A, W[9]);
130 P (A, B, C, D, E, W[10]);
131 P (E, A, B, C, D, W[11]);
132 P (D, E, A, B, C, W[12]);
133 P (C, D, E, A, B, W[13]);
134 P (B, C, D, E, A, W[14]);
135 P (A, B, C, D, E, W[15]);
136 P (E, A, B, C, D, R (16));
137 P (D, E, A, B, C, R (17));
138 P (C, D, E, A, B, R (18));
139 P (B, C, D, E, A, R (19));
140
141 #undef K
142 #undef F
143
144 #define F(x,y,z) (x ^ y ^ z)
145 #define K 0x6ED9EBA1
146
147 P (A, B, C, D, E, R (20));
148 P (E, A, B, C, D, R (21));
149 P (D, E, A, B, C, R (22));
150 P (C, D, E, A, B, R (23));
151 P (B, C, D, E, A, R (24));
152 P (A, B, C, D, E, R (25));
153 P (E, A, B, C, D, R (26));
154 P (D, E, A, B, C, R (27));
155 P (C, D, E, A, B, R (28));
156 P (B, C, D, E, A, R (29));
157 P (A, B, C, D, E, R (30));
158 P (E, A, B, C, D, R (31));
159 P (D, E, A, B, C, R (32));
160 P (C, D, E, A, B, R (33));
161 P (B, C, D, E, A, R (34));
162 P (A, B, C, D, E, R (35));
163 P (E, A, B, C, D, R (36));
164 P (D, E, A, B, C, R (37));
165 P (C, D, E, A, B, R (38));
166 P (B, C, D, E, A, R (39));
167
168 #undef K
169 #undef F
170
171 #define F(x,y,z) ((x & y) | (z & (x | y)))
172 #define K 0x8F1BBCDC
173
174 P (A, B, C, D, E, R (40));
175 P (E, A, B, C, D, R (41));
176 P (D, E, A, B, C, R (42));
177 P (C, D, E, A, B, R (43));
178 P (B, C, D, E, A, R (44));
179 P (A, B, C, D, E, R (45));
180 P (E, A, B, C, D, R (46));
181 P (D, E, A, B, C, R (47));
182 P (C, D, E, A, B, R (48));
183 P (B, C, D, E, A, R (49));
184 P (A, B, C, D, E, R (50));
185 P (E, A, B, C, D, R (51));
186 P (D, E, A, B, C, R (52));
187 P (C, D, E, A, B, R (53));
188 P (B, C, D, E, A, R (54));
189 P (A, B, C, D, E, R (55));
190 P (E, A, B, C, D, R (56));
191 P (D, E, A, B, C, R (57));
192 P (C, D, E, A, B, R (58));
193 P (B, C, D, E, A, R (59));
194
195 #undef K
196 #undef F
197
198 #define F(x,y,z) (x ^ y ^ z)
199 #define K 0xCA62C1D6
200
201 P (A, B, C, D, E, R (60));
202 P (E, A, B, C, D, R (61));
203 P (D, E, A, B, C, R (62));
204 P (C, D, E, A, B, R (63));
205 P (B, C, D, E, A, R (64));
206 P (A, B, C, D, E, R (65));
207 P (E, A, B, C, D, R (66));
208 P (D, E, A, B, C, R (67));
209 P (C, D, E, A, B, R (68));
210 P (B, C, D, E, A, R (69));
211 P (A, B, C, D, E, R (70));
212 P (E, A, B, C, D, R (71));
213 P (D, E, A, B, C, R (72));
214 P (C, D, E, A, B, R (73));
215 P (B, C, D, E, A, R (74));
216 P (A, B, C, D, E, R (75));
217 P (E, A, B, C, D, R (76));
218 P (D, E, A, B, C, R (77));
219 P (C, D, E, A, B, R (78));
220 P (B, C, D, E, A, R (79));
221
222 #undef K
223 #undef F
224
225 ctx->state[0] += A;
226 ctx->state[1] += B;
227 ctx->state[2] += C;
228 ctx->state[3] += D;
229 ctx->state[4] += E;
230 }
231
sha1_process(sha1_context * ctx,const unsigned char * data,unsigned int blocks)232 __weak void sha1_process(sha1_context *ctx, const unsigned char *data,
233 unsigned int blocks)
234 {
235 if (!blocks)
236 return;
237
238 while (blocks--) {
239 sha1_process_one(ctx, data);
240 data += 64;
241 }
242 }
243
244 /*
245 * SHA-1 process buffer
246 */
sha1_update(sha1_context * ctx,const unsigned char * input,unsigned int ilen)247 void sha1_update(sha1_context *ctx, const unsigned char *input,
248 unsigned int ilen)
249 {
250 int fill;
251 unsigned long left;
252
253 if (ilen <= 0)
254 return;
255
256 left = ctx->total[0] & 0x3F;
257 fill = 64 - left;
258
259 ctx->total[0] += ilen;
260 ctx->total[0] &= 0xFFFFFFFF;
261
262 if (ctx->total[0] < (unsigned long) ilen)
263 ctx->total[1]++;
264
265 if (left && ilen >= fill) {
266 memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
267 sha1_process(ctx, ctx->buffer, 1);
268 input += fill;
269 ilen -= fill;
270 left = 0;
271 }
272
273 sha1_process(ctx, input, ilen / 64);
274 input += ilen / 64 * 64;
275 ilen = ilen % 64;
276
277 if (ilen > 0) {
278 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
279 }
280 }
281
282 static const unsigned char sha1_padding[64] = {
283 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
284 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
285 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
286 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
287 };
288
289 /*
290 * SHA-1 final digest
291 */
sha1_finish(sha1_context * ctx,unsigned char output[20])292 void sha1_finish (sha1_context * ctx, unsigned char output[20])
293 {
294 unsigned long last, padn;
295 unsigned long high, low;
296 unsigned char msglen[8];
297
298 high = (ctx->total[0] >> 29)
299 | (ctx->total[1] << 3);
300 low = (ctx->total[0] << 3);
301
302 PUT_UINT32_BE (high, msglen, 0);
303 PUT_UINT32_BE (low, msglen, 4);
304
305 last = ctx->total[0] & 0x3F;
306 padn = (last < 56) ? (56 - last) : (120 - last);
307
308 sha1_update (ctx, (unsigned char *) sha1_padding, padn);
309 sha1_update (ctx, msglen, 8);
310
311 PUT_UINT32_BE (ctx->state[0], output, 0);
312 PUT_UINT32_BE (ctx->state[1], output, 4);
313 PUT_UINT32_BE (ctx->state[2], output, 8);
314 PUT_UINT32_BE (ctx->state[3], output, 12);
315 PUT_UINT32_BE (ctx->state[4], output, 16);
316 }
317
318 /*
319 * Output = SHA-1( input buffer )
320 */
sha1_csum(const unsigned char * input,unsigned int ilen,unsigned char * output)321 void sha1_csum(const unsigned char *input, unsigned int ilen,
322 unsigned char *output)
323 {
324 sha1_context ctx;
325
326 sha1_starts (&ctx);
327 sha1_update (&ctx, input, ilen);
328 sha1_finish (&ctx, output);
329 }
330
331 /*
332 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
333 * bytes of input processed.
334 */
sha1_csum_wd(const unsigned char * input,unsigned int ilen,unsigned char * output,unsigned int chunk_sz)335 void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
336 unsigned char *output, unsigned int chunk_sz)
337 {
338 sha1_context ctx;
339 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
340 const unsigned char *end, *curr;
341 int chunk;
342 #endif
343
344 sha1_starts (&ctx);
345
346 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
347 curr = input;
348 end = input + ilen;
349 while (curr < end) {
350 chunk = end - curr;
351 if (chunk > chunk_sz)
352 chunk = chunk_sz;
353 sha1_update (&ctx, curr, chunk);
354 curr += chunk;
355 WATCHDOG_RESET ();
356 }
357 #else
358 sha1_update (&ctx, input, ilen);
359 #endif
360
361 sha1_finish (&ctx, output);
362 }
363
364 /*
365 * Output = HMAC-SHA-1( input buffer, hmac key )
366 */
sha1_hmac(const unsigned char * key,int keylen,const unsigned char * input,unsigned int ilen,unsigned char * output)367 void sha1_hmac(const unsigned char *key, int keylen,
368 const unsigned char *input, unsigned int ilen,
369 unsigned char *output)
370 {
371 int i;
372 sha1_context ctx;
373 unsigned char k_ipad[64];
374 unsigned char k_opad[64];
375 unsigned char tmpbuf[20];
376
377 memset (k_ipad, 0x36, 64);
378 memset (k_opad, 0x5C, 64);
379
380 for (i = 0; i < keylen; i++) {
381 if (i >= 64)
382 break;
383
384 k_ipad[i] ^= key[i];
385 k_opad[i] ^= key[i];
386 }
387
388 sha1_starts (&ctx);
389 sha1_update (&ctx, k_ipad, 64);
390 sha1_update (&ctx, input, ilen);
391 sha1_finish (&ctx, tmpbuf);
392
393 sha1_starts (&ctx);
394 sha1_update (&ctx, k_opad, 64);
395 sha1_update (&ctx, tmpbuf, 20);
396 sha1_finish (&ctx, output);
397
398 memset (k_ipad, 0, 64);
399 memset (k_opad, 0, 64);
400 memset (tmpbuf, 0, 20);
401 memset (&ctx, 0, sizeof (sha1_context));
402 }
403
404 #ifdef SELF_TEST
405 /*
406 * FIPS-180-1 test vectors
407 */
408 static const char sha1_test_str[3][57] = {
409 {"abc"},
410 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
411 {""}
412 };
413
414 static const unsigned char sha1_test_sum[3][20] = {
415 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
416 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
417 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
418 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
419 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
420 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
421 };
422
423 /*
424 * Checkup routine
425 */
sha1_self_test(void)426 int sha1_self_test (void)
427 {
428 int i, j;
429 unsigned char buf[1000];
430 unsigned char sha1sum[20];
431 sha1_context ctx;
432
433 for (i = 0; i < 3; i++) {
434 printf (" SHA-1 test #%d: ", i + 1);
435
436 sha1_starts (&ctx);
437
438 if (i < 2)
439 sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
440 strlen (sha1_test_str[i]));
441 else {
442 memset (buf, 'a', 1000);
443 for (j = 0; j < 1000; j++)
444 sha1_update (&ctx, buf, 1000);
445 }
446
447 sha1_finish (&ctx, sha1sum);
448
449 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
450 printf ("failed\n");
451 return (1);
452 }
453
454 printf ("passed\n");
455 }
456
457 printf ("\n");
458 return (0);
459 }
460 #else
sha1_self_test(void)461 int sha1_self_test (void)
462 {
463 return (0);
464 }
465 #endif
466