1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3 * Heiko Schocher, DENX Software Engineering, hs@denx.de.
4 * based on:
5 * FIPS-180-1 compliant SHA-1 implementation
6 *
7 * Copyright (C) 2003-2006 Christophe Devine
8 */
9 /*
10 * The SHA-1 standard was published by NIST in 1993.
11 *
12 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
13 */
14
15 #ifndef _CRT_SECURE_NO_DEPRECATE
16 #define _CRT_SECURE_NO_DEPRECATE 1
17 #endif
18
19 #ifndef USE_HOSTCC
20 #include <common.h>
21 #include <linux/string.h>
22 #else
23 #include <string.h>
24 #endif /* USE_HOSTCC */
25 #include <watchdog.h>
26 #include <u-boot/sha1.h>
27
28 #include <linux/compiler_attributes.h>
29
30 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
31 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
32 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
33 };
34
35 /*
36 * 32-bit integer manipulation macros (big endian)
37 */
38 #ifndef GET_UINT32_BE
39 #define GET_UINT32_BE(n,b,i) { \
40 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
41 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
42 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
43 | ( (unsigned long) (b)[(i) + 3] ); \
44 }
45 #endif
46 #ifndef PUT_UINT32_BE
47 #define PUT_UINT32_BE(n,b,i) { \
48 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
49 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
50 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
51 (b)[(i) + 3] = (unsigned char) ( (n) ); \
52 }
53 #endif
54
55 /*
56 * SHA-1 context setup
57 */
sha1_starts(sha1_context * ctx)58 void sha1_starts (sha1_context * ctx)
59 {
60 ctx->total[0] = 0;
61 ctx->total[1] = 0;
62
63 ctx->state[0] = 0x67452301;
64 ctx->state[1] = 0xEFCDAB89;
65 ctx->state[2] = 0x98BADCFE;
66 ctx->state[3] = 0x10325476;
67 ctx->state[4] = 0xC3D2E1F0;
68 }
69
sha1_process_one(sha1_context * ctx,const unsigned char data[64])70 static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64])
71 {
72 unsigned long temp, W[16], A, B, C, D, E;
73
74 GET_UINT32_BE (W[0], data, 0);
75 GET_UINT32_BE (W[1], data, 4);
76 GET_UINT32_BE (W[2], data, 8);
77 GET_UINT32_BE (W[3], data, 12);
78 GET_UINT32_BE (W[4], data, 16);
79 GET_UINT32_BE (W[5], data, 20);
80 GET_UINT32_BE (W[6], data, 24);
81 GET_UINT32_BE (W[7], data, 28);
82 GET_UINT32_BE (W[8], data, 32);
83 GET_UINT32_BE (W[9], data, 36);
84 GET_UINT32_BE (W[10], data, 40);
85 GET_UINT32_BE (W[11], data, 44);
86 GET_UINT32_BE (W[12], data, 48);
87 GET_UINT32_BE (W[13], data, 52);
88 GET_UINT32_BE (W[14], data, 56);
89 GET_UINT32_BE (W[15], data, 60);
90
91 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
92
93 #define R(t) ( \
94 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
95 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \
96 ( W[t & 0x0F] = S(temp,1) ) \
97 )
98
99 #define P(a,b,c,d,e,x) { \
100 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
101 }
102
103 A = ctx->state[0];
104 B = ctx->state[1];
105 C = ctx->state[2];
106 D = ctx->state[3];
107 E = ctx->state[4];
108
109 #define F(x,y,z) (z ^ (x & (y ^ z)))
110 #define K 0x5A827999
111
112 P (A, B, C, D, E, W[0]);
113 P (E, A, B, C, D, W[1]);
114 P (D, E, A, B, C, W[2]);
115 P (C, D, E, A, B, W[3]);
116 P (B, C, D, E, A, W[4]);
117 P (A, B, C, D, E, W[5]);
118 P (E, A, B, C, D, W[6]);
119 P (D, E, A, B, C, W[7]);
120 P (C, D, E, A, B, W[8]);
121 P (B, C, D, E, A, W[9]);
122 P (A, B, C, D, E, W[10]);
123 P (E, A, B, C, D, W[11]);
124 P (D, E, A, B, C, W[12]);
125 P (C, D, E, A, B, W[13]);
126 P (B, C, D, E, A, W[14]);
127 P (A, B, C, D, E, W[15]);
128 P (E, A, B, C, D, R (16));
129 P (D, E, A, B, C, R (17));
130 P (C, D, E, A, B, R (18));
131 P (B, C, D, E, A, R (19));
132
133 #undef K
134 #undef F
135
136 #define F(x,y,z) (x ^ y ^ z)
137 #define K 0x6ED9EBA1
138
139 P (A, B, C, D, E, R (20));
140 P (E, A, B, C, D, R (21));
141 P (D, E, A, B, C, R (22));
142 P (C, D, E, A, B, R (23));
143 P (B, C, D, E, A, R (24));
144 P (A, B, C, D, E, R (25));
145 P (E, A, B, C, D, R (26));
146 P (D, E, A, B, C, R (27));
147 P (C, D, E, A, B, R (28));
148 P (B, C, D, E, A, R (29));
149 P (A, B, C, D, E, R (30));
150 P (E, A, B, C, D, R (31));
151 P (D, E, A, B, C, R (32));
152 P (C, D, E, A, B, R (33));
153 P (B, C, D, E, A, R (34));
154 P (A, B, C, D, E, R (35));
155 P (E, A, B, C, D, R (36));
156 P (D, E, A, B, C, R (37));
157 P (C, D, E, A, B, R (38));
158 P (B, C, D, E, A, R (39));
159
160 #undef K
161 #undef F
162
163 #define F(x,y,z) ((x & y) | (z & (x | y)))
164 #define K 0x8F1BBCDC
165
166 P (A, B, C, D, E, R (40));
167 P (E, A, B, C, D, R (41));
168 P (D, E, A, B, C, R (42));
169 P (C, D, E, A, B, R (43));
170 P (B, C, D, E, A, R (44));
171 P (A, B, C, D, E, R (45));
172 P (E, A, B, C, D, R (46));
173 P (D, E, A, B, C, R (47));
174 P (C, D, E, A, B, R (48));
175 P (B, C, D, E, A, R (49));
176 P (A, B, C, D, E, R (50));
177 P (E, A, B, C, D, R (51));
178 P (D, E, A, B, C, R (52));
179 P (C, D, E, A, B, R (53));
180 P (B, C, D, E, A, R (54));
181 P (A, B, C, D, E, R (55));
182 P (E, A, B, C, D, R (56));
183 P (D, E, A, B, C, R (57));
184 P (C, D, E, A, B, R (58));
185 P (B, C, D, E, A, R (59));
186
187 #undef K
188 #undef F
189
190 #define F(x,y,z) (x ^ y ^ z)
191 #define K 0xCA62C1D6
192
193 P (A, B, C, D, E, R (60));
194 P (E, A, B, C, D, R (61));
195 P (D, E, A, B, C, R (62));
196 P (C, D, E, A, B, R (63));
197 P (B, C, D, E, A, R (64));
198 P (A, B, C, D, E, R (65));
199 P (E, A, B, C, D, R (66));
200 P (D, E, A, B, C, R (67));
201 P (C, D, E, A, B, R (68));
202 P (B, C, D, E, A, R (69));
203 P (A, B, C, D, E, R (70));
204 P (E, A, B, C, D, R (71));
205 P (D, E, A, B, C, R (72));
206 P (C, D, E, A, B, R (73));
207 P (B, C, D, E, A, R (74));
208 P (A, B, C, D, E, R (75));
209 P (E, A, B, C, D, R (76));
210 P (D, E, A, B, C, R (77));
211 P (C, D, E, A, B, R (78));
212 P (B, C, D, E, A, R (79));
213
214 #undef K
215 #undef F
216
217 ctx->state[0] += A;
218 ctx->state[1] += B;
219 ctx->state[2] += C;
220 ctx->state[3] += D;
221 ctx->state[4] += E;
222 }
223
sha1_process(sha1_context * ctx,const unsigned char * data,unsigned int blocks)224 __weak void sha1_process(sha1_context *ctx, const unsigned char *data,
225 unsigned int blocks)
226 {
227 if (!blocks)
228 return;
229
230 while (blocks--) {
231 sha1_process_one(ctx, data);
232 data += 64;
233 }
234 }
235
236 /*
237 * SHA-1 process buffer
238 */
sha1_update(sha1_context * ctx,const unsigned char * input,unsigned int ilen)239 void sha1_update(sha1_context *ctx, const unsigned char *input,
240 unsigned int ilen)
241 {
242 int fill;
243 unsigned long left;
244
245 if (ilen <= 0)
246 return;
247
248 left = ctx->total[0] & 0x3F;
249 fill = 64 - left;
250
251 ctx->total[0] += ilen;
252 ctx->total[0] &= 0xFFFFFFFF;
253
254 if (ctx->total[0] < (unsigned long) ilen)
255 ctx->total[1]++;
256
257 if (left && ilen >= fill) {
258 memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
259 sha1_process(ctx, ctx->buffer, 1);
260 input += fill;
261 ilen -= fill;
262 left = 0;
263 }
264
265 sha1_process(ctx, input, ilen / 64);
266 input += ilen / 64 * 64;
267 ilen = ilen % 64;
268
269 if (ilen > 0) {
270 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
271 }
272 }
273
274 static const unsigned char sha1_padding[64] = {
275 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
277 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
278 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
279 };
280
281 /*
282 * SHA-1 final digest
283 */
sha1_finish(sha1_context * ctx,unsigned char output[20])284 void sha1_finish (sha1_context * ctx, unsigned char output[20])
285 {
286 unsigned long last, padn;
287 unsigned long high, low;
288 unsigned char msglen[8];
289
290 high = (ctx->total[0] >> 29)
291 | (ctx->total[1] << 3);
292 low = (ctx->total[0] << 3);
293
294 PUT_UINT32_BE (high, msglen, 0);
295 PUT_UINT32_BE (low, msglen, 4);
296
297 last = ctx->total[0] & 0x3F;
298 padn = (last < 56) ? (56 - last) : (120 - last);
299
300 sha1_update (ctx, (unsigned char *) sha1_padding, padn);
301 sha1_update (ctx, msglen, 8);
302
303 PUT_UINT32_BE (ctx->state[0], output, 0);
304 PUT_UINT32_BE (ctx->state[1], output, 4);
305 PUT_UINT32_BE (ctx->state[2], output, 8);
306 PUT_UINT32_BE (ctx->state[3], output, 12);
307 PUT_UINT32_BE (ctx->state[4], output, 16);
308 }
309
310 /*
311 * Output = SHA-1( input buffer )
312 */
sha1_csum(const unsigned char * input,unsigned int ilen,unsigned char * output)313 void sha1_csum(const unsigned char *input, unsigned int ilen,
314 unsigned char *output)
315 {
316 sha1_context ctx;
317
318 sha1_starts (&ctx);
319 sha1_update (&ctx, input, ilen);
320 sha1_finish (&ctx, output);
321 }
322
323 /*
324 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
325 * bytes of input processed.
326 */
sha1_csum_wd(const unsigned char * input,unsigned int ilen,unsigned char * output,unsigned int chunk_sz)327 void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
328 unsigned char *output, unsigned int chunk_sz)
329 {
330 sha1_context ctx;
331 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
332 const unsigned char *end, *curr;
333 int chunk;
334 #endif
335
336 sha1_starts (&ctx);
337
338 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
339 curr = input;
340 end = input + ilen;
341 while (curr < end) {
342 chunk = end - curr;
343 if (chunk > chunk_sz)
344 chunk = chunk_sz;
345 sha1_update (&ctx, curr, chunk);
346 curr += chunk;
347 schedule();
348 }
349 #else
350 sha1_update (&ctx, input, ilen);
351 #endif
352
353 sha1_finish (&ctx, output);
354 }
355
356 /*
357 * Output = HMAC-SHA-1( input buffer, hmac key )
358 */
sha1_hmac(const unsigned char * key,int keylen,const unsigned char * input,unsigned int ilen,unsigned char * output)359 void sha1_hmac(const unsigned char *key, int keylen,
360 const unsigned char *input, unsigned int ilen,
361 unsigned char *output)
362 {
363 int i;
364 sha1_context ctx;
365 unsigned char k_ipad[64];
366 unsigned char k_opad[64];
367 unsigned char tmpbuf[20];
368
369 memset (k_ipad, 0x36, 64);
370 memset (k_opad, 0x5C, 64);
371
372 for (i = 0; i < keylen; i++) {
373 if (i >= 64)
374 break;
375
376 k_ipad[i] ^= key[i];
377 k_opad[i] ^= key[i];
378 }
379
380 sha1_starts (&ctx);
381 sha1_update (&ctx, k_ipad, 64);
382 sha1_update (&ctx, input, ilen);
383 sha1_finish (&ctx, tmpbuf);
384
385 sha1_starts (&ctx);
386 sha1_update (&ctx, k_opad, 64);
387 sha1_update (&ctx, tmpbuf, 20);
388 sha1_finish (&ctx, output);
389
390 memset (k_ipad, 0, 64);
391 memset (k_opad, 0, 64);
392 memset (tmpbuf, 0, 20);
393 memset (&ctx, 0, sizeof (sha1_context));
394 }
395
396 #ifdef SELF_TEST
397 /*
398 * FIPS-180-1 test vectors
399 */
400 static const char sha1_test_str[3][57] = {
401 {"abc"},
402 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
403 {""}
404 };
405
406 static const unsigned char sha1_test_sum[3][20] = {
407 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
408 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
409 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
410 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
411 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
412 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
413 };
414
415 /*
416 * Checkup routine
417 */
sha1_self_test(void)418 int sha1_self_test (void)
419 {
420 int i, j;
421 unsigned char buf[1000];
422 unsigned char sha1sum[20];
423 sha1_context ctx;
424
425 for (i = 0; i < 3; i++) {
426 printf (" SHA-1 test #%d: ", i + 1);
427
428 sha1_starts (&ctx);
429
430 if (i < 2)
431 sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
432 strlen (sha1_test_str[i]));
433 else {
434 memset (buf, 'a', 1000);
435 for (j = 0; j < 1000; j++)
436 sha1_update (&ctx, buf, 1000);
437 }
438
439 sha1_finish (&ctx, sha1sum);
440
441 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
442 printf ("failed\n");
443 return (1);
444 }
445
446 printf ("passed\n");
447 }
448
449 printf ("\n");
450 return (0);
451 }
452 #else
sha1_self_test(void)453 int sha1_self_test (void)
454 {
455 return (0);
456 }
457 #endif
458