1 /* 2 * Heiko Schocher, DENX Software Engineering, hs@denx.de. 3 * based on: 4 * FIPS-180-1 compliant SHA-1 implementation 5 * 6 * Copyright (C) 2003-2006 Christophe Devine 7 * 8 * SPDX-License-Identifier: LGPL-2.1 9 */ 10 /* 11 * The SHA-1 standard was published by NIST in 1993. 12 * 13 * http://www.itl.nist.gov/fipspubs/fip180-1.htm 14 */ 15 16 #ifndef _CRT_SECURE_NO_DEPRECATE 17 #define _CRT_SECURE_NO_DEPRECATE 1 18 #endif 19 20 #ifndef USE_HOSTCC 21 #include <common.h> 22 #include <linux/string.h> 23 #include <crypto.h> 24 #else 25 #include <string.h> 26 #endif /* USE_HOSTCC */ 27 #include <watchdog.h> 28 #include <u-boot/sha1.h> 29 30 #include <linux/compiler.h> 31 32 #ifdef USE_HOSTCC 33 #undef __weak 34 #define __weak 35 #undef __maybe_unused 36 #define __maybe_unused 37 #endif 38 39 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = { 40 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 41 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 42 }; 43 44 /* 45 * 32-bit integer manipulation macros (big endian) 46 */ 47 #ifndef GET_UINT32_BE 48 #define GET_UINT32_BE(n,b,i) { \ 49 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \ 50 | ( (unsigned long) (b)[(i) + 1] << 16 ) \ 51 | ( (unsigned long) (b)[(i) + 2] << 8 ) \ 52 | ( (unsigned long) (b)[(i) + 3] ); \ 53 } 54 #endif 55 #ifndef PUT_UINT32_BE 56 #define PUT_UINT32_BE(n,b,i) { \ 57 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 58 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 59 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 60 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 61 } 62 #endif 63 64 /* 65 * SHA-1 context setup 66 */ 67 void sha1_starts (sha1_context * ctx) 68 { 69 #if !defined(USE_HOSTCC) 70 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO) 71 sha_context cctx; 72 u32 algo = CRYPTO_SHA1; 73 74 ctx->cdev = NULL; 75 if (ctx->length) { 76 ctx->cdev = crypto_get_device(algo); 77 if (ctx->cdev) { 78 cctx.algo = algo; 79 cctx.length = ctx->length; 80 crypto_sha_init(ctx->cdev, &cctx); 81 return; 82 } 83 } 84 #endif 85 #endif 86 ctx->total[0] = 0; 87 ctx->total[1] = 0; 88 89 ctx->state[0] = 0x67452301; 90 ctx->state[1] = 0xEFCDAB89; 91 ctx->state[2] = 0x98BADCFE; 92 ctx->state[3] = 0x10325476; 93 ctx->state[4] = 0xC3D2E1F0; 94 } 95 96 static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64]) 97 { 98 unsigned long temp, W[16], A, B, C, D, E; 99 100 GET_UINT32_BE (W[0], data, 0); 101 GET_UINT32_BE (W[1], data, 4); 102 GET_UINT32_BE (W[2], data, 8); 103 GET_UINT32_BE (W[3], data, 12); 104 GET_UINT32_BE (W[4], data, 16); 105 GET_UINT32_BE (W[5], data, 20); 106 GET_UINT32_BE (W[6], data, 24); 107 GET_UINT32_BE (W[7], data, 28); 108 GET_UINT32_BE (W[8], data, 32); 109 GET_UINT32_BE (W[9], data, 36); 110 GET_UINT32_BE (W[10], data, 40); 111 GET_UINT32_BE (W[11], data, 44); 112 GET_UINT32_BE (W[12], data, 48); 113 GET_UINT32_BE (W[13], data, 52); 114 GET_UINT32_BE (W[14], data, 56); 115 GET_UINT32_BE (W[15], data, 60); 116 117 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) 118 119 #define R(t) ( \ 120 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \ 121 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \ 122 ( W[t & 0x0F] = S(temp,1) ) \ 123 ) 124 125 #define P(a,b,c,d,e,x) { \ 126 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \ 127 } 128 129 A = ctx->state[0]; 130 B = ctx->state[1]; 131 C = ctx->state[2]; 132 D = ctx->state[3]; 133 E = ctx->state[4]; 134 135 #define F(x,y,z) (z ^ (x & (y ^ z))) 136 #define K 0x5A827999 137 138 P (A, B, C, D, E, W[0]); 139 P (E, A, B, C, D, W[1]); 140 P (D, E, A, B, C, W[2]); 141 P (C, D, E, A, B, W[3]); 142 P (B, C, D, E, A, W[4]); 143 P (A, B, C, D, E, W[5]); 144 P (E, A, B, C, D, W[6]); 145 P (D, E, A, B, C, W[7]); 146 P (C, D, E, A, B, W[8]); 147 P (B, C, D, E, A, W[9]); 148 P (A, B, C, D, E, W[10]); 149 P (E, A, B, C, D, W[11]); 150 P (D, E, A, B, C, W[12]); 151 P (C, D, E, A, B, W[13]); 152 P (B, C, D, E, A, W[14]); 153 P (A, B, C, D, E, W[15]); 154 P (E, A, B, C, D, R (16)); 155 P (D, E, A, B, C, R (17)); 156 P (C, D, E, A, B, R (18)); 157 P (B, C, D, E, A, R (19)); 158 159 #undef K 160 #undef F 161 162 #define F(x,y,z) (x ^ y ^ z) 163 #define K 0x6ED9EBA1 164 165 P (A, B, C, D, E, R (20)); 166 P (E, A, B, C, D, R (21)); 167 P (D, E, A, B, C, R (22)); 168 P (C, D, E, A, B, R (23)); 169 P (B, C, D, E, A, R (24)); 170 P (A, B, C, D, E, R (25)); 171 P (E, A, B, C, D, R (26)); 172 P (D, E, A, B, C, R (27)); 173 P (C, D, E, A, B, R (28)); 174 P (B, C, D, E, A, R (29)); 175 P (A, B, C, D, E, R (30)); 176 P (E, A, B, C, D, R (31)); 177 P (D, E, A, B, C, R (32)); 178 P (C, D, E, A, B, R (33)); 179 P (B, C, D, E, A, R (34)); 180 P (A, B, C, D, E, R (35)); 181 P (E, A, B, C, D, R (36)); 182 P (D, E, A, B, C, R (37)); 183 P (C, D, E, A, B, R (38)); 184 P (B, C, D, E, A, R (39)); 185 186 #undef K 187 #undef F 188 189 #define F(x,y,z) ((x & y) | (z & (x | y))) 190 #define K 0x8F1BBCDC 191 192 P (A, B, C, D, E, R (40)); 193 P (E, A, B, C, D, R (41)); 194 P (D, E, A, B, C, R (42)); 195 P (C, D, E, A, B, R (43)); 196 P (B, C, D, E, A, R (44)); 197 P (A, B, C, D, E, R (45)); 198 P (E, A, B, C, D, R (46)); 199 P (D, E, A, B, C, R (47)); 200 P (C, D, E, A, B, R (48)); 201 P (B, C, D, E, A, R (49)); 202 P (A, B, C, D, E, R (50)); 203 P (E, A, B, C, D, R (51)); 204 P (D, E, A, B, C, R (52)); 205 P (C, D, E, A, B, R (53)); 206 P (B, C, D, E, A, R (54)); 207 P (A, B, C, D, E, R (55)); 208 P (E, A, B, C, D, R (56)); 209 P (D, E, A, B, C, R (57)); 210 P (C, D, E, A, B, R (58)); 211 P (B, C, D, E, A, R (59)); 212 213 #undef K 214 #undef F 215 216 #define F(x,y,z) (x ^ y ^ z) 217 #define K 0xCA62C1D6 218 219 P (A, B, C, D, E, R (60)); 220 P (E, A, B, C, D, R (61)); 221 P (D, E, A, B, C, R (62)); 222 P (C, D, E, A, B, R (63)); 223 P (B, C, D, E, A, R (64)); 224 P (A, B, C, D, E, R (65)); 225 P (E, A, B, C, D, R (66)); 226 P (D, E, A, B, C, R (67)); 227 P (C, D, E, A, B, R (68)); 228 P (B, C, D, E, A, R (69)); 229 P (A, B, C, D, E, R (70)); 230 P (E, A, B, C, D, R (71)); 231 P (D, E, A, B, C, R (72)); 232 P (C, D, E, A, B, R (73)); 233 P (B, C, D, E, A, R (74)); 234 P (A, B, C, D, E, R (75)); 235 P (E, A, B, C, D, R (76)); 236 P (D, E, A, B, C, R (77)); 237 P (C, D, E, A, B, R (78)); 238 P (B, C, D, E, A, R (79)); 239 240 #undef K 241 #undef F 242 243 ctx->state[0] += A; 244 ctx->state[1] += B; 245 ctx->state[2] += C; 246 ctx->state[3] += D; 247 ctx->state[4] += E; 248 } 249 250 __weak void sha1_process(sha1_context *ctx, const unsigned char *data, 251 unsigned int blocks) 252 { 253 if (!blocks) 254 return; 255 256 while (blocks--) { 257 sha1_process_one(ctx, data); 258 data += 64; 259 } 260 } 261 262 /* 263 * SHA-1 process buffer 264 */ 265 void sha1_update(sha1_context *ctx, const unsigned char *input, 266 unsigned int ilen) 267 { 268 int fill; 269 unsigned long left; 270 271 if (ilen <= 0) 272 return; 273 #if !defined(USE_HOSTCC) 274 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO) 275 if (ctx->cdev) { 276 crypto_sha_update(ctx->cdev, (void *)input, ilen); 277 return; 278 } 279 #endif 280 #endif 281 left = ctx->total[0] & 0x3F; 282 fill = 64 - left; 283 284 ctx->total[0] += ilen; 285 ctx->total[0] &= 0xFFFFFFFF; 286 287 if (ctx->total[0] < (unsigned long) ilen) 288 ctx->total[1]++; 289 290 if (left && ilen >= fill) { 291 memcpy ((void *) (ctx->buffer + left), (void *) input, fill); 292 sha1_process(ctx, ctx->buffer, 1); 293 input += fill; 294 ilen -= fill; 295 left = 0; 296 } 297 298 sha1_process(ctx, input, ilen / 64); 299 input += ilen / 64 * 64; 300 ilen = ilen % 64; 301 302 if (ilen > 0) { 303 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen); 304 } 305 } 306 307 static const unsigned char sha1_padding[64] = { 308 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 309 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 310 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 311 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 312 }; 313 314 /* 315 * SHA-1 final digest 316 */ 317 void sha1_finish (sha1_context * ctx, unsigned char output[20]) 318 { 319 unsigned long last, padn; 320 unsigned long high, low; 321 unsigned char msglen[8]; 322 323 #if !defined(USE_HOSTCC) 324 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO) 325 sha_context cctx; 326 327 if (ctx->cdev) { 328 cctx.algo = CRYPTO_SHA1; 329 cctx.length = ctx->length; 330 crypto_sha_final(ctx->cdev, &cctx, output); 331 return; 332 } 333 #endif 334 #endif 335 high = (ctx->total[0] >> 29) 336 | (ctx->total[1] << 3); 337 low = (ctx->total[0] << 3); 338 339 PUT_UINT32_BE (high, msglen, 0); 340 PUT_UINT32_BE (low, msglen, 4); 341 342 last = ctx->total[0] & 0x3F; 343 padn = (last < 56) ? (56 - last) : (120 - last); 344 345 sha1_update (ctx, (unsigned char *) sha1_padding, padn); 346 sha1_update (ctx, msglen, 8); 347 348 PUT_UINT32_BE (ctx->state[0], output, 0); 349 PUT_UINT32_BE (ctx->state[1], output, 4); 350 PUT_UINT32_BE (ctx->state[2], output, 8); 351 PUT_UINT32_BE (ctx->state[3], output, 12); 352 PUT_UINT32_BE (ctx->state[4], output, 16); 353 } 354 355 /* 356 * Output = SHA-1( input buffer ) 357 */ 358 void sha1_csum(const unsigned char *input, unsigned int ilen, 359 unsigned char *output) 360 { 361 sha1_context ctx; 362 363 #if !defined(USE_HOSTCC) 364 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO) 365 ctx.length = ilen; 366 #endif 367 #endif 368 sha1_starts (&ctx); 369 sha1_update (&ctx, input, ilen); 370 sha1_finish (&ctx, output); 371 } 372 373 /* 374 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz' 375 * bytes of input processed. 376 */ 377 void sha1_csum_wd(const unsigned char *input, unsigned int ilen, 378 unsigned char *output, unsigned int chunk_sz) 379 { 380 sha1_context ctx; 381 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 382 const unsigned char *end, *curr; 383 int chunk; 384 #endif 385 #if !defined(USE_HOSTCC) 386 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO) 387 ctx.length = ilen; 388 #endif 389 #endif 390 sha1_starts (&ctx); 391 392 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 393 curr = input; 394 end = input + ilen; 395 while (curr < end) { 396 chunk = end - curr; 397 if (chunk > chunk_sz) 398 chunk = chunk_sz; 399 sha1_update (&ctx, curr, chunk); 400 curr += chunk; 401 WATCHDOG_RESET (); 402 } 403 #else 404 sha1_update (&ctx, input, ilen); 405 #endif 406 407 sha1_finish (&ctx, output); 408 } 409 410 /* 411 * Output = HMAC-SHA-1( input buffer, hmac key ) 412 */ 413 void sha1_hmac(const unsigned char *key, int keylen, 414 const unsigned char *input, unsigned int ilen, 415 unsigned char *output) 416 { 417 int i; 418 sha1_context ctx; 419 unsigned char k_ipad[64]; 420 unsigned char k_opad[64]; 421 unsigned char tmpbuf[20]; 422 423 memset (k_ipad, 0x36, 64); 424 memset (k_opad, 0x5C, 64); 425 426 for (i = 0; i < keylen; i++) { 427 if (i >= 64) 428 break; 429 430 k_ipad[i] ^= key[i]; 431 k_opad[i] ^= key[i]; 432 } 433 434 #if !defined(USE_HOSTCC) 435 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO) 436 ctx.length = 64 + ilen; 437 #endif 438 #endif 439 sha1_starts (&ctx); 440 sha1_update (&ctx, k_ipad, 64); 441 sha1_update (&ctx, input, ilen); 442 sha1_finish (&ctx, tmpbuf); 443 444 #if !defined(USE_HOSTCC) 445 #if !CONFIG_IS_ENABLED(ARMV8_CE_SHA1) && CONFIG_IS_ENABLED(DM_CRYPTO) 446 ctx.length = 64 + 20; 447 #endif 448 #endif 449 sha1_starts (&ctx); 450 sha1_update (&ctx, k_opad, 64); 451 sha1_update (&ctx, tmpbuf, 20); 452 sha1_finish (&ctx, output); 453 454 memset (k_ipad, 0, 64); 455 memset (k_opad, 0, 64); 456 memset (tmpbuf, 0, 20); 457 memset (&ctx, 0, sizeof (sha1_context)); 458 } 459 460 #ifdef SELF_TEST 461 /* 462 * FIPS-180-1 test vectors 463 */ 464 static const char sha1_test_str[3][57] = { 465 {"abc"}, 466 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"}, 467 {""} 468 }; 469 470 static const unsigned char sha1_test_sum[3][20] = { 471 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E, 472 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D}, 473 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE, 474 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1}, 475 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E, 476 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F} 477 }; 478 479 /* 480 * Checkup routine 481 */ 482 int sha1_self_test (void) 483 { 484 int i, j; 485 unsigned char buf[1000]; 486 unsigned char sha1sum[20]; 487 sha1_context ctx; 488 489 for (i = 0; i < 3; i++) { 490 printf (" SHA-1 test #%d: ", i + 1); 491 492 sha1_starts (&ctx); 493 494 if (i < 2) 495 sha1_update (&ctx, (unsigned char *) sha1_test_str[i], 496 strlen (sha1_test_str[i])); 497 else { 498 memset (buf, 'a', 1000); 499 for (j = 0; j < 1000; j++) 500 sha1_update (&ctx, buf, 1000); 501 } 502 503 sha1_finish (&ctx, sha1sum); 504 505 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) { 506 printf ("failed\n"); 507 return (1); 508 } 509 510 printf ("passed\n"); 511 } 512 513 printf ("\n"); 514 return (0); 515 } 516 #else 517 int sha1_self_test (void) 518 { 519 return (0); 520 } 521 #endif 522