1 /*
2  *  Heiko Schocher, DENX Software Engineering, hs@denx.de.
3  *  based on:
4  *  FIPS-180-1 compliant SHA-1 implementation
5  *
6  *  Copyright (C) 2003-2006  Christophe Devine
7  *
8  * SPDX-License-Identifier:	LGPL-2.1
9  */
10 /*
11  *  The SHA-1 standard was published by NIST in 1993.
12  *
13  *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
14  */
15 
16 #ifndef _CRT_SECURE_NO_DEPRECATE
17 #define _CRT_SECURE_NO_DEPRECATE 1
18 #endif
19 
20 #ifndef USE_HOSTCC
21 #include <common.h>
22 #include <linux/string.h>
23 #else
24 #include <string.h>
25 #endif /* USE_HOSTCC */
26 #include <watchdog.h>
27 #include <u-boot/sha1.h>
28 
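/*
 * 32-bit big-endian load/store helpers.
 *
 * GET_UINT32_BE(n, b, i): n = the four bytes b[i..i+3] read as a big-endian
 *                         32-bit value.
 * PUT_UINT32_BE(n, b, i): store the low 32 bits of n into b[i..i+3],
 *                         most significant byte first.
 *
 * Both macros evaluate 'b' and 'i' several times, so the arguments must be
 * free of side effects. Neither macro checks bounds; the caller must
 * guarantee that b[i + 3] is inside the buffer.
 *
 * The bodies are wrapped in do { } while (0) so that an invocation followed
 * by ';' is exactly one statement and stays safe in an unbraced if/else.
 */
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) do {			\
	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
	    | ( (unsigned long) (b)[(i) + 3]       );	\
} while (0)
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) do {			\
	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
} while (0)
#endif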
48 
/*
 * SHA-1 context setup.
 *
 * Loads the five initial chaining values into ctx->state and clears the
 * two-word byte counter ctx->total. ctx->buffer is left untouched.
 * ctx must point to a valid sha1_context; it is not checked for NULL.
 */
void sha1_starts (sha1_context * ctx)
{
	static const unsigned long initial_state[5] = {
		0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0
	};
	int word;

	for (word = 0; word < 5; word++)
		ctx->state[word] = initial_state[word];

	ctx->total[1] = 0;
	ctx->total[0] = 0;
}
63 
/*
 * SHA-1 compression function: fold one 64-byte block into ctx->state.
 *
 * ctx:  hash context; its five state words are read and then updated
 * data: exactly 64 bytes of message data, parsed as 16 big-endian words
 *
 * All 80 rounds are unrolled. W[] holds only 16 words and is used as a
 * circular message schedule (every index is taken "& 0x0F").
 * Nothing here checks ctx or data for NULL or verifies the block length.
 */
static void sha1_process(sha1_context *ctx, const unsigned char data[64])
{
	unsigned long temp, W[16], A, B, C, D, E;

	/* Load the block as sixteen big-endian 32-bit words. */
	GET_UINT32_BE (W[0], data, 0);
	GET_UINT32_BE (W[1], data, 4);
	GET_UINT32_BE (W[2], data, 8);
	GET_UINT32_BE (W[3], data, 12);
	GET_UINT32_BE (W[4], data, 16);
	GET_UINT32_BE (W[5], data, 20);
	GET_UINT32_BE (W[6], data, 24);
	GET_UINT32_BE (W[7], data, 28);
	GET_UINT32_BE (W[8], data, 32);
	GET_UINT32_BE (W[9], data, 36);
	GET_UINT32_BE (W[10], data, 40);
	GET_UINT32_BE (W[11], data, 44);
	GET_UINT32_BE (W[12], data, 48);
	GET_UINT32_BE (W[13], data, 52);
	GET_UINT32_BE (W[14], data, 56);
	GET_UINT32_BE (W[15], data, 60);

/*
 * Rotate x left by n within 32 bits. The right-shift operand is masked to
 * 32 bits, presumably because unsigned long may be wider than 32 bits;
 * bits above bit 31 of the result are not cleared here.
 * NOTE(review): x and n are not parenthesized, so only simple operands
 * (as used below) are safe.
 */
#define S(x,n)	((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))

/*
 * Message-schedule expansion, done in place:
 * W[t mod 16] = S(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16], 1), and the new
 * word is the value of the expression. Uses 'temp' as scratch.
 */
#define R(t) (						\
	temp = W[(t -  3) & 0x0F] ^ W[(t - 8) & 0x0F] ^	\
	       W[(t - 14) & 0x0F] ^ W[ t      & 0x0F],	\
	( W[t & 0x0F] = S(temp,1) )			\
)

/*
 * One round: e += S(a,5) + F(b,c,d) + K + x, then b is rotated left by 30.
 * The call sites rotate the roles of A..E from one round to the next
 * instead of moving values between variables. F and K are (re)defined for
 * each 20-round stage below.
 */
#define P(a,b,c,d,e,x)	{				\
	e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);	\
}

	/* Start from the current chaining state. */
	A = ctx->state[0];
	B = ctx->state[1];
	C = ctx->state[2];
	D = ctx->state[3];
	E = ctx->state[4];

/* Rounds 0-19: "choose" function (x selects between y and z). */
#define F(x,y,z) (z ^ (x & (y ^ z)))
#define K 0x5A827999

	P (A, B, C, D, E, W[0]);
	P (E, A, B, C, D, W[1]);
	P (D, E, A, B, C, W[2]);
	P (C, D, E, A, B, W[3]);
	P (B, C, D, E, A, W[4]);
	P (A, B, C, D, E, W[5]);
	P (E, A, B, C, D, W[6]);
	P (D, E, A, B, C, W[7]);
	P (C, D, E, A, B, W[8]);
	P (B, C, D, E, A, W[9]);
	P (A, B, C, D, E, W[10]);
	P (E, A, B, C, D, W[11]);
	P (D, E, A, B, C, W[12]);
	P (C, D, E, A, B, W[13]);
	P (B, C, D, E, A, W[14]);
	P (A, B, C, D, E, W[15]);
	P (E, A, B, C, D, R (16));
	P (D, E, A, B, C, R (17));
	P (C, D, E, A, B, R (18));
	P (B, C, D, E, A, R (19));

#undef K
#undef F

/* Rounds 20-39: parity function. */
#define F(x,y,z) (x ^ y ^ z)
#define K 0x6ED9EBA1

	P (A, B, C, D, E, R (20));
	P (E, A, B, C, D, R (21));
	P (D, E, A, B, C, R (22));
	P (C, D, E, A, B, R (23));
	P (B, C, D, E, A, R (24));
	P (A, B, C, D, E, R (25));
	P (E, A, B, C, D, R (26));
	P (D, E, A, B, C, R (27));
	P (C, D, E, A, B, R (28));
	P (B, C, D, E, A, R (29));
	P (A, B, C, D, E, R (30));
	P (E, A, B, C, D, R (31));
	P (D, E, A, B, C, R (32));
	P (C, D, E, A, B, R (33));
	P (B, C, D, E, A, R (34));
	P (A, B, C, D, E, R (35));
	P (E, A, B, C, D, R (36));
	P (D, E, A, B, C, R (37));
	P (C, D, E, A, B, R (38));
	P (B, C, D, E, A, R (39));

#undef K
#undef F

/* Rounds 40-59: majority function. */
#define F(x,y,z) ((x & y) | (z & (x | y)))
#define K 0x8F1BBCDC

	P (A, B, C, D, E, R (40));
	P (E, A, B, C, D, R (41));
	P (D, E, A, B, C, R (42));
	P (C, D, E, A, B, R (43));
	P (B, C, D, E, A, R (44));
	P (A, B, C, D, E, R (45));
	P (E, A, B, C, D, R (46));
	P (D, E, A, B, C, R (47));
	P (C, D, E, A, B, R (48));
	P (B, C, D, E, A, R (49));
	P (A, B, C, D, E, R (50));
	P (E, A, B, C, D, R (51));
	P (D, E, A, B, C, R (52));
	P (C, D, E, A, B, R (53));
	P (B, C, D, E, A, R (54));
	P (A, B, C, D, E, R (55));
	P (E, A, B, C, D, R (56));
	P (D, E, A, B, C, R (57));
	P (C, D, E, A, B, R (58));
	P (B, C, D, E, A, R (59));

#undef K
#undef F

/* Rounds 60-79: parity function again, with the last round constant. */
#define F(x,y,z) (x ^ y ^ z)
#define K 0xCA62C1D6

	P (A, B, C, D, E, R (60));
	P (E, A, B, C, D, R (61));
	P (D, E, A, B, C, R (62));
	P (C, D, E, A, B, R (63));
	P (B, C, D, E, A, R (64));
	P (A, B, C, D, E, R (65));
	P (E, A, B, C, D, R (66));
	P (D, E, A, B, C, R (67));
	P (C, D, E, A, B, R (68));
	P (B, C, D, E, A, R (69));
	P (A, B, C, D, E, R (70));
	P (E, A, B, C, D, R (71));
	P (D, E, A, B, C, R (72));
	P (C, D, E, A, B, R (73));
	P (B, C, D, E, A, R (74));
	P (A, B, C, D, E, R (75));
	P (E, A, B, C, D, R (76));
	P (D, E, A, B, C, R (77));
	P (C, D, E, A, B, R (78));
	P (B, C, D, E, A, R (79));

#undef K
#undef F

	/*
	 * Feed-forward: add the working variables into the chaining state.
	 * S, R and P are not #undef'd and stay defined after this function.
	 */
	ctx->state[0] += A;
	ctx->state[1] += B;
	ctx->state[2] += C;
	ctx->state[3] += D;
	ctx->state[4] += E;
}
217 
/*
 * SHA-1 process buffer.
 *
 * Absorbs 'ilen' bytes from 'input' into the running hash. Complete
 * 64-byte blocks are compressed immediately; a trailing partial block is
 * kept in ctx->buffer until more data (or the final padding) arrives.
 *
 * ctx:   context previously initialised with sha1_starts()
 * input: data to hash; must be readable for 'ilen' bytes (not checked)
 * ilen:  number of bytes; 0 is a no-op
 */
void sha1_update(sha1_context *ctx, const unsigned char *input,
		 unsigned int ilen)
{
	unsigned long used;
	int room;

	if (ilen == 0)
		return;

	/* Bytes already waiting in ctx->buffer, and the space left in it. */
	used = ctx->total[0] & 0x3F;
	room = 64 - used;

	/* 64-bit byte counter kept as two 32-bit halves; carry on wrap. */
	ctx->total[0] = (ctx->total[0] + ilen) & 0xFFFFFFFF;
	if (ctx->total[0] < (unsigned long) ilen)
		ctx->total[1]++;

	/* Top up a partially filled buffer first and compress it. */
	if (used != 0 && ilen >= room) {
		memcpy (ctx->buffer + used, input, room);
		sha1_process (ctx, ctx->buffer);
		input += room;
		ilen -= room;
		used = 0;
	}

	/* Compress whole blocks straight from the caller's memory. */
	for (; ilen >= 64; input += 64, ilen -= 64)
		sha1_process (ctx, input);

	/* Stash whatever is left (fewer than 64 bytes) for the next call. */
	if (ilen != 0)
		memcpy (ctx->buffer + used, input, ilen);
}
257 
/*
 * Padding source for sha1_finish(): a single 0x80 byte followed by zeros.
 * The remaining 63 elements are zero-initialised implicitly.
 */
static const unsigned char sha1_padding[64] = { 0x80 };
264 
/*
 * SHA-1 final digest.
 *
 * Appends the padding and the 64-bit big-endian message length in bits,
 * then writes the five state words to 'output' in big-endian order.
 *
 * ctx:    context that has absorbed the whole message
 * output: receives the 20-byte digest; must have room for 20 bytes
 *
 * The context is not cleared here and is not reusable until
 * sha1_starts() is called again.
 */
void sha1_finish (sha1_context * ctx, unsigned char output[20])
{
	unsigned char bitlen[8];
	unsigned long bits_hi, bits_lo;
	unsigned long tail, pad_bytes;
	int word;

	/* Byte count -> bit count; must be captured before padding is fed. */
	bits_hi = (ctx->total[0] >> 29) | (ctx->total[1] << 3);
	bits_lo = (ctx->total[0] << 3);

	PUT_UINT32_BE (bits_hi, bitlen, 0);
	PUT_UINT32_BE (bits_lo, bitlen, 4);

	/* Pad so that the buffered data ends 8 bytes short of a block. */
	tail = ctx->total[0] & 0x3F;
	if (tail < 56)
		pad_bytes = 56 - tail;
	else
		pad_bytes = 120 - tail;

	sha1_update (ctx, sha1_padding, pad_bytes);
	sha1_update (ctx, bitlen, 8);

	for (word = 0; word < 5; word++) {
		PUT_UINT32_BE (ctx->state[word], output, 4 * word);
	}
}
293 
/*
 * Output = SHA-1( input buffer )
 *
 * One-shot helper: hashes 'ilen' bytes at 'input' and writes the 20-byte
 * digest to 'output'.
 *
 * Note: SHA-1 is no longer collision resistant. It is suitable for
 * detecting accidental corruption, but should not be the only thing
 * standing between untrusted data and a trust decision.
 */
void sha1_csum(const unsigned char *input, unsigned int ilen,
	       unsigned char *output)
{
	sha1_context hash;

	sha1_starts (&hash);
	sha1_update (&hash, input, ilen);
	sha1_finish (&hash, output);
}
306 
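/*
 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
 * bytes of input processed.
 *
 * input:    data to hash, readable for 'ilen' bytes
 * ilen:     number of bytes to hash
 * output:   receives the 20-byte digest
 * chunk_sz: bytes to hash between watchdog resets; only used when a
 *           watchdog is configured. 0 means "do not split": the whole
 *           input is hashed in one step.
 *
 * The chunk bookkeeping is done in unsigned int. The earlier signed 'int'
 * chunk could go negative for inputs larger than INT_MAX and move the read
 * pointer backwards, and a chunk_sz of 0 never advanced the pointer, which
 * left the loop spinning while it kept resetting the watchdog.
 */
void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
		  unsigned char *output, unsigned int chunk_sz)
{
	sha1_context ctx;
#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
	const unsigned char *curr;
	unsigned int remaining, chunk;
#endif

	sha1_starts (&ctx);

#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
	curr = input;
	remaining = ilen;
	while (remaining > 0) {
		/* Take at most chunk_sz bytes; 0 disables the limit. */
		chunk = remaining;
		if (chunk_sz != 0 && chunk > chunk_sz)
			chunk = chunk_sz;
		sha1_update (&ctx, curr, chunk);
		curr += chunk;
		remaining -= chunk;
		WATCHDOG_RESET ();
	}
#else
	sha1_update (&ctx, input, ilen);
#endif

	sha1_finish (&ctx, output);
}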
339 
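/*
 * Overwrite 'len' bytes at 'buf' with zeros through a volatile pointer.
 * A plain memset() on a buffer that is never read again may be removed by
 * the optimiser, which would leave key material on the stack.
 */
static void sha1_zeroize(void *buf, unsigned int len)
{
	volatile unsigned char *p = (volatile unsigned char *) buf;

	while (len--)
		*p++ = 0;
}

/*
 * Output = HMAC-SHA-1( input buffer, hmac key )
 *
 * key:    HMAC key
 * keylen: key length in bytes; values <= 0 are treated as an empty key
 * input:  message to authenticate, readable for 'ilen' bytes
 * ilen:   message length in bytes
 * output: receives the 20-byte MAC
 *
 * Keys longer than the 64-byte SHA-1 block are first replaced by their
 * SHA-1 digest, as RFC 2104 requires. Previously such keys were silently
 * truncated to 64 bytes, so the result did not match other HMAC-SHA-1
 * implementations and keys sharing a 64-byte prefix gave the same MAC.
 * Results for keys of up to 64 bytes are unchanged.
 *
 * When verifying a MAC, compare it with a constant-time comparison.
 */
void sha1_hmac(const unsigned char *key, int keylen,
	       const unsigned char *input, unsigned int ilen,
	       unsigned char *output)
{
	int i;
	sha1_context ctx;
	unsigned char k_ipad[64];
	unsigned char k_opad[64];
	unsigned char tmpbuf[20];
	unsigned char keyhash[20];

	/* RFC 2104: a key longer than the block size is hashed first. */
	if (keylen > 64) {
		sha1_csum (key, (unsigned int) keylen, keyhash);
		key = keyhash;
		keylen = 20;
	}

	memset (k_ipad, 0x36, 64);
	memset (k_opad, 0x5C, 64);

	/* keylen is at most 64 here; a non-positive keylen skips the loop. */
	for (i = 0; i < keylen; i++) {
		k_ipad[i] ^= key[i];
		k_opad[i] ^= key[i];
	}

	/* Inner hash: SHA-1( (K ^ ipad) || message ) */
	sha1_starts (&ctx);
	sha1_update (&ctx, k_ipad, 64);
	sha1_update (&ctx, input, ilen);
	sha1_finish (&ctx, tmpbuf);

	/* Outer hash: SHA-1( (K ^ opad) || inner digest ) */
	sha1_starts (&ctx);
	sha1_update (&ctx, k_opad, 64);
	sha1_update (&ctx, tmpbuf, 20);
	sha1_finish (&ctx, output);

	/* Scrub everything derived from the key before returning. */
	sha1_zeroize (k_ipad, 64);
	sha1_zeroize (k_opad, 64);
	sha1_zeroize (tmpbuf, 20);
	sha1_zeroize (keyhash, 20);
	sha1_zeroize (&ctx, sizeof (sha1_context));
}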
379 
380 #ifdef SELF_TEST
/*
 * FIPS-180-1 test vectors.
 *
 * sha1_test_str[0] and [1] are hashed directly by sha1_self_test().
 * Entry [2] is an unused placeholder: the third test hashes 1000 buffers
 * of 1000 'a' bytes instead. sha1_test_sum[i] is the expected digest for
 * test i.
 */
static const char sha1_test_str[3][57] = {
	"abc",
	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
	""
};

static const unsigned char sha1_test_sum[3][20] = {
	{
		0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A,
		0xBA, 0x3E, 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C,
		0x9C, 0xD0, 0xD8, 0x9D
	},
	{
		0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E,
		0xBA, 0xAE, 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5,
		0xE5, 0x46, 0x70, 0xF1
	},
	{
		0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4,
		0xF6, 0x1E, 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31,
		0x65, 0x34, 0x01, 0x6F
	}
};
398 
/*
 * Checkup routine.
 *
 * Runs the three test vectors and prints one "passed"/"failed" line per
 * vector. Tests 1 and 2 hash a fixed string; test 3 hashes one million
 * 'a' bytes, fed as 1000 updates of a 1000-byte buffer.
 *
 * Returns 0 when every digest matches, 1 at the first mismatch.
 */
int sha1_self_test (void)
{
	unsigned char block[1000];
	unsigned char digest[20];
	sha1_context ctx;
	int vec, rep;

	for (vec = 0; vec < 3; vec++) {
		printf ("  SHA-1 test #%d: ", vec + 1);

		sha1_starts (&ctx);

		if (vec >= 2) {
			memset (block, 'a', 1000);
			for (rep = 0; rep < 1000; rep++)
				sha1_update (&ctx, block, 1000);
		} else {
			sha1_update (&ctx, (unsigned char *) sha1_test_str[vec],
				     strlen (sha1_test_str[vec]));
		}

		sha1_finish (&ctx, digest);

		if (memcmp (digest, sha1_test_sum[vec], 20) == 0) {
			printf ("passed\n");
			continue;
		}

		printf ("failed\n");
		return 1;
	}

	printf ("\n");
	return 0;
}
436 #else
/*
 * Stub used when SELF_TEST is not defined: runs no vectors and always
 * reports success, so a 0 return does not show that the hash was checked.
 */
int sha1_self_test (void)
{
	return 0;
}
441 #endif
442