1 /* 2 * Heiko Schocher, DENX Software Engineering, hs@denx.de. 3 * based on: 4 * FIPS-180-1 compliant SHA-1 implementation 5 * 6 * Copyright (C) 2003-2006 Christophe Devine 7 * 8 * SPDX-License-Identifier: LGPL-2.1 9 */ 10 /* 11 * The SHA-1 standard was published by NIST in 1993. 12 * 13 * http://www.itl.nist.gov/fipspubs/fip180-1.htm 14 */ 15 16 #ifndef _CRT_SECURE_NO_DEPRECATE 17 #define _CRT_SECURE_NO_DEPRECATE 1 18 #endif 19 20 #ifndef USE_HOSTCC 21 #include <common.h> 22 #include <linux/string.h> 23 #else 24 #include <string.h> 25 #endif /* USE_HOSTCC */ 26 #include <watchdog.h> 27 #include <u-boot/sha1.h> 28 29 #include <linux/compiler.h> 30 31 #ifdef USE_HOSTCC 32 #undef __weak 33 #define __weak 34 #undef __maybe_unused 35 #define __maybe_unused 36 #endif 37 38 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = { 39 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 40 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 41 }; 42 43 /* 44 * 32-bit integer manipulation macros (big endian) 45 */ 46 #ifndef GET_UINT32_BE 47 #define GET_UINT32_BE(n,b,i) { \ 48 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \ 49 | ( (unsigned long) (b)[(i) + 1] << 16 ) \ 50 | ( (unsigned long) (b)[(i) + 2] << 8 ) \ 51 | ( (unsigned long) (b)[(i) + 3] ); \ 52 } 53 #endif 54 #ifndef PUT_UINT32_BE 55 #define PUT_UINT32_BE(n,b,i) { \ 56 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 57 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 58 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 59 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 60 } 61 #endif 62 63 /* 64 * SHA-1 context setup 65 */ 66 void sha1_starts (sha1_context * ctx) 67 { 68 ctx->total[0] = 0; 69 ctx->total[1] = 0; 70 71 ctx->state[0] = 0x67452301; 72 ctx->state[1] = 0xEFCDAB89; 73 ctx->state[2] = 0x98BADCFE; 74 ctx->state[3] = 0x10325476; 75 ctx->state[4] = 0xC3D2E1F0; 76 } 77 78 static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64]) 79 { 80 unsigned long temp, W[16], A, B, C, D, E; 81 82 GET_UINT32_BE (W[0], data, 0); 83 GET_UINT32_BE (W[1], data, 4); 84 GET_UINT32_BE (W[2], data, 8); 85 GET_UINT32_BE (W[3], data, 12); 86 GET_UINT32_BE (W[4], data, 16); 87 GET_UINT32_BE (W[5], data, 20); 88 GET_UINT32_BE (W[6], data, 24); 89 GET_UINT32_BE (W[7], data, 28); 90 GET_UINT32_BE (W[8], data, 32); 91 GET_UINT32_BE (W[9], data, 36); 92 GET_UINT32_BE (W[10], data, 40); 93 GET_UINT32_BE (W[11], data, 44); 94 GET_UINT32_BE (W[12], data, 48); 95 GET_UINT32_BE (W[13], data, 52); 96 GET_UINT32_BE (W[14], data, 56); 97 GET_UINT32_BE (W[15], data, 60); 98 99 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) 100 101 #define R(t) ( \ 102 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \ 103 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \ 104 ( W[t & 0x0F] = S(temp,1) ) \ 105 ) 106 107 #define P(a,b,c,d,e,x) { \ 108 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \ 109 } 110 111 A = ctx->state[0]; 112 B = ctx->state[1]; 113 C = ctx->state[2]; 114 D = ctx->state[3]; 115 E = ctx->state[4]; 116 117 #define F(x,y,z) (z ^ (x & (y ^ z))) 118 #define K 0x5A827999 119 120 P (A, B, C, D, E, W[0]); 121 P (E, A, B, C, D, W[1]); 122 P (D, E, A, B, C, W[2]); 123 P (C, D, E, A, B, W[3]); 124 P (B, C, D, E, A, W[4]); 125 P (A, B, C, D, E, W[5]); 126 P (E, A, B, C, D, W[6]); 127 P (D, E, A, B, C, W[7]); 128 P (C, D, E, A, B, W[8]); 129 P (B, C, D, E, A, W[9]); 130 P (A, B, C, D, E, W[10]); 131 P (E, A, B, C, D, W[11]); 132 P (D, E, A, B, C, W[12]); 133 P (C, D, E, A, B, W[13]); 134 P (B, C, D, E, A, W[14]); 135 P (A, B, C, D, E, W[15]); 136 P (E, A, B, C, D, R (16)); 137 P (D, E, A, B, C, R (17)); 138 P (C, D, E, A, B, R (18)); 139 P (B, C, D, E, A, R (19)); 140 141 #undef K 142 #undef F 143 144 #define F(x,y,z) (x ^ y ^ z) 145 #define K 0x6ED9EBA1 146 147 P (A, B, C, D, E, R (20)); 148 P (E, A, B, C, D, R (21)); 149 P (D, E, A, B, C, R (22)); 150 P (C, D, E, A, B, R (23)); 151 P (B, C, D, E, A, R (24)); 152 P (A, B, C, D, E, R (25)); 153 P (E, A, B, C, D, R (26)); 154 P (D, E, A, B, C, R (27)); 155 P (C, D, E, A, B, R (28)); 156 P (B, C, D, E, A, R (29)); 157 P (A, B, C, D, E, R (30)); 158 P (E, A, B, C, D, R (31)); 159 P (D, E, A, B, C, R (32)); 160 P (C, D, E, A, B, R (33)); 161 P (B, C, D, E, A, R (34)); 162 P (A, B, C, D, E, R (35)); 163 P (E, A, B, C, D, R (36)); 164 P (D, E, A, B, C, R (37)); 165 P (C, D, E, A, B, R (38)); 166 P (B, C, D, E, A, R (39)); 167 168 #undef K 169 #undef F 170 171 #define F(x,y,z) ((x & y) | (z & (x | y))) 172 #define K 0x8F1BBCDC 173 174 P (A, B, C, D, E, R (40)); 175 P (E, A, B, C, D, R (41)); 176 P (D, E, A, B, C, R (42)); 177 P (C, D, E, A, B, R (43)); 178 P (B, C, D, E, A, R (44)); 179 P (A, B, C, D, E, R (45)); 180 P (E, A, B, C, D, R (46)); 181 P (D, E, A, B, C, R (47)); 182 P (C, D, E, A, B, R (48)); 183 P (B, C, D, E, A, R (49)); 184 P (A, B, C, D, E, R (50)); 185 P (E, A, B, C, D, R (51)); 186 P (D, E, A, B, C, R (52)); 187 P (C, D, E, A, B, R (53)); 188 P (B, C, D, E, A, R (54)); 189 P (A, B, C, D, E, R (55)); 190 P (E, A, B, C, D, R (56)); 191 P (D, E, A, B, C, R (57)); 192 P (C, D, E, A, B, R (58)); 193 P (B, C, D, E, A, R (59)); 194 195 #undef K 196 #undef F 197 198 #define F(x,y,z) (x ^ y ^ z) 199 #define K 0xCA62C1D6 200 201 P (A, B, C, D, E, R (60)); 202 P (E, A, B, C, D, R (61)); 203 P (D, E, A, B, C, R (62)); 204 P (C, D, E, A, B, R (63)); 205 P (B, C, D, E, A, R (64)); 206 P (A, B, C, D, E, R (65)); 207 P (E, A, B, C, D, R (66)); 208 P (D, E, A, B, C, R (67)); 209 P (C, D, E, A, B, R (68)); 210 P (B, C, D, E, A, R (69)); 211 P (A, B, C, D, E, R (70)); 212 P (E, A, B, C, D, R (71)); 213 P (D, E, A, B, C, R (72)); 214 P (C, D, E, A, B, R (73)); 215 P (B, C, D, E, A, R (74)); 216 P (A, B, C, D, E, R (75)); 217 P (E, A, B, C, D, R (76)); 218 P (D, E, A, B, C, R (77)); 219 P (C, D, E, A, B, R (78)); 220 P (B, C, D, E, A, R (79)); 221 222 #undef K 223 #undef F 224 225 ctx->state[0] += A; 226 ctx->state[1] += B; 227 ctx->state[2] += C; 228 ctx->state[3] += D; 229 ctx->state[4] += E; 230 } 231 232 __weak void sha1_process(sha1_context *ctx, const unsigned char *data, 233 unsigned int blocks) 234 { 235 if (!blocks) 236 return; 237 238 while (blocks--) { 239 sha1_process_one(ctx, data); 240 data += 64; 241 } 242 } 243 244 /* 245 * SHA-1 process buffer 246 */ 247 void sha1_update(sha1_context *ctx, const unsigned char *input, 248 unsigned int ilen) 249 { 250 int fill; 251 unsigned long left; 252 253 if (ilen <= 0) 254 return; 255 256 left = ctx->total[0] & 0x3F; 257 fill = 64 - left; 258 259 ctx->total[0] += ilen; 260 ctx->total[0] &= 0xFFFFFFFF; 261 262 if (ctx->total[0] < (unsigned long) ilen) 263 ctx->total[1]++; 264 265 if (left && ilen >= fill) { 266 memcpy ((void *) (ctx->buffer + left), (void *) input, fill); 267 sha1_process(ctx, ctx->buffer, 1); 268 input += fill; 269 ilen -= fill; 270 left = 0; 271 } 272 273 sha1_process(ctx, input, ilen / 64); 274 input += ilen / 64 * 64; 275 ilen = ilen % 64; 276 277 if (ilen > 0) { 278 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen); 279 } 280 } 281 282 static const unsigned char sha1_padding[64] = { 283 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 284 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 285 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 286 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 287 }; 288 289 /* 290 * SHA-1 final digest 291 */ 292 void sha1_finish (sha1_context * ctx, unsigned char output[20]) 293 { 294 unsigned long last, padn; 295 unsigned long high, low; 296 unsigned char msglen[8]; 297 298 high = (ctx->total[0] >> 29) 299 | (ctx->total[1] << 3); 300 low = (ctx->total[0] << 3); 301 302 PUT_UINT32_BE (high, msglen, 0); 303 PUT_UINT32_BE (low, msglen, 4); 304 305 last = ctx->total[0] & 0x3F; 306 padn = (last < 56) ? (56 - last) : (120 - last); 307 308 sha1_update (ctx, (unsigned char *) sha1_padding, padn); 309 sha1_update (ctx, msglen, 8); 310 311 PUT_UINT32_BE (ctx->state[0], output, 0); 312 PUT_UINT32_BE (ctx->state[1], output, 4); 313 PUT_UINT32_BE (ctx->state[2], output, 8); 314 PUT_UINT32_BE (ctx->state[3], output, 12); 315 PUT_UINT32_BE (ctx->state[4], output, 16); 316 } 317 318 /* 319 * Output = SHA-1( input buffer ) 320 */ 321 void sha1_csum(const unsigned char *input, unsigned int ilen, 322 unsigned char *output) 323 { 324 sha1_context ctx; 325 326 sha1_starts (&ctx); 327 sha1_update (&ctx, input, ilen); 328 sha1_finish (&ctx, output); 329 } 330 331 /* 332 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz' 333 * bytes of input processed. 334 */ 335 void sha1_csum_wd(const unsigned char *input, unsigned int ilen, 336 unsigned char *output, unsigned int chunk_sz) 337 { 338 sha1_context ctx; 339 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 340 const unsigned char *end, *curr; 341 int chunk; 342 #endif 343 344 sha1_starts (&ctx); 345 346 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 347 curr = input; 348 end = input + ilen; 349 while (curr < end) { 350 chunk = end - curr; 351 if (chunk > chunk_sz) 352 chunk = chunk_sz; 353 sha1_update (&ctx, curr, chunk); 354 curr += chunk; 355 WATCHDOG_RESET (); 356 } 357 #else 358 sha1_update (&ctx, input, ilen); 359 #endif 360 361 sha1_finish (&ctx, output); 362 } 363 364 /* 365 * Output = HMAC-SHA-1( input buffer, hmac key ) 366 */ 367 void sha1_hmac(const unsigned char *key, int keylen, 368 const unsigned char *input, unsigned int ilen, 369 unsigned char *output) 370 { 371 int i; 372 sha1_context ctx; 373 unsigned char k_ipad[64]; 374 unsigned char k_opad[64]; 375 unsigned char tmpbuf[20]; 376 377 memset (k_ipad, 0x36, 64); 378 memset (k_opad, 0x5C, 64); 379 380 for (i = 0; i < keylen; i++) { 381 if (i >= 64) 382 break; 383 384 k_ipad[i] ^= key[i]; 385 k_opad[i] ^= key[i]; 386 } 387 388 sha1_starts (&ctx); 389 sha1_update (&ctx, k_ipad, 64); 390 sha1_update (&ctx, input, ilen); 391 sha1_finish (&ctx, tmpbuf); 392 393 sha1_starts (&ctx); 394 sha1_update (&ctx, k_opad, 64); 395 sha1_update (&ctx, tmpbuf, 20); 396 sha1_finish (&ctx, output); 397 398 memset (k_ipad, 0, 64); 399 memset (k_opad, 0, 64); 400 memset (tmpbuf, 0, 20); 401 memset (&ctx, 0, sizeof (sha1_context)); 402 } 403 404 #ifdef SELF_TEST 405 /* 406 * FIPS-180-1 test vectors 407 */ 408 static const char sha1_test_str[3][57] = { 409 {"abc"}, 410 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"}, 411 {""} 412 }; 413 414 static const unsigned char sha1_test_sum[3][20] = { 415 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E, 416 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D}, 417 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE, 418 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1}, 419 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E, 420 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F} 421 }; 422 423 /* 424 * Checkup routine 425 */ 426 int sha1_self_test (void) 427 { 428 int i, j; 429 unsigned char buf[1000]; 430 unsigned char sha1sum[20]; 431 sha1_context ctx; 432 433 for (i = 0; i < 3; i++) { 434 printf (" SHA-1 test #%d: ", i + 1); 435 436 sha1_starts (&ctx); 437 438 if (i < 2) 439 sha1_update (&ctx, (unsigned char *) sha1_test_str[i], 440 strlen (sha1_test_str[i])); 441 else { 442 memset (buf, 'a', 1000); 443 for (j = 0; j < 1000; j++) 444 sha1_update (&ctx, buf, 1000); 445 } 446 447 sha1_finish (&ctx, sha1sum); 448 449 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) { 450 printf ("failed\n"); 451 return (1); 452 } 453 454 printf ("passed\n"); 455 } 456 457 printf ("\n"); 458 return (0); 459 } 460 #else 461 int sha1_self_test (void) 462 { 463 return (0); 464 } 465 #endif 466