1 // SPDX-License-Identifier: LGPL-2.1 2 /* 3 * Heiko Schocher, DENX Software Engineering, hs@denx.de. 4 * based on: 5 * FIPS-180-1 compliant SHA-1 implementation 6 * 7 * Copyright (C) 2003-2006 Christophe Devine 8 */ 9 /* 10 * The SHA-1 standard was published by NIST in 1993. 11 * 12 * http://www.itl.nist.gov/fipspubs/fip180-1.htm 13 */ 14 15 #ifndef _CRT_SECURE_NO_DEPRECATE 16 #define _CRT_SECURE_NO_DEPRECATE 1 17 #endif 18 19 #ifndef USE_HOSTCC 20 #include <common.h> 21 #include <linux/string.h> 22 #else 23 #include <string.h> 24 #endif /* USE_HOSTCC */ 25 #include <watchdog.h> 26 #include <u-boot/sha1.h> 27 28 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = { 29 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 30 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 31 }; 32 33 /* 34 * 32-bit integer manipulation macros (big endian) 35 */ 36 #ifndef GET_UINT32_BE 37 #define GET_UINT32_BE(n,b,i) { \ 38 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \ 39 | ( (unsigned long) (b)[(i) + 1] << 16 ) \ 40 | ( (unsigned long) (b)[(i) + 2] << 8 ) \ 41 | ( (unsigned long) (b)[(i) + 3] ); \ 42 } 43 #endif 44 #ifndef PUT_UINT32_BE 45 #define PUT_UINT32_BE(n,b,i) { \ 46 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 47 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 48 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 49 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 50 } 51 #endif 52 53 /* 54 * SHA-1 context setup 55 */ 56 void sha1_starts (sha1_context * ctx) 57 { 58 ctx->total[0] = 0; 59 ctx->total[1] = 0; 60 61 ctx->state[0] = 0x67452301; 62 ctx->state[1] = 0xEFCDAB89; 63 ctx->state[2] = 0x98BADCFE; 64 ctx->state[3] = 0x10325476; 65 ctx->state[4] = 0xC3D2E1F0; 66 } 67 68 static void sha1_process(sha1_context *ctx, const unsigned char data[64]) 69 { 70 unsigned long temp, W[16], A, B, C, D, E; 71 72 GET_UINT32_BE (W[0], data, 0); 73 GET_UINT32_BE (W[1], data, 4); 74 GET_UINT32_BE (W[2], data, 8); 75 GET_UINT32_BE (W[3], data, 12); 76 GET_UINT32_BE (W[4], data, 16); 77 GET_UINT32_BE (W[5], data, 20); 78 GET_UINT32_BE (W[6], data, 24); 79 GET_UINT32_BE (W[7], data, 28); 80 GET_UINT32_BE (W[8], data, 32); 81 GET_UINT32_BE (W[9], data, 36); 82 GET_UINT32_BE (W[10], data, 40); 83 GET_UINT32_BE (W[11], data, 44); 84 GET_UINT32_BE (W[12], data, 48); 85 GET_UINT32_BE (W[13], data, 52); 86 GET_UINT32_BE (W[14], data, 56); 87 GET_UINT32_BE (W[15], data, 60); 88 89 #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) 90 91 #define R(t) ( \ 92 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \ 93 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \ 94 ( W[t & 0x0F] = S(temp,1) ) \ 95 ) 96 97 #define P(a,b,c,d,e,x) { \ 98 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \ 99 } 100 101 A = ctx->state[0]; 102 B = ctx->state[1]; 103 C = ctx->state[2]; 104 D = ctx->state[3]; 105 E = ctx->state[4]; 106 107 #define F(x,y,z) (z ^ (x & (y ^ z))) 108 #define K 0x5A827999 109 110 P (A, B, C, D, E, W[0]); 111 P (E, A, B, C, D, W[1]); 112 P (D, E, A, B, C, W[2]); 113 P (C, D, E, A, B, W[3]); 114 P (B, C, D, E, A, W[4]); 115 P (A, B, C, D, E, W[5]); 116 P (E, A, B, C, D, W[6]); 117 P (D, E, A, B, C, W[7]); 118 P (C, D, E, A, B, W[8]); 119 P (B, C, D, E, A, W[9]); 120 P (A, B, C, D, E, W[10]); 121 P (E, A, B, C, D, W[11]); 122 P (D, E, A, B, C, W[12]); 123 P (C, D, E, A, B, W[13]); 124 P (B, C, D, E, A, W[14]); 125 P (A, B, C, D, E, W[15]); 126 P (E, A, B, C, D, R (16)); 127 P (D, E, A, B, C, R (17)); 128 P (C, D, E, A, B, R (18)); 129 P (B, C, D, E, A, R (19)); 130 131 #undef K 132 #undef F 133 134 #define F(x,y,z) (x ^ y ^ z) 135 #define K 0x6ED9EBA1 136 137 P (A, B, C, D, E, R (20)); 138 P (E, A, B, C, D, R (21)); 139 P (D, E, A, B, C, R (22)); 140 P (C, D, E, A, B, R (23)); 141 P (B, C, D, E, A, R (24)); 142 P (A, B, C, D, E, R (25)); 143 P (E, A, B, C, D, R (26)); 144 P (D, E, A, B, C, R (27)); 145 P (C, D, E, A, B, R (28)); 146 P (B, C, D, E, A, R (29)); 147 P (A, B, C, D, E, R (30)); 148 P (E, A, B, C, D, R (31)); 149 P (D, E, A, B, C, R (32)); 150 P (C, D, E, A, B, R (33)); 151 P (B, C, D, E, A, R (34)); 152 P (A, B, C, D, E, R (35)); 153 P (E, A, B, C, D, R (36)); 154 P (D, E, A, B, C, R (37)); 155 P (C, D, E, A, B, R (38)); 156 P (B, C, D, E, A, R (39)); 157 158 #undef K 159 #undef F 160 161 #define F(x,y,z) ((x & y) | (z & (x | y))) 162 #define K 0x8F1BBCDC 163 164 P (A, B, C, D, E, R (40)); 165 P (E, A, B, C, D, R (41)); 166 P (D, E, A, B, C, R (42)); 167 P (C, D, E, A, B, R (43)); 168 P (B, C, D, E, A, R (44)); 169 P (A, B, C, D, E, R (45)); 170 P (E, A, B, C, D, R (46)); 171 P (D, E, A, B, C, R (47)); 172 P (C, D, E, A, B, R (48)); 173 P (B, C, D, E, A, R (49)); 174 P (A, B, C, D, E, R (50)); 175 P (E, A, B, C, D, R (51)); 176 P (D, E, A, B, C, R (52)); 177 P (C, D, E, A, B, R (53)); 178 P (B, C, D, E, A, R (54)); 179 P (A, B, C, D, E, R (55)); 180 P (E, A, B, C, D, R (56)); 181 P (D, E, A, B, C, R (57)); 182 P (C, D, E, A, B, R (58)); 183 P (B, C, D, E, A, R (59)); 184 185 #undef K 186 #undef F 187 188 #define F(x,y,z) (x ^ y ^ z) 189 #define K 0xCA62C1D6 190 191 P (A, B, C, D, E, R (60)); 192 P (E, A, B, C, D, R (61)); 193 P (D, E, A, B, C, R (62)); 194 P (C, D, E, A, B, R (63)); 195 P (B, C, D, E, A, R (64)); 196 P (A, B, C, D, E, R (65)); 197 P (E, A, B, C, D, R (66)); 198 P (D, E, A, B, C, R (67)); 199 P (C, D, E, A, B, R (68)); 200 P (B, C, D, E, A, R (69)); 201 P (A, B, C, D, E, R (70)); 202 P (E, A, B, C, D, R (71)); 203 P (D, E, A, B, C, R (72)); 204 P (C, D, E, A, B, R (73)); 205 P (B, C, D, E, A, R (74)); 206 P (A, B, C, D, E, R (75)); 207 P (E, A, B, C, D, R (76)); 208 P (D, E, A, B, C, R (77)); 209 P (C, D, E, A, B, R (78)); 210 P (B, C, D, E, A, R (79)); 211 212 #undef K 213 #undef F 214 215 ctx->state[0] += A; 216 ctx->state[1] += B; 217 ctx->state[2] += C; 218 ctx->state[3] += D; 219 ctx->state[4] += E; 220 } 221 222 /* 223 * SHA-1 process buffer 224 */ 225 void sha1_update(sha1_context *ctx, const unsigned char *input, 226 unsigned int ilen) 227 { 228 int fill; 229 unsigned long left; 230 231 if (ilen <= 0) 232 return; 233 234 left = ctx->total[0] & 0x3F; 235 fill = 64 - left; 236 237 ctx->total[0] += ilen; 238 ctx->total[0] &= 0xFFFFFFFF; 239 240 if (ctx->total[0] < (unsigned long) ilen) 241 ctx->total[1]++; 242 243 if (left && ilen >= fill) { 244 memcpy ((void *) (ctx->buffer + left), (void *) input, fill); 245 sha1_process (ctx, ctx->buffer); 246 input += fill; 247 ilen -= fill; 248 left = 0; 249 } 250 251 while (ilen >= 64) { 252 sha1_process (ctx, input); 253 input += 64; 254 ilen -= 64; 255 } 256 257 if (ilen > 0) { 258 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen); 259 } 260 } 261 262 static const unsigned char sha1_padding[64] = { 263 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 264 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 265 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 266 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 267 }; 268 269 /* 270 * SHA-1 final digest 271 */ 272 void sha1_finish (sha1_context * ctx, unsigned char output[20]) 273 { 274 unsigned long last, padn; 275 unsigned long high, low; 276 unsigned char msglen[8]; 277 278 high = (ctx->total[0] >> 29) 279 | (ctx->total[1] << 3); 280 low = (ctx->total[0] << 3); 281 282 PUT_UINT32_BE (high, msglen, 0); 283 PUT_UINT32_BE (low, msglen, 4); 284 285 last = ctx->total[0] & 0x3F; 286 padn = (last < 56) ? (56 - last) : (120 - last); 287 288 sha1_update (ctx, (unsigned char *) sha1_padding, padn); 289 sha1_update (ctx, msglen, 8); 290 291 PUT_UINT32_BE (ctx->state[0], output, 0); 292 PUT_UINT32_BE (ctx->state[1], output, 4); 293 PUT_UINT32_BE (ctx->state[2], output, 8); 294 PUT_UINT32_BE (ctx->state[3], output, 12); 295 PUT_UINT32_BE (ctx->state[4], output, 16); 296 } 297 298 /* 299 * Output = SHA-1( input buffer ) 300 */ 301 void sha1_csum(const unsigned char *input, unsigned int ilen, 302 unsigned char *output) 303 { 304 sha1_context ctx; 305 306 sha1_starts (&ctx); 307 sha1_update (&ctx, input, ilen); 308 sha1_finish (&ctx, output); 309 } 310 311 /* 312 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz' 313 * bytes of input processed. 314 */ 315 void sha1_csum_wd(const unsigned char *input, unsigned int ilen, 316 unsigned char *output, unsigned int chunk_sz) 317 { 318 sha1_context ctx; 319 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 320 const unsigned char *end, *curr; 321 int chunk; 322 #endif 323 324 sha1_starts (&ctx); 325 326 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 327 curr = input; 328 end = input + ilen; 329 while (curr < end) { 330 chunk = end - curr; 331 if (chunk > chunk_sz) 332 chunk = chunk_sz; 333 sha1_update (&ctx, curr, chunk); 334 curr += chunk; 335 WATCHDOG_RESET (); 336 } 337 #else 338 sha1_update (&ctx, input, ilen); 339 #endif 340 341 sha1_finish (&ctx, output); 342 } 343 344 /* 345 * Output = HMAC-SHA-1( input buffer, hmac key ) 346 */ 347 void sha1_hmac(const unsigned char *key, int keylen, 348 const unsigned char *input, unsigned int ilen, 349 unsigned char *output) 350 { 351 int i; 352 sha1_context ctx; 353 unsigned char k_ipad[64]; 354 unsigned char k_opad[64]; 355 unsigned char tmpbuf[20]; 356 357 memset (k_ipad, 0x36, 64); 358 memset (k_opad, 0x5C, 64); 359 360 for (i = 0; i < keylen; i++) { 361 if (i >= 64) 362 break; 363 364 k_ipad[i] ^= key[i]; 365 k_opad[i] ^= key[i]; 366 } 367 368 sha1_starts (&ctx); 369 sha1_update (&ctx, k_ipad, 64); 370 sha1_update (&ctx, input, ilen); 371 sha1_finish (&ctx, tmpbuf); 372 373 sha1_starts (&ctx); 374 sha1_update (&ctx, k_opad, 64); 375 sha1_update (&ctx, tmpbuf, 20); 376 sha1_finish (&ctx, output); 377 378 memset (k_ipad, 0, 64); 379 memset (k_opad, 0, 64); 380 memset (tmpbuf, 0, 20); 381 memset (&ctx, 0, sizeof (sha1_context)); 382 } 383 384 #ifdef SELF_TEST 385 /* 386 * FIPS-180-1 test vectors 387 */ 388 static const char sha1_test_str[3][57] = { 389 {"abc"}, 390 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"}, 391 {""} 392 }; 393 394 static const unsigned char sha1_test_sum[3][20] = { 395 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E, 396 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D}, 397 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE, 398 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1}, 399 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E, 400 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F} 401 }; 402 403 /* 404 * Checkup routine 405 */ 406 int sha1_self_test (void) 407 { 408 int i, j; 409 unsigned char buf[1000]; 410 unsigned char sha1sum[20]; 411 sha1_context ctx; 412 413 for (i = 0; i < 3; i++) { 414 printf (" SHA-1 test #%d: ", i + 1); 415 416 sha1_starts (&ctx); 417 418 if (i < 2) 419 sha1_update (&ctx, (unsigned char *) sha1_test_str[i], 420 strlen (sha1_test_str[i])); 421 else { 422 memset (buf, 'a', 1000); 423 for (j = 0; j < 1000; j++) 424 sha1_update (&ctx, buf, 1000); 425 } 426 427 sha1_finish (&ctx, sha1sum); 428 429 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) { 430 printf ("failed\n"); 431 return (1); 432 } 433 434 printf ("passed\n"); 435 } 436 437 printf ("\n"); 438 return (0); 439 } 440 #else 441 int sha1_self_test (void) 442 { 443 return (0); 444 } 445 #endif 446