1 /*
2 * Heiko Schocher, DENX Software Engineering, hs@denx.de.
3 * based on:
4 * FIPS-180-1 compliant SHA-1 implementation
5 *
6 * Copyright (C) 2003-2006 Christophe Devine
7 *
8 * SPDX-License-Identifier: LGPL-2.1
9 */
10 /*
11 * The SHA-1 standard was published by NIST in 1993.
12 *
13 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
14 */
15
16 #ifndef _CRT_SECURE_NO_DEPRECATE
17 #define _CRT_SECURE_NO_DEPRECATE 1
18 #endif
19
20 #ifndef USE_HOSTCC
21 #include <common.h>
22 #include <linux/string.h>
23 #include <crypto.h>
24 #else
25 #include <string.h>
26 #endif /* USE_HOSTCC */
27 #include <watchdog.h>
28 #include <u-boot/sha1.h>
29
30 #include <linux/compiler.h>
31
32 #ifdef USE_HOSTCC
33 #undef __weak
34 #define __weak
35 #undef __maybe_unused
36 #define __maybe_unused
37 #endif
38
39 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
40 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
41 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
42 };
43
44 /*
45 * 32-bit integer manipulation macros (big endian)
46 */
47 #ifndef GET_UINT32_BE
48 #define GET_UINT32_BE(n,b,i) { \
49 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
50 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
51 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
52 | ( (unsigned long) (b)[(i) + 3] ); \
53 }
54 #endif
55 #ifndef PUT_UINT32_BE
56 #define PUT_UINT32_BE(n,b,i) { \
57 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) ); \
61 }
62 #endif
63
64 /*
65 * SHA-1 context setup
66 */
sha1_starts(sha1_context * ctx)67 void sha1_starts (sha1_context * ctx)
68 {
69 #if !defined(USE_HOSTCC)
70 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO)
71 sha_context cctx;
72 u32 algo = CRYPTO_SHA1;
73
74 ctx->cdev = NULL;
75 if (ctx->length) {
76 ctx->cdev = crypto_get_device(algo);
77 if (ctx->cdev) {
78 cctx.algo = algo;
79 cctx.length = ctx->length;
80 crypto_sha_init(ctx->cdev, &cctx);
81 return;
82 }
83 }
84 #endif
85 #endif
86 ctx->total[0] = 0;
87 ctx->total[1] = 0;
88
89 ctx->state[0] = 0x67452301;
90 ctx->state[1] = 0xEFCDAB89;
91 ctx->state[2] = 0x98BADCFE;
92 ctx->state[3] = 0x10325476;
93 ctx->state[4] = 0xC3D2E1F0;
94 }
95
sha1_process_one(sha1_context * ctx,const unsigned char data[64])96 static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64])
97 {
98 unsigned long temp, W[16], A, B, C, D, E;
99
100 GET_UINT32_BE (W[0], data, 0);
101 GET_UINT32_BE (W[1], data, 4);
102 GET_UINT32_BE (W[2], data, 8);
103 GET_UINT32_BE (W[3], data, 12);
104 GET_UINT32_BE (W[4], data, 16);
105 GET_UINT32_BE (W[5], data, 20);
106 GET_UINT32_BE (W[6], data, 24);
107 GET_UINT32_BE (W[7], data, 28);
108 GET_UINT32_BE (W[8], data, 32);
109 GET_UINT32_BE (W[9], data, 36);
110 GET_UINT32_BE (W[10], data, 40);
111 GET_UINT32_BE (W[11], data, 44);
112 GET_UINT32_BE (W[12], data, 48);
113 GET_UINT32_BE (W[13], data, 52);
114 GET_UINT32_BE (W[14], data, 56);
115 GET_UINT32_BE (W[15], data, 60);
116
117 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
118
119 #define R(t) ( \
120 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
121 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \
122 ( W[t & 0x0F] = S(temp,1) ) \
123 )
124
125 #define P(a,b,c,d,e,x) { \
126 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
127 }
128
129 A = ctx->state[0];
130 B = ctx->state[1];
131 C = ctx->state[2];
132 D = ctx->state[3];
133 E = ctx->state[4];
134
135 #define F(x,y,z) (z ^ (x & (y ^ z)))
136 #define K 0x5A827999
137
138 P (A, B, C, D, E, W[0]);
139 P (E, A, B, C, D, W[1]);
140 P (D, E, A, B, C, W[2]);
141 P (C, D, E, A, B, W[3]);
142 P (B, C, D, E, A, W[4]);
143 P (A, B, C, D, E, W[5]);
144 P (E, A, B, C, D, W[6]);
145 P (D, E, A, B, C, W[7]);
146 P (C, D, E, A, B, W[8]);
147 P (B, C, D, E, A, W[9]);
148 P (A, B, C, D, E, W[10]);
149 P (E, A, B, C, D, W[11]);
150 P (D, E, A, B, C, W[12]);
151 P (C, D, E, A, B, W[13]);
152 P (B, C, D, E, A, W[14]);
153 P (A, B, C, D, E, W[15]);
154 P (E, A, B, C, D, R (16));
155 P (D, E, A, B, C, R (17));
156 P (C, D, E, A, B, R (18));
157 P (B, C, D, E, A, R (19));
158
159 #undef K
160 #undef F
161
162 #define F(x,y,z) (x ^ y ^ z)
163 #define K 0x6ED9EBA1
164
165 P (A, B, C, D, E, R (20));
166 P (E, A, B, C, D, R (21));
167 P (D, E, A, B, C, R (22));
168 P (C, D, E, A, B, R (23));
169 P (B, C, D, E, A, R (24));
170 P (A, B, C, D, E, R (25));
171 P (E, A, B, C, D, R (26));
172 P (D, E, A, B, C, R (27));
173 P (C, D, E, A, B, R (28));
174 P (B, C, D, E, A, R (29));
175 P (A, B, C, D, E, R (30));
176 P (E, A, B, C, D, R (31));
177 P (D, E, A, B, C, R (32));
178 P (C, D, E, A, B, R (33));
179 P (B, C, D, E, A, R (34));
180 P (A, B, C, D, E, R (35));
181 P (E, A, B, C, D, R (36));
182 P (D, E, A, B, C, R (37));
183 P (C, D, E, A, B, R (38));
184 P (B, C, D, E, A, R (39));
185
186 #undef K
187 #undef F
188
189 #define F(x,y,z) ((x & y) | (z & (x | y)))
190 #define K 0x8F1BBCDC
191
192 P (A, B, C, D, E, R (40));
193 P (E, A, B, C, D, R (41));
194 P (D, E, A, B, C, R (42));
195 P (C, D, E, A, B, R (43));
196 P (B, C, D, E, A, R (44));
197 P (A, B, C, D, E, R (45));
198 P (E, A, B, C, D, R (46));
199 P (D, E, A, B, C, R (47));
200 P (C, D, E, A, B, R (48));
201 P (B, C, D, E, A, R (49));
202 P (A, B, C, D, E, R (50));
203 P (E, A, B, C, D, R (51));
204 P (D, E, A, B, C, R (52));
205 P (C, D, E, A, B, R (53));
206 P (B, C, D, E, A, R (54));
207 P (A, B, C, D, E, R (55));
208 P (E, A, B, C, D, R (56));
209 P (D, E, A, B, C, R (57));
210 P (C, D, E, A, B, R (58));
211 P (B, C, D, E, A, R (59));
212
213 #undef K
214 #undef F
215
216 #define F(x,y,z) (x ^ y ^ z)
217 #define K 0xCA62C1D6
218
219 P (A, B, C, D, E, R (60));
220 P (E, A, B, C, D, R (61));
221 P (D, E, A, B, C, R (62));
222 P (C, D, E, A, B, R (63));
223 P (B, C, D, E, A, R (64));
224 P (A, B, C, D, E, R (65));
225 P (E, A, B, C, D, R (66));
226 P (D, E, A, B, C, R (67));
227 P (C, D, E, A, B, R (68));
228 P (B, C, D, E, A, R (69));
229 P (A, B, C, D, E, R (70));
230 P (E, A, B, C, D, R (71));
231 P (D, E, A, B, C, R (72));
232 P (C, D, E, A, B, R (73));
233 P (B, C, D, E, A, R (74));
234 P (A, B, C, D, E, R (75));
235 P (E, A, B, C, D, R (76));
236 P (D, E, A, B, C, R (77));
237 P (C, D, E, A, B, R (78));
238 P (B, C, D, E, A, R (79));
239
240 #undef K
241 #undef F
242
243 ctx->state[0] += A;
244 ctx->state[1] += B;
245 ctx->state[2] += C;
246 ctx->state[3] += D;
247 ctx->state[4] += E;
248 }
249
sha1_process(sha1_context * ctx,const unsigned char * data,unsigned int blocks)250 __weak void sha1_process(sha1_context *ctx, const unsigned char *data,
251 unsigned int blocks)
252 {
253 if (!blocks)
254 return;
255
256 while (blocks--) {
257 sha1_process_one(ctx, data);
258 data += 64;
259 }
260 }
261
262 /*
263 * SHA-1 process buffer
264 */
sha1_update(sha1_context * ctx,const unsigned char * input,unsigned int ilen)265 void sha1_update(sha1_context *ctx, const unsigned char *input,
266 unsigned int ilen)
267 {
268 int fill;
269 unsigned long left;
270
271 if (ilen <= 0)
272 return;
273 #if !defined(USE_HOSTCC)
274 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO)
275 if (ctx->cdev) {
276 crypto_sha_update(ctx->cdev, (void *)input, ilen);
277 return;
278 }
279 #endif
280 #endif
281 left = ctx->total[0] & 0x3F;
282 fill = 64 - left;
283
284 ctx->total[0] += ilen;
285 ctx->total[0] &= 0xFFFFFFFF;
286
287 if (ctx->total[0] < (unsigned long) ilen)
288 ctx->total[1]++;
289
290 if (left && ilen >= fill) {
291 memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
292 sha1_process(ctx, ctx->buffer, 1);
293 input += fill;
294 ilen -= fill;
295 left = 0;
296 }
297
298 sha1_process(ctx, input, ilen / 64);
299 input += ilen / 64 * 64;
300 ilen = ilen % 64;
301
302 if (ilen > 0) {
303 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
304 }
305 }
306
307 static const unsigned char sha1_padding[64] = {
308 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
309 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
310 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
311 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
312 };
313
314 /*
315 * SHA-1 final digest
316 */
sha1_finish(sha1_context * ctx,unsigned char output[20])317 void sha1_finish (sha1_context * ctx, unsigned char output[20])
318 {
319 unsigned long last, padn;
320 unsigned long high, low;
321 unsigned char msglen[8];
322
323 #if !defined(USE_HOSTCC)
324 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO)
325 sha_context cctx;
326
327 if (ctx->cdev) {
328 cctx.algo = CRYPTO_SHA1;
329 cctx.length = ctx->length;
330 crypto_sha_final(ctx->cdev, &cctx, output);
331 return;
332 }
333 #endif
334 #endif
335 high = (ctx->total[0] >> 29)
336 | (ctx->total[1] << 3);
337 low = (ctx->total[0] << 3);
338
339 PUT_UINT32_BE (high, msglen, 0);
340 PUT_UINT32_BE (low, msglen, 4);
341
342 last = ctx->total[0] & 0x3F;
343 padn = (last < 56) ? (56 - last) : (120 - last);
344
345 sha1_update (ctx, (unsigned char *) sha1_padding, padn);
346 sha1_update (ctx, msglen, 8);
347
348 PUT_UINT32_BE (ctx->state[0], output, 0);
349 PUT_UINT32_BE (ctx->state[1], output, 4);
350 PUT_UINT32_BE (ctx->state[2], output, 8);
351 PUT_UINT32_BE (ctx->state[3], output, 12);
352 PUT_UINT32_BE (ctx->state[4], output, 16);
353 }
354
355 /*
356 * Output = SHA-1( input buffer )
357 */
sha1_csum(const unsigned char * input,unsigned int ilen,unsigned char * output)358 void sha1_csum(const unsigned char *input, unsigned int ilen,
359 unsigned char *output)
360 {
361 sha1_context ctx;
362
363 #if !defined(USE_HOSTCC)
364 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO)
365 ctx.length = ilen;
366 #endif
367 #endif
368 sha1_starts (&ctx);
369 sha1_update (&ctx, input, ilen);
370 sha1_finish (&ctx, output);
371 }
372
373 /*
374 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
375 * bytes of input processed.
376 */
sha1_csum_wd(const unsigned char * input,unsigned int ilen,unsigned char * output,unsigned int chunk_sz)377 void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
378 unsigned char *output, unsigned int chunk_sz)
379 {
380 sha1_context ctx;
381 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
382 const unsigned char *end, *curr;
383 int chunk;
384 #endif
385 #if !defined(USE_HOSTCC)
386 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO)
387 ctx.length = ilen;
388 #endif
389 #endif
390 sha1_starts (&ctx);
391
392 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
393 curr = input;
394 end = input + ilen;
395 while (curr < end) {
396 chunk = end - curr;
397 if (chunk > chunk_sz)
398 chunk = chunk_sz;
399 sha1_update (&ctx, curr, chunk);
400 curr += chunk;
401 WATCHDOG_RESET ();
402 }
403 #else
404 sha1_update (&ctx, input, ilen);
405 #endif
406
407 sha1_finish (&ctx, output);
408 }
409
410 /*
411 * Output = HMAC-SHA-1( input buffer, hmac key )
412 */
sha1_hmac(const unsigned char * key,int keylen,const unsigned char * input,unsigned int ilen,unsigned char * output)413 void sha1_hmac(const unsigned char *key, int keylen,
414 const unsigned char *input, unsigned int ilen,
415 unsigned char *output)
416 {
417 int i;
418 sha1_context ctx;
419 unsigned char k_ipad[64];
420 unsigned char k_opad[64];
421 unsigned char tmpbuf[20];
422
423 memset (k_ipad, 0x36, 64);
424 memset (k_opad, 0x5C, 64);
425
426 for (i = 0; i < keylen; i++) {
427 if (i >= 64)
428 break;
429
430 k_ipad[i] ^= key[i];
431 k_opad[i] ^= key[i];
432 }
433
434 #if !defined(USE_HOSTCC)
435 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO)
436 ctx.length = 64 + ilen;
437 #endif
438 #endif
439 sha1_starts (&ctx);
440 sha1_update (&ctx, k_ipad, 64);
441 sha1_update (&ctx, input, ilen);
442 sha1_finish (&ctx, tmpbuf);
443
444 #if !defined(USE_HOSTCC)
445 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO)
446 ctx.length = 64 + 20;
447 #endif
448 #endif
449 sha1_starts (&ctx);
450 sha1_update (&ctx, k_opad, 64);
451 sha1_update (&ctx, tmpbuf, 20);
452 sha1_finish (&ctx, output);
453
454 memset (k_ipad, 0, 64);
455 memset (k_opad, 0, 64);
456 memset (tmpbuf, 0, 20);
457 memset (&ctx, 0, sizeof (sha1_context));
458 }
459
460 #ifdef SELF_TEST
461 /*
462 * FIPS-180-1 test vectors
463 */
464 static const char sha1_test_str[3][57] = {
465 {"abc"},
466 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
467 {""}
468 };
469
470 static const unsigned char sha1_test_sum[3][20] = {
471 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
472 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
473 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
474 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
475 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
476 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
477 };
478
479 /*
480 * Checkup routine
481 */
sha1_self_test(void)482 int sha1_self_test (void)
483 {
484 int i, j;
485 unsigned char buf[1000];
486 unsigned char sha1sum[20];
487 sha1_context ctx;
488
489 for (i = 0; i < 3; i++) {
490 printf (" SHA-1 test #%d: ", i + 1);
491
492 sha1_starts (&ctx);
493
494 if (i < 2)
495 sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
496 strlen (sha1_test_str[i]));
497 else {
498 memset (buf, 'a', 1000);
499 for (j = 0; j < 1000; j++)
500 sha1_update (&ctx, buf, 1000);
501 }
502
503 sha1_finish (&ctx, sha1sum);
504
505 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
506 printf ("failed\n");
507 return (1);
508 }
509
510 printf ("passed\n");
511 }
512
513 printf ("\n");
514 return (0);
515 }
516 #else
sha1_self_test(void)517 int sha1_self_test (void)
518 {
519 return (0);
520 }
521 #endif
522