xref: /openbmc/u-boot/lib/sha1.c (revision cb686454c74c20617a91276083c41b19f7d118ad)
1 /*
2  *  Heiko Schocher, DENX Software Engineering, hs@denx.de.
3  *  based on:
4  *  FIPS-180-1 compliant SHA-1 implementation
5  *
6  *  Copyright (C) 2003-2006  Christophe Devine
7  *
8  * SPDX-License-Identifier:	LGPL-2.1
9  */
10 /*
11  *  The SHA-1 standard was published by NIST in 1993.
12  *
13  *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
14  */
15 
16 #ifndef _CRT_SECURE_NO_DEPRECATE
17 #define _CRT_SECURE_NO_DEPRECATE 1
18 #endif
19 
20 #ifndef USE_HOSTCC
21 #include <common.h>
22 #include <linux/string.h>
23 #else
24 #include <string.h>
25 #endif /* USE_HOSTCC */
26 #include <watchdog.h>
27 #include <u-boot/sha1.h>
28 
29 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
30 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
31 	0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
32 };
33 
34 /*
35  * 32-bit integer manipulation macros (big endian)
36  */
37 #ifndef GET_UINT32_BE
38 #define GET_UINT32_BE(n,b,i) {				\
39 	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
40 	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
41 	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
42 	    | ( (unsigned long) (b)[(i) + 3]       );	\
43 }
44 #endif
45 #ifndef PUT_UINT32_BE
46 #define PUT_UINT32_BE(n,b,i) {				\
47 	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
48 	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
49 	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
50 	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
51 }
52 #endif
53 
54 /*
55  * SHA-1 context setup
56  */
57 void sha1_starts (sha1_context * ctx)
58 {
59 	ctx->total[0] = 0;
60 	ctx->total[1] = 0;
61 
62 	ctx->state[0] = 0x67452301;
63 	ctx->state[1] = 0xEFCDAB89;
64 	ctx->state[2] = 0x98BADCFE;
65 	ctx->state[3] = 0x10325476;
66 	ctx->state[4] = 0xC3D2E1F0;
67 }
68 
69 static void sha1_process(sha1_context *ctx, const unsigned char data[64])
70 {
71 	unsigned long temp, W[16], A, B, C, D, E;
72 
73 	GET_UINT32_BE (W[0], data, 0);
74 	GET_UINT32_BE (W[1], data, 4);
75 	GET_UINT32_BE (W[2], data, 8);
76 	GET_UINT32_BE (W[3], data, 12);
77 	GET_UINT32_BE (W[4], data, 16);
78 	GET_UINT32_BE (W[5], data, 20);
79 	GET_UINT32_BE (W[6], data, 24);
80 	GET_UINT32_BE (W[7], data, 28);
81 	GET_UINT32_BE (W[8], data, 32);
82 	GET_UINT32_BE (W[9], data, 36);
83 	GET_UINT32_BE (W[10], data, 40);
84 	GET_UINT32_BE (W[11], data, 44);
85 	GET_UINT32_BE (W[12], data, 48);
86 	GET_UINT32_BE (W[13], data, 52);
87 	GET_UINT32_BE (W[14], data, 56);
88 	GET_UINT32_BE (W[15], data, 60);
89 
90 #define S(x,n)	((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
91 
92 #define R(t) (						\
93 	temp = W[(t -  3) & 0x0F] ^ W[(t - 8) & 0x0F] ^	\
94 	       W[(t - 14) & 0x0F] ^ W[ t      & 0x0F],	\
95 	( W[t & 0x0F] = S(temp,1) )			\
96 )
97 
98 #define P(a,b,c,d,e,x)	{				\
99 	e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);	\
100 }
101 
102 	A = ctx->state[0];
103 	B = ctx->state[1];
104 	C = ctx->state[2];
105 	D = ctx->state[3];
106 	E = ctx->state[4];
107 
108 #define F(x,y,z) (z ^ (x & (y ^ z)))
109 #define K 0x5A827999
110 
111 	P (A, B, C, D, E, W[0]);
112 	P (E, A, B, C, D, W[1]);
113 	P (D, E, A, B, C, W[2]);
114 	P (C, D, E, A, B, W[3]);
115 	P (B, C, D, E, A, W[4]);
116 	P (A, B, C, D, E, W[5]);
117 	P (E, A, B, C, D, W[6]);
118 	P (D, E, A, B, C, W[7]);
119 	P (C, D, E, A, B, W[8]);
120 	P (B, C, D, E, A, W[9]);
121 	P (A, B, C, D, E, W[10]);
122 	P (E, A, B, C, D, W[11]);
123 	P (D, E, A, B, C, W[12]);
124 	P (C, D, E, A, B, W[13]);
125 	P (B, C, D, E, A, W[14]);
126 	P (A, B, C, D, E, W[15]);
127 	P (E, A, B, C, D, R (16));
128 	P (D, E, A, B, C, R (17));
129 	P (C, D, E, A, B, R (18));
130 	P (B, C, D, E, A, R (19));
131 
132 #undef K
133 #undef F
134 
135 #define F(x,y,z) (x ^ y ^ z)
136 #define K 0x6ED9EBA1
137 
138 	P (A, B, C, D, E, R (20));
139 	P (E, A, B, C, D, R (21));
140 	P (D, E, A, B, C, R (22));
141 	P (C, D, E, A, B, R (23));
142 	P (B, C, D, E, A, R (24));
143 	P (A, B, C, D, E, R (25));
144 	P (E, A, B, C, D, R (26));
145 	P (D, E, A, B, C, R (27));
146 	P (C, D, E, A, B, R (28));
147 	P (B, C, D, E, A, R (29));
148 	P (A, B, C, D, E, R (30));
149 	P (E, A, B, C, D, R (31));
150 	P (D, E, A, B, C, R (32));
151 	P (C, D, E, A, B, R (33));
152 	P (B, C, D, E, A, R (34));
153 	P (A, B, C, D, E, R (35));
154 	P (E, A, B, C, D, R (36));
155 	P (D, E, A, B, C, R (37));
156 	P (C, D, E, A, B, R (38));
157 	P (B, C, D, E, A, R (39));
158 
159 #undef K
160 #undef F
161 
162 #define F(x,y,z) ((x & y) | (z & (x | y)))
163 #define K 0x8F1BBCDC
164 
165 	P (A, B, C, D, E, R (40));
166 	P (E, A, B, C, D, R (41));
167 	P (D, E, A, B, C, R (42));
168 	P (C, D, E, A, B, R (43));
169 	P (B, C, D, E, A, R (44));
170 	P (A, B, C, D, E, R (45));
171 	P (E, A, B, C, D, R (46));
172 	P (D, E, A, B, C, R (47));
173 	P (C, D, E, A, B, R (48));
174 	P (B, C, D, E, A, R (49));
175 	P (A, B, C, D, E, R (50));
176 	P (E, A, B, C, D, R (51));
177 	P (D, E, A, B, C, R (52));
178 	P (C, D, E, A, B, R (53));
179 	P (B, C, D, E, A, R (54));
180 	P (A, B, C, D, E, R (55));
181 	P (E, A, B, C, D, R (56));
182 	P (D, E, A, B, C, R (57));
183 	P (C, D, E, A, B, R (58));
184 	P (B, C, D, E, A, R (59));
185 
186 #undef K
187 #undef F
188 
189 #define F(x,y,z) (x ^ y ^ z)
190 #define K 0xCA62C1D6
191 
192 	P (A, B, C, D, E, R (60));
193 	P (E, A, B, C, D, R (61));
194 	P (D, E, A, B, C, R (62));
195 	P (C, D, E, A, B, R (63));
196 	P (B, C, D, E, A, R (64));
197 	P (A, B, C, D, E, R (65));
198 	P (E, A, B, C, D, R (66));
199 	P (D, E, A, B, C, R (67));
200 	P (C, D, E, A, B, R (68));
201 	P (B, C, D, E, A, R (69));
202 	P (A, B, C, D, E, R (70));
203 	P (E, A, B, C, D, R (71));
204 	P (D, E, A, B, C, R (72));
205 	P (C, D, E, A, B, R (73));
206 	P (B, C, D, E, A, R (74));
207 	P (A, B, C, D, E, R (75));
208 	P (E, A, B, C, D, R (76));
209 	P (D, E, A, B, C, R (77));
210 	P (C, D, E, A, B, R (78));
211 	P (B, C, D, E, A, R (79));
212 
213 #undef K
214 #undef F
215 
216 	ctx->state[0] += A;
217 	ctx->state[1] += B;
218 	ctx->state[2] += C;
219 	ctx->state[3] += D;
220 	ctx->state[4] += E;
221 }
222 
223 /*
224  * SHA-1 process buffer
225  */
226 void sha1_update(sha1_context *ctx, const unsigned char *input,
227 		 unsigned int ilen)
228 {
229 	int fill;
230 	unsigned long left;
231 
232 	if (ilen <= 0)
233 		return;
234 
235 	left = ctx->total[0] & 0x3F;
236 	fill = 64 - left;
237 
238 	ctx->total[0] += ilen;
239 	ctx->total[0] &= 0xFFFFFFFF;
240 
241 	if (ctx->total[0] < (unsigned long) ilen)
242 		ctx->total[1]++;
243 
244 	if (left && ilen >= fill) {
245 		memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
246 		sha1_process (ctx, ctx->buffer);
247 		input += fill;
248 		ilen -= fill;
249 		left = 0;
250 	}
251 
252 	while (ilen >= 64) {
253 		sha1_process (ctx, input);
254 		input += 64;
255 		ilen -= 64;
256 	}
257 
258 	if (ilen > 0) {
259 		memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
260 	}
261 }
262 
263 static const unsigned char sha1_padding[64] = {
264 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
265 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
266 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
267 	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
268 };
269 
270 /*
271  * SHA-1 final digest
272  */
273 void sha1_finish (sha1_context * ctx, unsigned char output[20])
274 {
275 	unsigned long last, padn;
276 	unsigned long high, low;
277 	unsigned char msglen[8];
278 
279 	high = (ctx->total[0] >> 29)
280 		| (ctx->total[1] << 3);
281 	low = (ctx->total[0] << 3);
282 
283 	PUT_UINT32_BE (high, msglen, 0);
284 	PUT_UINT32_BE (low, msglen, 4);
285 
286 	last = ctx->total[0] & 0x3F;
287 	padn = (last < 56) ? (56 - last) : (120 - last);
288 
289 	sha1_update (ctx, (unsigned char *) sha1_padding, padn);
290 	sha1_update (ctx, msglen, 8);
291 
292 	PUT_UINT32_BE (ctx->state[0], output, 0);
293 	PUT_UINT32_BE (ctx->state[1], output, 4);
294 	PUT_UINT32_BE (ctx->state[2], output, 8);
295 	PUT_UINT32_BE (ctx->state[3], output, 12);
296 	PUT_UINT32_BE (ctx->state[4], output, 16);
297 }
298 
299 /*
300  * Output = SHA-1( input buffer )
301  */
302 void sha1_csum(const unsigned char *input, unsigned int ilen,
303 	       unsigned char *output)
304 {
305 	sha1_context ctx;
306 
307 	sha1_starts (&ctx);
308 	sha1_update (&ctx, input, ilen);
309 	sha1_finish (&ctx, output);
310 }
311 
312 /*
313  * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
314  * bytes of input processed.
315  */
316 void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
317 		  unsigned char *output, unsigned int chunk_sz)
318 {
319 	sha1_context ctx;
320 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
321 	const unsigned char *end, *curr;
322 	int chunk;
323 #endif
324 
325 	sha1_starts (&ctx);
326 
327 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
328 	curr = input;
329 	end = input + ilen;
330 	while (curr < end) {
331 		chunk = end - curr;
332 		if (chunk > chunk_sz)
333 			chunk = chunk_sz;
334 		sha1_update (&ctx, curr, chunk);
335 		curr += chunk;
336 		WATCHDOG_RESET ();
337 	}
338 #else
339 	sha1_update (&ctx, input, ilen);
340 #endif
341 
342 	sha1_finish (&ctx, output);
343 }
344 
345 /*
346  * Output = HMAC-SHA-1( input buffer, hmac key )
347  */
348 void sha1_hmac(const unsigned char *key, int keylen,
349 	       const unsigned char *input, unsigned int ilen,
350 	       unsigned char *output)
351 {
352 	int i;
353 	sha1_context ctx;
354 	unsigned char k_ipad[64];
355 	unsigned char k_opad[64];
356 	unsigned char tmpbuf[20];
357 
358 	memset (k_ipad, 0x36, 64);
359 	memset (k_opad, 0x5C, 64);
360 
361 	for (i = 0; i < keylen; i++) {
362 		if (i >= 64)
363 			break;
364 
365 		k_ipad[i] ^= key[i];
366 		k_opad[i] ^= key[i];
367 	}
368 
369 	sha1_starts (&ctx);
370 	sha1_update (&ctx, k_ipad, 64);
371 	sha1_update (&ctx, input, ilen);
372 	sha1_finish (&ctx, tmpbuf);
373 
374 	sha1_starts (&ctx);
375 	sha1_update (&ctx, k_opad, 64);
376 	sha1_update (&ctx, tmpbuf, 20);
377 	sha1_finish (&ctx, output);
378 
379 	memset (k_ipad, 0, 64);
380 	memset (k_opad, 0, 64);
381 	memset (tmpbuf, 0, 20);
382 	memset (&ctx, 0, sizeof (sha1_context));
383 }
384 
385 #ifdef SELF_TEST
386 /*
387  * FIPS-180-1 test vectors
388  */
389 static const char sha1_test_str[3][57] = {
390 	{"abc"},
391 	{"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
392 	{""}
393 };
394 
395 static const unsigned char sha1_test_sum[3][20] = {
396 	{0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
397 	 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
398 	{0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
399 	 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
400 	{0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
401 	 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
402 };
403 
404 /*
405  * Checkup routine
406  */
407 int sha1_self_test (void)
408 {
409 	int i, j;
410 	unsigned char buf[1000];
411 	unsigned char sha1sum[20];
412 	sha1_context ctx;
413 
414 	for (i = 0; i < 3; i++) {
415 		printf ("  SHA-1 test #%d: ", i + 1);
416 
417 		sha1_starts (&ctx);
418 
419 		if (i < 2)
420 			sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
421 				     strlen (sha1_test_str[i]));
422 		else {
423 			memset (buf, 'a', 1000);
424 			for (j = 0; j < 1000; j++)
425 				sha1_update (&ctx, buf, 1000);
426 		}
427 
428 		sha1_finish (&ctx, sha1sum);
429 
430 		if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
431 			printf ("failed\n");
432 			return (1);
433 		}
434 
435 		printf ("passed\n");
436 	}
437 
438 	printf ("\n");
439 	return (0);
440 }
441 #else
442 int sha1_self_test (void)
443 {
444 	return (0);
445 }
446 #endif
447