xref: /openbmc/u-boot/lib/sha1.c (revision ae485b54)
1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3  *  Heiko Schocher, DENX Software Engineering, hs@denx.de.
4  *  based on:
5  *  FIPS-180-1 compliant SHA-1 implementation
6  *
7  *  Copyright (C) 2003-2006  Christophe Devine
8  */
9 /*
10  *  The SHA-1 standard was published by NIST in 1993.
11  *
12  *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
13  */
14 
15 #ifndef _CRT_SECURE_NO_DEPRECATE
16 #define _CRT_SECURE_NO_DEPRECATE 1
17 #endif
18 
19 #ifndef USE_HOSTCC
20 #include <common.h>
21 #include <linux/string.h>
22 #else
23 #include <string.h>
24 #endif /* USE_HOSTCC */
25 #include <watchdog.h>
26 #include <u-boot/sha1.h>
27 
28 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
29 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
30 	0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
31 };
32 
33 /*
34  * 32-bit integer manipulation macros (big endian)
35  */
36 #ifndef GET_UINT32_BE
37 #define GET_UINT32_BE(n,b,i) {				\
38 	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
39 	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
40 	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
41 	    | ( (unsigned long) (b)[(i) + 3]       );	\
42 }
43 #endif
44 #ifndef PUT_UINT32_BE
45 #define PUT_UINT32_BE(n,b,i) {				\
46 	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
47 	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
48 	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
49 	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
50 }
51 #endif
52 
53 /*
54  * SHA-1 context setup
55  */
56 void sha1_starts (sha1_context * ctx)
57 {
58 	ctx->total[0] = 0;
59 	ctx->total[1] = 0;
60 
61 	ctx->state[0] = 0x67452301;
62 	ctx->state[1] = 0xEFCDAB89;
63 	ctx->state[2] = 0x98BADCFE;
64 	ctx->state[3] = 0x10325476;
65 	ctx->state[4] = 0xC3D2E1F0;
66 }
67 
68 static void sha1_process(sha1_context *ctx, const unsigned char data[64])
69 {
70 	unsigned long temp, W[16], A, B, C, D, E;
71 
72 	GET_UINT32_BE (W[0], data, 0);
73 	GET_UINT32_BE (W[1], data, 4);
74 	GET_UINT32_BE (W[2], data, 8);
75 	GET_UINT32_BE (W[3], data, 12);
76 	GET_UINT32_BE (W[4], data, 16);
77 	GET_UINT32_BE (W[5], data, 20);
78 	GET_UINT32_BE (W[6], data, 24);
79 	GET_UINT32_BE (W[7], data, 28);
80 	GET_UINT32_BE (W[8], data, 32);
81 	GET_UINT32_BE (W[9], data, 36);
82 	GET_UINT32_BE (W[10], data, 40);
83 	GET_UINT32_BE (W[11], data, 44);
84 	GET_UINT32_BE (W[12], data, 48);
85 	GET_UINT32_BE (W[13], data, 52);
86 	GET_UINT32_BE (W[14], data, 56);
87 	GET_UINT32_BE (W[15], data, 60);
88 
89 #define S(x,n)	((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
90 
91 #define R(t) (						\
92 	temp = W[(t -  3) & 0x0F] ^ W[(t - 8) & 0x0F] ^	\
93 	       W[(t - 14) & 0x0F] ^ W[ t      & 0x0F],	\
94 	( W[t & 0x0F] = S(temp,1) )			\
95 )
96 
97 #define P(a,b,c,d,e,x)	{				\
98 	e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);	\
99 }
100 
101 	A = ctx->state[0];
102 	B = ctx->state[1];
103 	C = ctx->state[2];
104 	D = ctx->state[3];
105 	E = ctx->state[4];
106 
107 #define F(x,y,z) (z ^ (x & (y ^ z)))
108 #define K 0x5A827999
109 
110 	P (A, B, C, D, E, W[0]);
111 	P (E, A, B, C, D, W[1]);
112 	P (D, E, A, B, C, W[2]);
113 	P (C, D, E, A, B, W[3]);
114 	P (B, C, D, E, A, W[4]);
115 	P (A, B, C, D, E, W[5]);
116 	P (E, A, B, C, D, W[6]);
117 	P (D, E, A, B, C, W[7]);
118 	P (C, D, E, A, B, W[8]);
119 	P (B, C, D, E, A, W[9]);
120 	P (A, B, C, D, E, W[10]);
121 	P (E, A, B, C, D, W[11]);
122 	P (D, E, A, B, C, W[12]);
123 	P (C, D, E, A, B, W[13]);
124 	P (B, C, D, E, A, W[14]);
125 	P (A, B, C, D, E, W[15]);
126 	P (E, A, B, C, D, R (16));
127 	P (D, E, A, B, C, R (17));
128 	P (C, D, E, A, B, R (18));
129 	P (B, C, D, E, A, R (19));
130 
131 #undef K
132 #undef F
133 
134 #define F(x,y,z) (x ^ y ^ z)
135 #define K 0x6ED9EBA1
136 
137 	P (A, B, C, D, E, R (20));
138 	P (E, A, B, C, D, R (21));
139 	P (D, E, A, B, C, R (22));
140 	P (C, D, E, A, B, R (23));
141 	P (B, C, D, E, A, R (24));
142 	P (A, B, C, D, E, R (25));
143 	P (E, A, B, C, D, R (26));
144 	P (D, E, A, B, C, R (27));
145 	P (C, D, E, A, B, R (28));
146 	P (B, C, D, E, A, R (29));
147 	P (A, B, C, D, E, R (30));
148 	P (E, A, B, C, D, R (31));
149 	P (D, E, A, B, C, R (32));
150 	P (C, D, E, A, B, R (33));
151 	P (B, C, D, E, A, R (34));
152 	P (A, B, C, D, E, R (35));
153 	P (E, A, B, C, D, R (36));
154 	P (D, E, A, B, C, R (37));
155 	P (C, D, E, A, B, R (38));
156 	P (B, C, D, E, A, R (39));
157 
158 #undef K
159 #undef F
160 
161 #define F(x,y,z) ((x & y) | (z & (x | y)))
162 #define K 0x8F1BBCDC
163 
164 	P (A, B, C, D, E, R (40));
165 	P (E, A, B, C, D, R (41));
166 	P (D, E, A, B, C, R (42));
167 	P (C, D, E, A, B, R (43));
168 	P (B, C, D, E, A, R (44));
169 	P (A, B, C, D, E, R (45));
170 	P (E, A, B, C, D, R (46));
171 	P (D, E, A, B, C, R (47));
172 	P (C, D, E, A, B, R (48));
173 	P (B, C, D, E, A, R (49));
174 	P (A, B, C, D, E, R (50));
175 	P (E, A, B, C, D, R (51));
176 	P (D, E, A, B, C, R (52));
177 	P (C, D, E, A, B, R (53));
178 	P (B, C, D, E, A, R (54));
179 	P (A, B, C, D, E, R (55));
180 	P (E, A, B, C, D, R (56));
181 	P (D, E, A, B, C, R (57));
182 	P (C, D, E, A, B, R (58));
183 	P (B, C, D, E, A, R (59));
184 
185 #undef K
186 #undef F
187 
188 #define F(x,y,z) (x ^ y ^ z)
189 #define K 0xCA62C1D6
190 
191 	P (A, B, C, D, E, R (60));
192 	P (E, A, B, C, D, R (61));
193 	P (D, E, A, B, C, R (62));
194 	P (C, D, E, A, B, R (63));
195 	P (B, C, D, E, A, R (64));
196 	P (A, B, C, D, E, R (65));
197 	P (E, A, B, C, D, R (66));
198 	P (D, E, A, B, C, R (67));
199 	P (C, D, E, A, B, R (68));
200 	P (B, C, D, E, A, R (69));
201 	P (A, B, C, D, E, R (70));
202 	P (E, A, B, C, D, R (71));
203 	P (D, E, A, B, C, R (72));
204 	P (C, D, E, A, B, R (73));
205 	P (B, C, D, E, A, R (74));
206 	P (A, B, C, D, E, R (75));
207 	P (E, A, B, C, D, R (76));
208 	P (D, E, A, B, C, R (77));
209 	P (C, D, E, A, B, R (78));
210 	P (B, C, D, E, A, R (79));
211 
212 #undef K
213 #undef F
214 
215 	ctx->state[0] += A;
216 	ctx->state[1] += B;
217 	ctx->state[2] += C;
218 	ctx->state[3] += D;
219 	ctx->state[4] += E;
220 }
221 
222 /*
223  * SHA-1 process buffer
224  */
225 void sha1_update(sha1_context *ctx, const unsigned char *input,
226 		 unsigned int ilen)
227 {
228 	int fill;
229 	unsigned long left;
230 
231 	if (ilen <= 0)
232 		return;
233 
234 	left = ctx->total[0] & 0x3F;
235 	fill = 64 - left;
236 
237 	ctx->total[0] += ilen;
238 	ctx->total[0] &= 0xFFFFFFFF;
239 
240 	if (ctx->total[0] < (unsigned long) ilen)
241 		ctx->total[1]++;
242 
243 	if (left && ilen >= fill) {
244 		memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
245 		sha1_process (ctx, ctx->buffer);
246 		input += fill;
247 		ilen -= fill;
248 		left = 0;
249 	}
250 
251 	while (ilen >= 64) {
252 		sha1_process (ctx, input);
253 		input += 64;
254 		ilen -= 64;
255 	}
256 
257 	if (ilen > 0) {
258 		memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
259 	}
260 }
261 
262 static const unsigned char sha1_padding[64] = {
263 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
264 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
265 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
266 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
267 };
268 
269 /*
270  * SHA-1 final digest
271  */
272 void sha1_finish (sha1_context * ctx, unsigned char output[20])
273 {
274 	unsigned long last, padn;
275 	unsigned long high, low;
276 	unsigned char msglen[8];
277 
278 	high = (ctx->total[0] >> 29)
279 		| (ctx->total[1] << 3);
280 	low = (ctx->total[0] << 3);
281 
282 	PUT_UINT32_BE (high, msglen, 0);
283 	PUT_UINT32_BE (low, msglen, 4);
284 
285 	last = ctx->total[0] & 0x3F;
286 	padn = (last < 56) ? (56 - last) : (120 - last);
287 
288 	sha1_update (ctx, (unsigned char *) sha1_padding, padn);
289 	sha1_update (ctx, msglen, 8);
290 
291 	PUT_UINT32_BE (ctx->state[0], output, 0);
292 	PUT_UINT32_BE (ctx->state[1], output, 4);
293 	PUT_UINT32_BE (ctx->state[2], output, 8);
294 	PUT_UINT32_BE (ctx->state[3], output, 12);
295 	PUT_UINT32_BE (ctx->state[4], output, 16);
296 }
297 
298 /*
299  * Output = SHA-1( input buffer )
300  */
301 void sha1_csum(const unsigned char *input, unsigned int ilen,
302 	       unsigned char *output)
303 {
304 	sha1_context ctx;
305 
306 	sha1_starts (&ctx);
307 	sha1_update (&ctx, input, ilen);
308 	sha1_finish (&ctx, output);
309 }
310 
311 /*
312  * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
313  * bytes of input processed.
314  */
315 void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
316 		  unsigned char *output, unsigned int chunk_sz)
317 {
318 	sha1_context ctx;
319 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
320 	const unsigned char *end, *curr;
321 	int chunk;
322 #endif
323 
324 	sha1_starts (&ctx);
325 
326 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
327 	curr = input;
328 	end = input + ilen;
329 	while (curr < end) {
330 		chunk = end - curr;
331 		if (chunk > chunk_sz)
332 			chunk = chunk_sz;
333 		sha1_update (&ctx, curr, chunk);
334 		curr += chunk;
335 		WATCHDOG_RESET ();
336 	}
337 #else
338 	sha1_update (&ctx, input, ilen);
339 #endif
340 
341 	sha1_finish (&ctx, output);
342 }
343 
344 /*
345  * Output = HMAC-SHA-1( input buffer, hmac key )
346  */
347 void sha1_hmac(const unsigned char *key, int keylen,
348 	       const unsigned char *input, unsigned int ilen,
349 	       unsigned char *output)
350 {
351 	int i;
352 	sha1_context ctx;
353 	unsigned char k_ipad[64];
354 	unsigned char k_opad[64];
355 	unsigned char tmpbuf[20];
356 
357 	memset (k_ipad, 0x36, 64);
358 	memset (k_opad, 0x5C, 64);
359 
360 	for (i = 0; i < keylen; i++) {
361 		if (i >= 64)
362 			break;
363 
364 		k_ipad[i] ^= key[i];
365 		k_opad[i] ^= key[i];
366 	}
367 
368 	sha1_starts (&ctx);
369 	sha1_update (&ctx, k_ipad, 64);
370 	sha1_update (&ctx, input, ilen);
371 	sha1_finish (&ctx, tmpbuf);
372 
373 	sha1_starts (&ctx);
374 	sha1_update (&ctx, k_opad, 64);
375 	sha1_update (&ctx, tmpbuf, 20);
376 	sha1_finish (&ctx, output);
377 
378 	memset (k_ipad, 0, 64);
379 	memset (k_opad, 0, 64);
380 	memset (tmpbuf, 0, 20);
381 	memset (&ctx, 0, sizeof (sha1_context));
382 }
383 
384 #ifdef SELF_TEST
385 /*
386  * FIPS-180-1 test vectors
387  */
388 static const char sha1_test_str[3][57] = {
389 	{"abc"},
390 	{"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
391 	{""}
392 };
393 
394 static const unsigned char sha1_test_sum[3][20] = {
395 	{0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
396 	 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
397 	{0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
398 	 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
399 	{0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
400 	 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
401 };
402 
403 /*
404  * Checkup routine
405  */
406 int sha1_self_test (void)
407 {
408 	int i, j;
409 	unsigned char buf[1000];
410 	unsigned char sha1sum[20];
411 	sha1_context ctx;
412 
413 	for (i = 0; i < 3; i++) {
414 		printf ("  SHA-1 test #%d: ", i + 1);
415 
416 		sha1_starts (&ctx);
417 
418 		if (i < 2)
419 			sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
420 				     strlen (sha1_test_str[i]));
421 		else {
422 			memset (buf, 'a', 1000);
423 			for (j = 0; j < 1000; j++)
424 				sha1_update (&ctx, buf, 1000);
425 		}
426 
427 		sha1_finish (&ctx, sha1sum);
428 
429 		if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
430 			printf ("failed\n");
431 			return (1);
432 		}
433 
434 		printf ("passed\n");
435 	}
436 
437 	printf ("\n");
438 	return (0);
439 }
440 #else
441 int sha1_self_test (void)
442 {
443 	return (0);
444 }
445 #endif
446