1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3 * Heiko Schocher, DENX Software Engineering, hs@denx.de.
4 * based on:
5 * FIPS-180-1 compliant SHA-1 implementation
6 *
7 * Copyright (C) 2003-2006 Christophe Devine
8 */
9 /*
10 * The SHA-1 standard was published by NIST in 1993.
11 *
12 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
13 */
14
15 #ifndef _CRT_SECURE_NO_DEPRECATE
16 #define _CRT_SECURE_NO_DEPRECATE 1
17 #endif
18
19 #ifndef USE_HOSTCC
20 #include <u-boot/schedule.h>
21 #endif /* USE_HOSTCC */
22 #include <string.h>
23 #include <u-boot/sha1.h>
24
25 #include <linux/compiler_attributes.h>
26
27 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
28 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
29 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
30 };
31
32 /*
33 * 32-bit integer manipulation macros (big endian)
34 */
35 #ifndef GET_UINT32_BE
36 #define GET_UINT32_BE(n,b,i) { \
37 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
38 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
39 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
40 | ( (unsigned long) (b)[(i) + 3] ); \
41 }
42 #endif
43 #ifndef PUT_UINT32_BE
44 #define PUT_UINT32_BE(n,b,i) { \
45 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
46 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
47 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
48 (b)[(i) + 3] = (unsigned char) ( (n) ); \
49 }
50 #endif
51
52 /*
53 * SHA-1 context setup
54 */
sha1_starts(sha1_context * ctx)55 void sha1_starts (sha1_context * ctx)
56 {
57 ctx->total[0] = 0;
58 ctx->total[1] = 0;
59
60 ctx->state[0] = 0x67452301;
61 ctx->state[1] = 0xEFCDAB89;
62 ctx->state[2] = 0x98BADCFE;
63 ctx->state[3] = 0x10325476;
64 ctx->state[4] = 0xC3D2E1F0;
65 }
66
sha1_process_one(sha1_context * ctx,const unsigned char data[64])67 static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64])
68 {
69 unsigned long temp, W[16], A, B, C, D, E;
70
71 GET_UINT32_BE (W[0], data, 0);
72 GET_UINT32_BE (W[1], data, 4);
73 GET_UINT32_BE (W[2], data, 8);
74 GET_UINT32_BE (W[3], data, 12);
75 GET_UINT32_BE (W[4], data, 16);
76 GET_UINT32_BE (W[5], data, 20);
77 GET_UINT32_BE (W[6], data, 24);
78 GET_UINT32_BE (W[7], data, 28);
79 GET_UINT32_BE (W[8], data, 32);
80 GET_UINT32_BE (W[9], data, 36);
81 GET_UINT32_BE (W[10], data, 40);
82 GET_UINT32_BE (W[11], data, 44);
83 GET_UINT32_BE (W[12], data, 48);
84 GET_UINT32_BE (W[13], data, 52);
85 GET_UINT32_BE (W[14], data, 56);
86 GET_UINT32_BE (W[15], data, 60);
87
88 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
89
90 #define R(t) ( \
91 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
92 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \
93 ( W[t & 0x0F] = S(temp,1) ) \
94 )
95
96 #define P(a,b,c,d,e,x) { \
97 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
98 }
99
100 A = ctx->state[0];
101 B = ctx->state[1];
102 C = ctx->state[2];
103 D = ctx->state[3];
104 E = ctx->state[4];
105
106 #define F(x,y,z) (z ^ (x & (y ^ z)))
107 #define K 0x5A827999
108
109 P (A, B, C, D, E, W[0]);
110 P (E, A, B, C, D, W[1]);
111 P (D, E, A, B, C, W[2]);
112 P (C, D, E, A, B, W[3]);
113 P (B, C, D, E, A, W[4]);
114 P (A, B, C, D, E, W[5]);
115 P (E, A, B, C, D, W[6]);
116 P (D, E, A, B, C, W[7]);
117 P (C, D, E, A, B, W[8]);
118 P (B, C, D, E, A, W[9]);
119 P (A, B, C, D, E, W[10]);
120 P (E, A, B, C, D, W[11]);
121 P (D, E, A, B, C, W[12]);
122 P (C, D, E, A, B, W[13]);
123 P (B, C, D, E, A, W[14]);
124 P (A, B, C, D, E, W[15]);
125 P (E, A, B, C, D, R (16));
126 P (D, E, A, B, C, R (17));
127 P (C, D, E, A, B, R (18));
128 P (B, C, D, E, A, R (19));
129
130 #undef K
131 #undef F
132
133 #define F(x,y,z) (x ^ y ^ z)
134 #define K 0x6ED9EBA1
135
136 P (A, B, C, D, E, R (20));
137 P (E, A, B, C, D, R (21));
138 P (D, E, A, B, C, R (22));
139 P (C, D, E, A, B, R (23));
140 P (B, C, D, E, A, R (24));
141 P (A, B, C, D, E, R (25));
142 P (E, A, B, C, D, R (26));
143 P (D, E, A, B, C, R (27));
144 P (C, D, E, A, B, R (28));
145 P (B, C, D, E, A, R (29));
146 P (A, B, C, D, E, R (30));
147 P (E, A, B, C, D, R (31));
148 P (D, E, A, B, C, R (32));
149 P (C, D, E, A, B, R (33));
150 P (B, C, D, E, A, R (34));
151 P (A, B, C, D, E, R (35));
152 P (E, A, B, C, D, R (36));
153 P (D, E, A, B, C, R (37));
154 P (C, D, E, A, B, R (38));
155 P (B, C, D, E, A, R (39));
156
157 #undef K
158 #undef F
159
160 #define F(x,y,z) ((x & y) | (z & (x | y)))
161 #define K 0x8F1BBCDC
162
163 P (A, B, C, D, E, R (40));
164 P (E, A, B, C, D, R (41));
165 P (D, E, A, B, C, R (42));
166 P (C, D, E, A, B, R (43));
167 P (B, C, D, E, A, R (44));
168 P (A, B, C, D, E, R (45));
169 P (E, A, B, C, D, R (46));
170 P (D, E, A, B, C, R (47));
171 P (C, D, E, A, B, R (48));
172 P (B, C, D, E, A, R (49));
173 P (A, B, C, D, E, R (50));
174 P (E, A, B, C, D, R (51));
175 P (D, E, A, B, C, R (52));
176 P (C, D, E, A, B, R (53));
177 P (B, C, D, E, A, R (54));
178 P (A, B, C, D, E, R (55));
179 P (E, A, B, C, D, R (56));
180 P (D, E, A, B, C, R (57));
181 P (C, D, E, A, B, R (58));
182 P (B, C, D, E, A, R (59));
183
184 #undef K
185 #undef F
186
187 #define F(x,y,z) (x ^ y ^ z)
188 #define K 0xCA62C1D6
189
190 P (A, B, C, D, E, R (60));
191 P (E, A, B, C, D, R (61));
192 P (D, E, A, B, C, R (62));
193 P (C, D, E, A, B, R (63));
194 P (B, C, D, E, A, R (64));
195 P (A, B, C, D, E, R (65));
196 P (E, A, B, C, D, R (66));
197 P (D, E, A, B, C, R (67));
198 P (C, D, E, A, B, R (68));
199 P (B, C, D, E, A, R (69));
200 P (A, B, C, D, E, R (70));
201 P (E, A, B, C, D, R (71));
202 P (D, E, A, B, C, R (72));
203 P (C, D, E, A, B, R (73));
204 P (B, C, D, E, A, R (74));
205 P (A, B, C, D, E, R (75));
206 P (E, A, B, C, D, R (76));
207 P (D, E, A, B, C, R (77));
208 P (C, D, E, A, B, R (78));
209 P (B, C, D, E, A, R (79));
210
211 #undef K
212 #undef F
213
214 ctx->state[0] += A;
215 ctx->state[1] += B;
216 ctx->state[2] += C;
217 ctx->state[3] += D;
218 ctx->state[4] += E;
219 }
220
sha1_process(sha1_context * ctx,const unsigned char * data,unsigned int blocks)221 __weak void sha1_process(sha1_context *ctx, const unsigned char *data,
222 unsigned int blocks)
223 {
224 if (!blocks)
225 return;
226
227 while (blocks--) {
228 sha1_process_one(ctx, data);
229 data += 64;
230 }
231 }
232
233 /*
234 * SHA-1 process buffer
235 */
sha1_update(sha1_context * ctx,const unsigned char * input,unsigned int ilen)236 void sha1_update(sha1_context *ctx, const unsigned char *input,
237 unsigned int ilen)
238 {
239 int fill;
240 unsigned long left;
241
242 if (ilen <= 0)
243 return;
244
245 left = ctx->total[0] & 0x3F;
246 fill = 64 - left;
247
248 ctx->total[0] += ilen;
249 ctx->total[0] &= 0xFFFFFFFF;
250
251 if (ctx->total[0] < (unsigned long) ilen)
252 ctx->total[1]++;
253
254 if (left && ilen >= fill) {
255 memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
256 sha1_process(ctx, ctx->buffer, 1);
257 input += fill;
258 ilen -= fill;
259 left = 0;
260 }
261
262 sha1_process(ctx, input, ilen / 64);
263 input += ilen / 64 * 64;
264 ilen = ilen % 64;
265
266 if (ilen > 0) {
267 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
268 }
269 }
270
271 static const unsigned char sha1_padding[64] = {
272 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
273 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
274 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
275 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
276 };
277
278 /*
279 * SHA-1 final digest
280 */
sha1_finish(sha1_context * ctx,unsigned char output[20])281 void sha1_finish (sha1_context * ctx, unsigned char output[20])
282 {
283 unsigned long last, padn;
284 unsigned long high, low;
285 unsigned char msglen[8];
286
287 high = (ctx->total[0] >> 29)
288 | (ctx->total[1] << 3);
289 low = (ctx->total[0] << 3);
290
291 PUT_UINT32_BE (high, msglen, 0);
292 PUT_UINT32_BE (low, msglen, 4);
293
294 last = ctx->total[0] & 0x3F;
295 padn = (last < 56) ? (56 - last) : (120 - last);
296
297 sha1_update (ctx, (unsigned char *) sha1_padding, padn);
298 sha1_update (ctx, msglen, 8);
299
300 PUT_UINT32_BE (ctx->state[0], output, 0);
301 PUT_UINT32_BE (ctx->state[1], output, 4);
302 PUT_UINT32_BE (ctx->state[2], output, 8);
303 PUT_UINT32_BE (ctx->state[3], output, 12);
304 PUT_UINT32_BE (ctx->state[4], output, 16);
305 }
306
307 /*
308 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
309 * bytes of input processed.
310 */
sha1_csum_wd(const unsigned char * input,unsigned int ilen,unsigned char * output,unsigned int chunk_sz)311 void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
312 unsigned char *output, unsigned int chunk_sz)
313 {
314 sha1_context ctx;
315 #if !defined(USE_HOSTCC) && \
316 (defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG))
317 const unsigned char *end, *curr;
318 int chunk;
319 #endif
320
321 sha1_starts (&ctx);
322
323 #if !defined(USE_HOSTCC) && \
324 (defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG))
325 curr = input;
326 end = input + ilen;
327 while (curr < end) {
328 chunk = end - curr;
329 if (chunk > chunk_sz)
330 chunk = chunk_sz;
331 sha1_update (&ctx, curr, chunk);
332 curr += chunk;
333 schedule();
334 }
335 #else
336 sha1_update (&ctx, input, ilen);
337 #endif
338
339 sha1_finish (&ctx, output);
340 }
341
342 /*
343 * Output = HMAC-SHA-1( input buffer, hmac key )
344 */
sha1_hmac(const unsigned char * key,int keylen,const unsigned char * input,unsigned int ilen,unsigned char * output)345 void sha1_hmac(const unsigned char *key, int keylen,
346 const unsigned char *input, unsigned int ilen,
347 unsigned char *output)
348 {
349 int i;
350 sha1_context ctx;
351 unsigned char k_ipad[64];
352 unsigned char k_opad[64];
353 unsigned char tmpbuf[20];
354
355 memset (k_ipad, 0x36, 64);
356 memset (k_opad, 0x5C, 64);
357
358 for (i = 0; i < keylen; i++) {
359 if (i >= 64)
360 break;
361
362 k_ipad[i] ^= key[i];
363 k_opad[i] ^= key[i];
364 }
365
366 sha1_starts (&ctx);
367 sha1_update (&ctx, k_ipad, 64);
368 sha1_update (&ctx, input, ilen);
369 sha1_finish (&ctx, tmpbuf);
370
371 sha1_starts (&ctx);
372 sha1_update (&ctx, k_opad, 64);
373 sha1_update (&ctx, tmpbuf, 20);
374 sha1_finish (&ctx, output);
375
376 memset (k_ipad, 0, 64);
377 memset (k_opad, 0, 64);
378 memset (tmpbuf, 0, 20);
379 memset (&ctx, 0, sizeof (sha1_context));
380 }
381
382 #ifdef SELF_TEST
383 /*
384 * FIPS-180-1 test vectors
385 */
386 static const char sha1_test_str[3][57] = {
387 {"abc"},
388 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
389 {""}
390 };
391
392 static const unsigned char sha1_test_sum[3][20] = {
393 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
394 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
395 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
396 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
397 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
398 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
399 };
400
401 /*
402 * Checkup routine
403 */
sha1_self_test(void)404 int sha1_self_test (void)
405 {
406 int i, j;
407 unsigned char buf[1000];
408 unsigned char sha1sum[20];
409 sha1_context ctx;
410
411 for (i = 0; i < 3; i++) {
412 printf (" SHA-1 test #%d: ", i + 1);
413
414 sha1_starts (&ctx);
415
416 if (i < 2)
417 sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
418 strlen (sha1_test_str[i]));
419 else {
420 memset (buf, 'a', 1000);
421 for (j = 0; j < 1000; j++)
422 sha1_update (&ctx, buf, 1000);
423 }
424
425 sha1_finish (&ctx, sha1sum);
426
427 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
428 printf ("failed\n");
429 return (1);
430 }
431
432 printf ("passed\n");
433 }
434
435 printf ("\n");
436 return (0);
437 }
438 #else
sha1_self_test(void)439 int sha1_self_test (void)
440 {
441 return (0);
442 }
443 #endif
444