1 /* 2 * Heiko Schocher, DENX Software Engineering, hs@denx.de. 3 * based on: 4 * FIPS-180-1 compliant SHA-1 implementation 5 * 6 * Copyright (C) 2003-2006 Christophe Devine 7 * 8 * SPDX-License-Identifier: LGPL-2.1 9 */ 10 /* 11 * The SHA-1 standard was published by NIST in 1993. 12 * 13 * http://www.itl.nist.gov/fipspubs/fip180-1.htm 14 */ 15 16 #ifndef _CRT_SECURE_NO_DEPRECATE 17 #define _CRT_SECURE_NO_DEPRECATE 1 18 #endif 19 20 #ifndef USE_HOSTCC 21 #include <common.h> 22 #include <linux/string.h> 23 #else 24 #include <string.h> 25 #endif /* USE_HOSTCC */ 26 #include <watchdog.h> 27 #include <u-boot/sha1.h> 28 29 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = { 30 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 31 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 32 }; 33 34 /* 35 * 32-bit integer manipulation macros (big endian) 36 */ 37 #ifndef GET_UINT32_BE 38 #define GET_UINT32_BE(n,b,i) { \ 39 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \ 40 | ( (unsigned long) (b)[(i) + 1] << 16 ) \ 41 | ( (unsigned long) (b)[(i) + 2] << 8 ) \ 42 | ( (unsigned long) (b)[(i) + 3] ); \ 43 } 44 #endif 45 #ifndef PUT_UINT32_BE 46 #define PUT_UINT32_BE(n,b,i) { \ 47 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 48 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 49 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 50 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 51 } 52 #endif 53 54 /* 55 * SHA-1 context setup 56 */ 57 void sha1_starts (sha1_context * ctx) 58 { 59 ctx->total[0] = 0; 60 ctx->total[1] = 0; 61 62 ctx->state[0] = 0x67452301; 63 ctx->state[1] = 0xEFCDAB89; 64 ctx->state[2] = 0x98BADCFE; 65 ctx->state[3] = 0x10325476; 66 ctx->state[4] = 0xC3D2E1F0; 67 } 68 69 static void sha1_process(sha1_context *ctx, const unsigned char data[64]) 70 { 71 unsigned long temp, W[16], A, B, C, D, E; 72 73 GET_UINT32_BE (W[0], data, 0); 74 GET_UINT32_BE (W[1], data, 4); 75 GET_UINT32_BE (W[2], data, 8); 76 GET_UINT32_BE (W[3], data, 12); 77 GET_UINT32_BE (W[4], data, 16); 78 GET_UINT32_BE (W[5], data, 20); 79 GET_UINT32_BE (W[6], data, 24); 80 GET_UINT32_BE (W[7], data, 28); 81 GET_UINT32_BE (W[8], data, 32); 82 GET_UINT32_BE (W[9], data, 36); 83 GET_UINT32_BE (W[10], data, 40); 84 GET_UINT32_BE (W[11], data, 44); 85 GET_UINT32_BE (W[12], data, 48); 86 GET_UINT32_BE (W[13], data, 52); 87 GET_UINT32_BE (W[14], data, 56); 88 GET_UINT32_BE (W[15], data, 60); 89 90 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) 91 92 #define R(t) ( \ 93 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \ 94 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \ 95 ( W[t & 0x0F] = S(temp,1) ) \ 96 ) 97 98 #define P(a,b,c,d,e,x) { \ 99 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \ 100 } 101 102 A = ctx->state[0]; 103 B = ctx->state[1]; 104 C = ctx->state[2]; 105 D = ctx->state[3]; 106 E = ctx->state[4]; 107 108 #define F(x,y,z) (z ^ (x & (y ^ z))) 109 #define K 0x5A827999 110 111 P (A, B, C, D, E, W[0]); 112 P (E, A, B, C, D, W[1]); 113 P (D, E, A, B, C, W[2]); 114 P (C, D, E, A, B, W[3]); 115 P (B, C, D, E, A, W[4]); 116 P (A, B, C, D, E, W[5]); 117 P (E, A, B, C, D, W[6]); 118 P (D, E, A, B, C, W[7]); 119 P (C, D, E, A, B, W[8]); 120 P (B, C, D, E, A, W[9]); 121 P (A, B, C, D, E, W[10]); 122 P (E, A, B, C, D, W[11]); 123 P (D, E, A, B, C, W[12]); 124 P (C, D, E, A, B, W[13]); 125 P (B, C, D, E, A, W[14]); 126 P (A, B, C, D, E, W[15]); 127 P (E, A, B, C, D, R (16)); 128 P (D, E, A, B, C, R (17)); 129 P (C, D, E, A, B, R (18)); 130 P (B, C, D, E, A, R (19)); 131 132 #undef K 133 #undef F 134 135 #define F(x,y,z) (x ^ y ^ z) 136 #define K 0x6ED9EBA1 137 138 P (A, B, C, D, E, R (20)); 139 P (E, A, B, C, D, R (21)); 140 P (D, E, A, B, C, R (22)); 141 P (C, D, E, A, B, R (23)); 142 P (B, C, D, E, A, R (24)); 143 P (A, B, C, D, E, R (25)); 144 P (E, A, B, C, D, R (26)); 145 P (D, E, A, B, C, R (27)); 146 P (C, D, E, A, B, R (28)); 147 P (B, C, D, E, A, R (29)); 148 P (A, B, C, D, E, R (30)); 149 P (E, A, B, C, D, R (31)); 150 P (D, E, A, B, C, R (32)); 151 P (C, D, E, A, B, R (33)); 152 P (B, C, D, E, A, R (34)); 153 P (A, B, C, D, E, R (35)); 154 P (E, A, B, C, D, R (36)); 155 P (D, E, A, B, C, R (37)); 156 P (C, D, E, A, B, R (38)); 157 P (B, C, D, E, A, R (39)); 158 159 #undef K 160 #undef F 161 162 #define F(x,y,z) ((x & y) | (z & (x | y))) 163 #define K 0x8F1BBCDC 164 165 P (A, B, C, D, E, R (40)); 166 P (E, A, B, C, D, R (41)); 167 P (D, E, A, B, C, R (42)); 168 P (C, D, E, A, B, R (43)); 169 P (B, C, D, E, A, R (44)); 170 P (A, B, C, D, E, R (45)); 171 P (E, A, B, C, D, R (46)); 172 P (D, E, A, B, C, R (47)); 173 P (C, D, E, A, B, R (48)); 174 P (B, C, D, E, A, R (49)); 175 P (A, B, C, D, E, R (50)); 176 P (E, A, B, C, D, R (51)); 177 P (D, E, A, B, C, R (52)); 178 P (C, D, E, A, B, R (53)); 179 P (B, C, D, E, A, R (54)); 180 P (A, B, C, D, E, R (55)); 181 P (E, A, B, C, D, R (56)); 182 P (D, E, A, B, C, R (57)); 183 P (C, D, E, A, B, R (58)); 184 P (B, C, D, E, A, R (59)); 185 186 #undef K 187 #undef F 188 189 #define F(x,y,z) (x ^ y ^ z) 190 #define K 0xCA62C1D6 191 192 P (A, B, C, D, E, R (60)); 193 P (E, A, B, C, D, R (61)); 194 P (D, E, A, B, C, R (62)); 195 P (C, D, E, A, B, R (63)); 196 P (B, C, D, E, A, R (64)); 197 P (A, B, C, D, E, R (65)); 198 P (E, A, B, C, D, R (66)); 199 P (D, E, A, B, C, R (67)); 200 P (C, D, E, A, B, R (68)); 201 P (B, C, D, E, A, R (69)); 202 P (A, B, C, D, E, R (70)); 203 P (E, A, B, C, D, R (71)); 204 P (D, E, A, B, C, R (72)); 205 P (C, D, E, A, B, R (73)); 206 P (B, C, D, E, A, R (74)); 207 P (A, B, C, D, E, R (75)); 208 P (E, A, B, C, D, R (76)); 209 P (D, E, A, B, C, R (77)); 210 P (C, D, E, A, B, R (78)); 211 P (B, C, D, E, A, R (79)); 212 213 #undef K 214 #undef F 215 216 ctx->state[0] += A; 217 ctx->state[1] += B; 218 ctx->state[2] += C; 219 ctx->state[3] += D; 220 ctx->state[4] += E; 221 } 222 223 /* 224 * SHA-1 process buffer 225 */ 226 void sha1_update(sha1_context *ctx, const unsigned char *input, 227 unsigned int ilen) 228 { 229 int fill; 230 unsigned long left; 231 232 if (ilen <= 0) 233 return; 234 235 left = ctx->total[0] & 0x3F; 236 fill = 64 - left; 237 238 ctx->total[0] += ilen; 239 ctx->total[0] &= 0xFFFFFFFF; 240 241 if (ctx->total[0] < (unsigned long) ilen) 242 ctx->total[1]++; 243 244 if (left && ilen >= fill) { 245 memcpy ((void *) (ctx->buffer + left), (void *) input, fill); 246 sha1_process (ctx, ctx->buffer); 247 input += fill; 248 ilen -= fill; 249 left = 0; 250 } 251 252 while (ilen >= 64) { 253 sha1_process (ctx, input); 254 input += 64; 255 ilen -= 64; 256 } 257 258 if (ilen > 0) { 259 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen); 260 } 261 } 262 263 static const unsigned char sha1_padding[64] = { 264 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 265 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 266 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 267 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 268 }; 269 270 /* 271 * SHA-1 final digest 272 */ 273 void sha1_finish (sha1_context * ctx, unsigned char output[20]) 274 { 275 unsigned long last, padn; 276 unsigned long high, low; 277 unsigned char msglen[8]; 278 279 high = (ctx->total[0] >> 29) 280 | (ctx->total[1] << 3); 281 low = (ctx->total[0] << 3); 282 283 PUT_UINT32_BE (high, msglen, 0); 284 PUT_UINT32_BE (low, msglen, 4); 285 286 last = ctx->total[0] & 0x3F; 287 padn = (last < 56) ? (56 - last) : (120 - last); 288 289 sha1_update (ctx, (unsigned char *) sha1_padding, padn); 290 sha1_update (ctx, msglen, 8); 291 292 PUT_UINT32_BE (ctx->state[0], output, 0); 293 PUT_UINT32_BE (ctx->state[1], output, 4); 294 PUT_UINT32_BE (ctx->state[2], output, 8); 295 PUT_UINT32_BE (ctx->state[3], output, 12); 296 PUT_UINT32_BE (ctx->state[4], output, 16); 297 } 298 299 /* 300 * Output = SHA-1( input buffer ) 301 */ 302 void sha1_csum(const unsigned char *input, unsigned int ilen, 303 unsigned char *output) 304 { 305 sha1_context ctx; 306 307 sha1_starts (&ctx); 308 sha1_update (&ctx, input, ilen); 309 sha1_finish (&ctx, output); 310 } 311 312 /* 313 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz' 314 * bytes of input processed. 315 */ 316 void sha1_csum_wd(const unsigned char *input, unsigned int ilen, 317 unsigned char *output, unsigned int chunk_sz) 318 { 319 sha1_context ctx; 320 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 321 const unsigned char *end, *curr; 322 int chunk; 323 #endif 324 325 sha1_starts (&ctx); 326 327 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 328 curr = input; 329 end = input + ilen; 330 while (curr < end) { 331 chunk = end - curr; 332 if (chunk > chunk_sz) 333 chunk = chunk_sz; 334 sha1_update (&ctx, curr, chunk); 335 curr += chunk; 336 WATCHDOG_RESET (); 337 } 338 #else 339 sha1_update (&ctx, input, ilen); 340 #endif 341 342 sha1_finish (&ctx, output); 343 } 344 345 /* 346 * Output = HMAC-SHA-1( input buffer, hmac key ) 347 */ 348 void sha1_hmac(const unsigned char *key, int keylen, 349 const unsigned char *input, unsigned int ilen, 350 unsigned char *output) 351 { 352 int i; 353 sha1_context ctx; 354 unsigned char k_ipad[64]; 355 unsigned char k_opad[64]; 356 unsigned char tmpbuf[20]; 357 358 memset (k_ipad, 0x36, 64); 359 memset (k_opad, 0x5C, 64); 360 361 for (i = 0; i < keylen; i++) { 362 if (i >= 64) 363 break; 364 365 k_ipad[i] ^= key[i]; 366 k_opad[i] ^= key[i]; 367 } 368 369 sha1_starts (&ctx); 370 sha1_update (&ctx, k_ipad, 64); 371 sha1_update (&ctx, input, ilen); 372 sha1_finish (&ctx, tmpbuf); 373 374 sha1_starts (&ctx); 375 sha1_update (&ctx, k_opad, 64); 376 sha1_update (&ctx, tmpbuf, 20); 377 sha1_finish (&ctx, output); 378 379 memset (k_ipad, 0, 64); 380 memset (k_opad, 0, 64); 381 memset (tmpbuf, 0, 20); 382 memset (&ctx, 0, sizeof (sha1_context)); 383 } 384 385 #ifdef SELF_TEST 386 /* 387 * FIPS-180-1 test vectors 388 */ 389 static const char sha1_test_str[3][57] = { 390 {"abc"}, 391 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"}, 392 {""} 393 }; 394 395 static const unsigned char sha1_test_sum[3][20] = { 396 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E, 397 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D}, 398 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE, 399 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1}, 400 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E, 401 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F} 402 }; 403 404 /* 405 * Checkup routine 406 */ 407 int sha1_self_test (void) 408 { 409 int i, j; 410 unsigned char buf[1000]; 411 unsigned char sha1sum[20]; 412 sha1_context ctx; 413 414 for (i = 0; i < 3; i++) { 415 printf (" SHA-1 test #%d: ", i + 1); 416 417 sha1_starts (&ctx); 418 419 if (i < 2) 420 sha1_update (&ctx, (unsigned char *) sha1_test_str[i], 421 strlen (sha1_test_str[i])); 422 else { 423 memset (buf, 'a', 1000); 424 for (j = 0; j < 1000; j++) 425 sha1_update (&ctx, buf, 1000); 426 } 427 428 sha1_finish (&ctx, sha1sum); 429 430 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) { 431 printf ("failed\n"); 432 return (1); 433 } 434 435 printf ("passed\n"); 436 } 437 438 printf ("\n"); 439 return (0); 440 } 441 #else 442 int sha1_self_test (void) 443 { 444 return (0); 445 } 446 #endif 447