1// SPDX-License-Identifier: LGPL-2.1
2/*
3 *  Heiko Schocher, DENX Software Engineering, hs@denx.de.
4 *  based on:
5 *  FIPS-180-1 compliant SHA-1 implementation
6 *
7 *  Copyright (C) 2003-2006  Christophe Devine
8 */
9/*
10 *  The SHA-1 standard was published by NIST in 1993.
11 *
12 *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
13 */
14
15#ifndef _CRT_SECURE_NO_DEPRECATE
16#define _CRT_SECURE_NO_DEPRECATE 1
17#endif
18
19#ifndef USE_HOSTCC
20#include <cyclic.h>
21#endif /* USE_HOSTCC */
22#include <string.h>
23#include <u-boot/sha1.h>
24
25#include <linux/compiler_attributes.h>
26
27const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
28	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
29	0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
30};
31
32/*
33 * 32-bit integer manipulation macros (big endian)
34 */
35#ifndef GET_UINT32_BE
36#define GET_UINT32_BE(n,b,i) {				\
37	(n) = ( (unsigned long) (b)[(i)    ] << 24 )	\
38	    | ( (unsigned long) (b)[(i) + 1] << 16 )	\
39	    | ( (unsigned long) (b)[(i) + 2] <<  8 )	\
40	    | ( (unsigned long) (b)[(i) + 3]       );	\
41}
42#endif
43#ifndef PUT_UINT32_BE
44#define PUT_UINT32_BE(n,b,i) {				\
45	(b)[(i)    ] = (unsigned char) ( (n) >> 24 );	\
46	(b)[(i) + 1] = (unsigned char) ( (n) >> 16 );	\
47	(b)[(i) + 2] = (unsigned char) ( (n) >>  8 );	\
48	(b)[(i) + 3] = (unsigned char) ( (n)       );	\
49}
50#endif
51
52/*
53 * SHA-1 context setup
54 */
55void sha1_starts (sha1_context * ctx)
56{
57	ctx->total[0] = 0;
58	ctx->total[1] = 0;
59
60	ctx->state[0] = 0x67452301;
61	ctx->state[1] = 0xEFCDAB89;
62	ctx->state[2] = 0x98BADCFE;
63	ctx->state[3] = 0x10325476;
64	ctx->state[4] = 0xC3D2E1F0;
65}
66
67static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64])
68{
69	unsigned long temp, W[16], A, B, C, D, E;
70
71	GET_UINT32_BE (W[0], data, 0);
72	GET_UINT32_BE (W[1], data, 4);
73	GET_UINT32_BE (W[2], data, 8);
74	GET_UINT32_BE (W[3], data, 12);
75	GET_UINT32_BE (W[4], data, 16);
76	GET_UINT32_BE (W[5], data, 20);
77	GET_UINT32_BE (W[6], data, 24);
78	GET_UINT32_BE (W[7], data, 28);
79	GET_UINT32_BE (W[8], data, 32);
80	GET_UINT32_BE (W[9], data, 36);
81	GET_UINT32_BE (W[10], data, 40);
82	GET_UINT32_BE (W[11], data, 44);
83	GET_UINT32_BE (W[12], data, 48);
84	GET_UINT32_BE (W[13], data, 52);
85	GET_UINT32_BE (W[14], data, 56);
86	GET_UINT32_BE (W[15], data, 60);
87
88#define S(x,n)	((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
89
90#define R(t) (						\
91	temp = W[(t -  3) & 0x0F] ^ W[(t - 8) & 0x0F] ^	\
92	       W[(t - 14) & 0x0F] ^ W[ t      & 0x0F],	\
93	( W[t & 0x0F] = S(temp,1) )			\
94)
95
96#define P(a,b,c,d,e,x)	{				\
97	e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);	\
98}
99
100	A = ctx->state[0];
101	B = ctx->state[1];
102	C = ctx->state[2];
103	D = ctx->state[3];
104	E = ctx->state[4];
105
106#define F(x,y,z) (z ^ (x & (y ^ z)))
107#define K 0x5A827999
108
109	P (A, B, C, D, E, W[0]);
110	P (E, A, B, C, D, W[1]);
111	P (D, E, A, B, C, W[2]);
112	P (C, D, E, A, B, W[3]);
113	P (B, C, D, E, A, W[4]);
114	P (A, B, C, D, E, W[5]);
115	P (E, A, B, C, D, W[6]);
116	P (D, E, A, B, C, W[7]);
117	P (C, D, E, A, B, W[8]);
118	P (B, C, D, E, A, W[9]);
119	P (A, B, C, D, E, W[10]);
120	P (E, A, B, C, D, W[11]);
121	P (D, E, A, B, C, W[12]);
122	P (C, D, E, A, B, W[13]);
123	P (B, C, D, E, A, W[14]);
124	P (A, B, C, D, E, W[15]);
125	P (E, A, B, C, D, R (16));
126	P (D, E, A, B, C, R (17));
127	P (C, D, E, A, B, R (18));
128	P (B, C, D, E, A, R (19));
129
130#undef K
131#undef F
132
133#define F(x,y,z) (x ^ y ^ z)
134#define K 0x6ED9EBA1
135
136	P (A, B, C, D, E, R (20));
137	P (E, A, B, C, D, R (21));
138	P (D, E, A, B, C, R (22));
139	P (C, D, E, A, B, R (23));
140	P (B, C, D, E, A, R (24));
141	P (A, B, C, D, E, R (25));
142	P (E, A, B, C, D, R (26));
143	P (D, E, A, B, C, R (27));
144	P (C, D, E, A, B, R (28));
145	P (B, C, D, E, A, R (29));
146	P (A, B, C, D, E, R (30));
147	P (E, A, B, C, D, R (31));
148	P (D, E, A, B, C, R (32));
149	P (C, D, E, A, B, R (33));
150	P (B, C, D, E, A, R (34));
151	P (A, B, C, D, E, R (35));
152	P (E, A, B, C, D, R (36));
153	P (D, E, A, B, C, R (37));
154	P (C, D, E, A, B, R (38));
155	P (B, C, D, E, A, R (39));
156
157#undef K
158#undef F
159
160#define F(x,y,z) ((x & y) | (z & (x | y)))
161#define K 0x8F1BBCDC
162
163	P (A, B, C, D, E, R (40));
164	P (E, A, B, C, D, R (41));
165	P (D, E, A, B, C, R (42));
166	P (C, D, E, A, B, R (43));
167	P (B, C, D, E, A, R (44));
168	P (A, B, C, D, E, R (45));
169	P (E, A, B, C, D, R (46));
170	P (D, E, A, B, C, R (47));
171	P (C, D, E, A, B, R (48));
172	P (B, C, D, E, A, R (49));
173	P (A, B, C, D, E, R (50));
174	P (E, A, B, C, D, R (51));
175	P (D, E, A, B, C, R (52));
176	P (C, D, E, A, B, R (53));
177	P (B, C, D, E, A, R (54));
178	P (A, B, C, D, E, R (55));
179	P (E, A, B, C, D, R (56));
180	P (D, E, A, B, C, R (57));
181	P (C, D, E, A, B, R (58));
182	P (B, C, D, E, A, R (59));
183
184#undef K
185#undef F
186
187#define F(x,y,z) (x ^ y ^ z)
188#define K 0xCA62C1D6
189
190	P (A, B, C, D, E, R (60));
191	P (E, A, B, C, D, R (61));
192	P (D, E, A, B, C, R (62));
193	P (C, D, E, A, B, R (63));
194	P (B, C, D, E, A, R (64));
195	P (A, B, C, D, E, R (65));
196	P (E, A, B, C, D, R (66));
197	P (D, E, A, B, C, R (67));
198	P (C, D, E, A, B, R (68));
199	P (B, C, D, E, A, R (69));
200	P (A, B, C, D, E, R (70));
201	P (E, A, B, C, D, R (71));
202	P (D, E, A, B, C, R (72));
203	P (C, D, E, A, B, R (73));
204	P (B, C, D, E, A, R (74));
205	P (A, B, C, D, E, R (75));
206	P (E, A, B, C, D, R (76));
207	P (D, E, A, B, C, R (77));
208	P (C, D, E, A, B, R (78));
209	P (B, C, D, E, A, R (79));
210
211#undef K
212#undef F
213
214	ctx->state[0] += A;
215	ctx->state[1] += B;
216	ctx->state[2] += C;
217	ctx->state[3] += D;
218	ctx->state[4] += E;
219}
220
221__weak void sha1_process(sha1_context *ctx, const unsigned char *data,
222			 unsigned int blocks)
223{
224	if (!blocks)
225		return;
226
227	while (blocks--) {
228		sha1_process_one(ctx, data);
229		data += 64;
230	}
231}
232
233/*
234 * SHA-1 process buffer
235 */
236void sha1_update(sha1_context *ctx, const unsigned char *input,
237		 unsigned int ilen)
238{
239	int fill;
240	unsigned long left;
241
242	if (ilen <= 0)
243		return;
244
245	left = ctx->total[0] & 0x3F;
246	fill = 64 - left;
247
248	ctx->total[0] += ilen;
249	ctx->total[0] &= 0xFFFFFFFF;
250
251	if (ctx->total[0] < (unsigned long) ilen)
252		ctx->total[1]++;
253
254	if (left && ilen >= fill) {
255		memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
256		sha1_process(ctx, ctx->buffer, 1);
257		input += fill;
258		ilen -= fill;
259		left = 0;
260	}
261
262	sha1_process(ctx, input, ilen / 64);
263	input += ilen / 64 * 64;
264	ilen = ilen % 64;
265
266	if (ilen > 0) {
267		memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
268	}
269}
270
271static const unsigned char sha1_padding[64] = {
272	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
273	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
274	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
275	   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
276};
277
278/*
279 * SHA-1 final digest
280 */
281void sha1_finish (sha1_context * ctx, unsigned char output[20])
282{
283	unsigned long last, padn;
284	unsigned long high, low;
285	unsigned char msglen[8];
286
287	high = (ctx->total[0] >> 29)
288		| (ctx->total[1] << 3);
289	low = (ctx->total[0] << 3);
290
291	PUT_UINT32_BE (high, msglen, 0);
292	PUT_UINT32_BE (low, msglen, 4);
293
294	last = ctx->total[0] & 0x3F;
295	padn = (last < 56) ? (56 - last) : (120 - last);
296
297	sha1_update (ctx, (unsigned char *) sha1_padding, padn);
298	sha1_update (ctx, msglen, 8);
299
300	PUT_UINT32_BE (ctx->state[0], output, 0);
301	PUT_UINT32_BE (ctx->state[1], output, 4);
302	PUT_UINT32_BE (ctx->state[2], output, 8);
303	PUT_UINT32_BE (ctx->state[3], output, 12);
304	PUT_UINT32_BE (ctx->state[4], output, 16);
305}
306
307/*
308 * Output = SHA-1( input buffer )
309 */
310void sha1_csum(const unsigned char *input, unsigned int ilen,
311	       unsigned char *output)
312{
313	sha1_context ctx;
314
315	sha1_starts (&ctx);
316	sha1_update (&ctx, input, ilen);
317	sha1_finish (&ctx, output);
318}
319
320/*
321 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
322 * bytes of input processed.
323 */
324void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
325		  unsigned char *output, unsigned int chunk_sz)
326{
327	sha1_context ctx;
328#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
329	const unsigned char *end, *curr;
330	int chunk;
331#endif
332
333	sha1_starts (&ctx);
334
335#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
336	curr = input;
337	end = input + ilen;
338	while (curr < end) {
339		chunk = end - curr;
340		if (chunk > chunk_sz)
341			chunk = chunk_sz;
342		sha1_update (&ctx, curr, chunk);
343		curr += chunk;
344		schedule();
345	}
346#else
347	sha1_update (&ctx, input, ilen);
348#endif
349
350	sha1_finish (&ctx, output);
351}
352
353/*
354 * Output = HMAC-SHA-1( input buffer, hmac key )
355 */
356void sha1_hmac(const unsigned char *key, int keylen,
357	       const unsigned char *input, unsigned int ilen,
358	       unsigned char *output)
359{
360	int i;
361	sha1_context ctx;
362	unsigned char k_ipad[64];
363	unsigned char k_opad[64];
364	unsigned char tmpbuf[20];
365
366	memset (k_ipad, 0x36, 64);
367	memset (k_opad, 0x5C, 64);
368
369	for (i = 0; i < keylen; i++) {
370		if (i >= 64)
371			break;
372
373		k_ipad[i] ^= key[i];
374		k_opad[i] ^= key[i];
375	}
376
377	sha1_starts (&ctx);
378	sha1_update (&ctx, k_ipad, 64);
379	sha1_update (&ctx, input, ilen);
380	sha1_finish (&ctx, tmpbuf);
381
382	sha1_starts (&ctx);
383	sha1_update (&ctx, k_opad, 64);
384	sha1_update (&ctx, tmpbuf, 20);
385	sha1_finish (&ctx, output);
386
387	memset (k_ipad, 0, 64);
388	memset (k_opad, 0, 64);
389	memset (tmpbuf, 0, 20);
390	memset (&ctx, 0, sizeof (sha1_context));
391}
392
393#ifdef SELF_TEST
394/*
395 * FIPS-180-1 test vectors
396 */
397static const char sha1_test_str[3][57] = {
398	{"abc"},
399	{"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
400	{""}
401};
402
403static const unsigned char sha1_test_sum[3][20] = {
404	{0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
405	 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
406	{0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
407	 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
408	{0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
409	 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
410};
411
412/*
413 * Checkup routine
414 */
415int sha1_self_test (void)
416{
417	int i, j;
418	unsigned char buf[1000];
419	unsigned char sha1sum[20];
420	sha1_context ctx;
421
422	for (i = 0; i < 3; i++) {
423		printf ("  SHA-1 test #%d: ", i + 1);
424
425		sha1_starts (&ctx);
426
427		if (i < 2)
428			sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
429				     strlen (sha1_test_str[i]));
430		else {
431			memset (buf, 'a', 1000);
432			for (j = 0; j < 1000; j++)
433				sha1_update (&ctx, buf, 1000);
434		}
435
436		sha1_finish (&ctx, sha1sum);
437
438		if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
439			printf ("failed\n");
440			return (1);
441		}
442
443		printf ("passed\n");
444	}
445
446	printf ("\n");
447	return (0);
448}
449#else
450int sha1_self_test (void)
451{
452	return (0);
453}
454#endif
455