xref: /openbmc/u-boot/lib/sha1.c (revision a5c289b9bca3805fa35e42f389dc8225c6b916be) 
1  /*
2   *  Heiko Schocher, DENX Software Engineering, hs@denx.de.
3   *  based on:
4   *  FIPS-180-1 compliant SHA-1 implementation
5   *
6   *  Copyright (C) 2003-2006  Christophe Devine
7   *
8   * SPDX-License-Identifier:	LGPL-2.1
9   */
10  /*
11   *  The SHA-1 standard was published by NIST in 1993.
12   *
13   *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
14   */
15  
16  #ifndef _CRT_SECURE_NO_DEPRECATE
17  #define _CRT_SECURE_NO_DEPRECATE 1
18  #endif
19  
20  #ifndef USE_HOSTCC
21  #include <common.h>
22  #include <linux/string.h>
23  #else
24  #include <string.h>
25  #endif /* USE_HOSTCC */
26  #include <watchdog.h>
27  #include <u-boot/sha1.h>
28  
29  /*
30   * 32-bit integer manipulation macros (big endian)
31   */
32  #ifndef GET_UINT32_BE
33  #define GET_UINT32_BE(n,b,i) {				\
34  	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
35  	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
36  	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
37  	    | ( (unsigned long) (b)[(i) + 3]       );	\
38  }
39  #endif
40  #ifndef PUT_UINT32_BE
41  #define PUT_UINT32_BE(n,b,i) {				\
42  	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
43  	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
44  	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
45  	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
46  }
47  #endif
48  
49  /*
50   * SHA-1 context setup
51   */
52  void sha1_starts (sha1_context * ctx)
53  {
54  	ctx->total[0] = 0;
55  	ctx->total[1] = 0;
56  
57  	ctx->state[0] = 0x67452301;
58  	ctx->state[1] = 0xEFCDAB89;
59  	ctx->state[2] = 0x98BADCFE;
60  	ctx->state[3] = 0x10325476;
61  	ctx->state[4] = 0xC3D2E1F0;
62  }
63  
64  static void sha1_process(sha1_context *ctx, const unsigned char data[64])
65  {
66  	unsigned long temp, W[16], A, B, C, D, E;
67  
68  	GET_UINT32_BE (W[0], data, 0);
69  	GET_UINT32_BE (W[1], data, 4);
70  	GET_UINT32_BE (W[2], data, 8);
71  	GET_UINT32_BE (W[3], data, 12);
72  	GET_UINT32_BE (W[4], data, 16);
73  	GET_UINT32_BE (W[5], data, 20);
74  	GET_UINT32_BE (W[6], data, 24);
75  	GET_UINT32_BE (W[7], data, 28);
76  	GET_UINT32_BE (W[8], data, 32);
77  	GET_UINT32_BE (W[9], data, 36);
78  	GET_UINT32_BE (W[10], data, 40);
79  	GET_UINT32_BE (W[11], data, 44);
80  	GET_UINT32_BE (W[12], data, 48);
81  	GET_UINT32_BE (W[13], data, 52);
82  	GET_UINT32_BE (W[14], data, 56);
83  	GET_UINT32_BE (W[15], data, 60);
84  
85  #define S(x,n)	((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
86  
87  #define R(t) (						\
88  	temp = W[(t -  3) & 0x0F] ^ W[(t - 8) & 0x0F] ^	\
89  	       W[(t - 14) & 0x0F] ^ W[ t      & 0x0F],	\
90  	( W[t & 0x0F] = S(temp,1) )			\
91  )
92  
93  #define P(a,b,c,d,e,x)	{				\
94  	e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);	\
95  }
96  
97  	A = ctx->state[0];
98  	B = ctx->state[1];
99  	C = ctx->state[2];
100  	D = ctx->state[3];
101  	E = ctx->state[4];
102  
103  #define F(x,y,z) (z ^ (x & (y ^ z)))
104  #define K 0x5A827999
105  
106  	P (A, B, C, D, E, W[0]);
107  	P (E, A, B, C, D, W[1]);
108  	P (D, E, A, B, C, W[2]);
109  	P (C, D, E, A, B, W[3]);
110  	P (B, C, D, E, A, W[4]);
111  	P (A, B, C, D, E, W[5]);
112  	P (E, A, B, C, D, W[6]);
113  	P (D, E, A, B, C, W[7]);
114  	P (C, D, E, A, B, W[8]);
115  	P (B, C, D, E, A, W[9]);
116  	P (A, B, C, D, E, W[10]);
117  	P (E, A, B, C, D, W[11]);
118  	P (D, E, A, B, C, W[12]);
119  	P (C, D, E, A, B, W[13]);
120  	P (B, C, D, E, A, W[14]);
121  	P (A, B, C, D, E, W[15]);
122  	P (E, A, B, C, D, R (16));
123  	P (D, E, A, B, C, R (17));
124  	P (C, D, E, A, B, R (18));
125  	P (B, C, D, E, A, R (19));
126  
127  #undef K
128  #undef F
129  
130  #define F(x,y,z) (x ^ y ^ z)
131  #define K 0x6ED9EBA1
132  
133  	P (A, B, C, D, E, R (20));
134  	P (E, A, B, C, D, R (21));
135  	P (D, E, A, B, C, R (22));
136  	P (C, D, E, A, B, R (23));
137  	P (B, C, D, E, A, R (24));
138  	P (A, B, C, D, E, R (25));
139  	P (E, A, B, C, D, R (26));
140  	P (D, E, A, B, C, R (27));
141  	P (C, D, E, A, B, R (28));
142  	P (B, C, D, E, A, R (29));
143  	P (A, B, C, D, E, R (30));
144  	P (E, A, B, C, D, R (31));
145  	P (D, E, A, B, C, R (32));
146  	P (C, D, E, A, B, R (33));
147  	P (B, C, D, E, A, R (34));
148  	P (A, B, C, D, E, R (35));
149  	P (E, A, B, C, D, R (36));
150  	P (D, E, A, B, C, R (37));
151  	P (C, D, E, A, B, R (38));
152  	P (B, C, D, E, A, R (39));
153  
154  #undef K
155  #undef F
156  
157  #define F(x,y,z) ((x & y) | (z & (x | y)))
158  #define K 0x8F1BBCDC
159  
160  	P (A, B, C, D, E, R (40));
161  	P (E, A, B, C, D, R (41));
162  	P (D, E, A, B, C, R (42));
163  	P (C, D, E, A, B, R (43));
164  	P (B, C, D, E, A, R (44));
165  	P (A, B, C, D, E, R (45));
166  	P (E, A, B, C, D, R (46));
167  	P (D, E, A, B, C, R (47));
168  	P (C, D, E, A, B, R (48));
169  	P (B, C, D, E, A, R (49));
170  	P (A, B, C, D, E, R (50));
171  	P (E, A, B, C, D, R (51));
172  	P (D, E, A, B, C, R (52));
173  	P (C, D, E, A, B, R (53));
174  	P (B, C, D, E, A, R (54));
175  	P (A, B, C, D, E, R (55));
176  	P (E, A, B, C, D, R (56));
177  	P (D, E, A, B, C, R (57));
178  	P (C, D, E, A, B, R (58));
179  	P (B, C, D, E, A, R (59));
180  
181  #undef K
182  #undef F
183  
184  #define F(x,y,z) (x ^ y ^ z)
185  #define K 0xCA62C1D6
186  
187  	P (A, B, C, D, E, R (60));
188  	P (E, A, B, C, D, R (61));
189  	P (D, E, A, B, C, R (62));
190  	P (C, D, E, A, B, R (63));
191  	P (B, C, D, E, A, R (64));
192  	P (A, B, C, D, E, R (65));
193  	P (E, A, B, C, D, R (66));
194  	P (D, E, A, B, C, R (67));
195  	P (C, D, E, A, B, R (68));
196  	P (B, C, D, E, A, R (69));
197  	P (A, B, C, D, E, R (70));
198  	P (E, A, B, C, D, R (71));
199  	P (D, E, A, B, C, R (72));
200  	P (C, D, E, A, B, R (73));
201  	P (B, C, D, E, A, R (74));
202  	P (A, B, C, D, E, R (75));
203  	P (E, A, B, C, D, R (76));
204  	P (D, E, A, B, C, R (77));
205  	P (C, D, E, A, B, R (78));
206  	P (B, C, D, E, A, R (79));
207  
208  #undef K
209  #undef F
210  
211  	ctx->state[0] += A;
212  	ctx->state[1] += B;
213  	ctx->state[2] += C;
214  	ctx->state[3] += D;
215  	ctx->state[4] += E;
216  }
217  
218  /*
219   * SHA-1 process buffer
220   */
221  void sha1_update(sha1_context *ctx, const unsigned char *input,
222  		 unsigned int ilen)
223  {
224  	int fill;
225  	unsigned long left;
226  
227  	if (ilen <= 0)
228  		return;
229  
230  	left = ctx->total[0] & 0x3F;
231  	fill = 64 - left;
232  
233  	ctx->total[0] += ilen;
234  	ctx->total[0] &= 0xFFFFFFFF;
235  
236  	if (ctx->total[0] < (unsigned long) ilen)
237  		ctx->total[1]++;
238  
239  	if (left && ilen >= fill) {
240  		memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
241  		sha1_process (ctx, ctx->buffer);
242  		input += fill;
243  		ilen -= fill;
244  		left = 0;
245  	}
246  
247  	while (ilen >= 64) {
248  		sha1_process (ctx, input);
249  		input += 64;
250  		ilen -= 64;
251  	}
252  
253  	if (ilen > 0) {
254  		memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
255  	}
256  }
257  
258  static const unsigned char sha1_padding[64] = {
259  	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
260  	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261  	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
262  	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
263  };
264  
265  /*
266   * SHA-1 final digest
267   */
268  void sha1_finish (sha1_context * ctx, unsigned char output[20])
269  {
270  	unsigned long last, padn;
271  	unsigned long high, low;
272  	unsigned char msglen[8];
273  
274  	high = (ctx->total[0] >> 29)
275  		| (ctx->total[1] << 3);
276  	low = (ctx->total[0] << 3);
277  
278  	PUT_UINT32_BE (high, msglen, 0);
279  	PUT_UINT32_BE (low, msglen, 4);
280  
281  	last = ctx->total[0] & 0x3F;
282  	padn = (last < 56) ? (56 - last) : (120 - last);
283  
284  	sha1_update (ctx, (unsigned char *) sha1_padding, padn);
285  	sha1_update (ctx, msglen, 8);
286  
287  	PUT_UINT32_BE (ctx->state[0], output, 0);
288  	PUT_UINT32_BE (ctx->state[1], output, 4);
289  	PUT_UINT32_BE (ctx->state[2], output, 8);
290  	PUT_UINT32_BE (ctx->state[3], output, 12);
291  	PUT_UINT32_BE (ctx->state[4], output, 16);
292  }
293  
294  /*
295   * Output = SHA-1( input buffer )
296   */
297  void sha1_csum(const unsigned char *input, unsigned int ilen,
298  	       unsigned char *output)
299  {
300  	sha1_context ctx;
301  
302  	sha1_starts (&ctx);
303  	sha1_update (&ctx, input, ilen);
304  	sha1_finish (&ctx, output);
305  }
306  
307  /*
308   * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
309   * bytes of input processed.
310   */
311  void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
312  		  unsigned char *output, unsigned int chunk_sz)
313  {
314  	sha1_context ctx;
315  #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
316  	const unsigned char *end, *curr;
317  	int chunk;
318  #endif
319  
320  	sha1_starts (&ctx);
321  
322  #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
323  	curr = input;
324  	end = input + ilen;
325  	while (curr < end) {
326  		chunk = end - curr;
327  		if (chunk > chunk_sz)
328  			chunk = chunk_sz;
329  		sha1_update (&ctx, curr, chunk);
330  		curr += chunk;
331  		WATCHDOG_RESET ();
332  	}
333  #else
334  	sha1_update (&ctx, input, ilen);
335  #endif
336  
337  	sha1_finish (&ctx, output);
338  }
339  
340  /*
341   * Output = HMAC-SHA-1( input buffer, hmac key )
342   */
343  void sha1_hmac(const unsigned char *key, int keylen,
344  	       const unsigned char *input, unsigned int ilen,
345  	       unsigned char *output)
346  {
347  	int i;
348  	sha1_context ctx;
349  	unsigned char k_ipad[64];
350  	unsigned char k_opad[64];
351  	unsigned char tmpbuf[20];
352  
353  	memset (k_ipad, 0x36, 64);
354  	memset (k_opad, 0x5C, 64);
355  
356  	for (i = 0; i < keylen; i++) {
357  		if (i >= 64)
358  			break;
359  
360  		k_ipad[i] ^= key[i];
361  		k_opad[i] ^= key[i];
362  	}
363  
364  	sha1_starts (&ctx);
365  	sha1_update (&ctx, k_ipad, 64);
366  	sha1_update (&ctx, input, ilen);
367  	sha1_finish (&ctx, tmpbuf);
368  
369  	sha1_starts (&ctx);
370  	sha1_update (&ctx, k_opad, 64);
371  	sha1_update (&ctx, tmpbuf, 20);
372  	sha1_finish (&ctx, output);
373  
374  	memset (k_ipad, 0, 64);
375  	memset (k_opad, 0, 64);
376  	memset (tmpbuf, 0, 20);
377  	memset (&ctx, 0, sizeof (sha1_context));
378  }
379  
380  #ifdef SELF_TEST
381  /*
382   * FIPS-180-1 test vectors
383   */
384  static const char sha1_test_str[3][57] = {
385  	{"abc"},
386  	{"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
387  	{""}
388  };
389  
390  static const unsigned char sha1_test_sum[3][20] = {
391  	{0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
392  	 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
393  	{0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
394  	 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
395  	{0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
396  	 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
397  };
398  
399  /*
400   * Checkup routine
401   */
402  int sha1_self_test (void)
403  {
404  	int i, j;
405  	unsigned char buf[1000];
406  	unsigned char sha1sum[20];
407  	sha1_context ctx;
408  
409  	for (i = 0; i < 3; i++) {
410  		printf ("  SHA-1 test #%d: ", i + 1);
411  
412  		sha1_starts (&ctx);
413  
414  		if (i < 2)
415  			sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
416  				     strlen (sha1_test_str[i]));
417  		else {
418  			memset (buf, 'a', 1000);
419  			for (j = 0; j < 1000; j++)
420  				sha1_update (&ctx, buf, 1000);
421  		}
422  
423  		sha1_finish (&ctx, sha1sum);
424  
425  		if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
426  			printf ("failed\n");
427  			return (1);
428  		}
429  
430  		printf ("passed\n");
431  	}
432  
433  	printf ("\n");
434  	return (0);
435  }
436  #else
437  int sha1_self_test (void)
438  {
439  	return (0);
440  }
441  #endif
442