1// SPDX-License-Identifier: LGPL-2.1 2/* 3 * Heiko Schocher, DENX Software Engineering, hs@denx.de. 4 * based on: 5 * FIPS-180-1 compliant SHA-1 implementation 6 * 7 * Copyright (C) 2003-2006 Christophe Devine 8 */ 9/* 10 * The SHA-1 standard was published by NIST in 1993. 11 * 12 * http://www.itl.nist.gov/fipspubs/fip180-1.htm 13 */ 14 15#ifndef _CRT_SECURE_NO_DEPRECATE 16#define _CRT_SECURE_NO_DEPRECATE 1 17#endif 18 19#ifndef USE_HOSTCC 20#include <cyclic.h> 21#endif /* USE_HOSTCC */ 22#include <string.h> 23#include <u-boot/sha1.h> 24 25#include <linux/compiler_attributes.h> 26 27const uint8_t sha1_der_prefix[SHA1_DER_LEN] = { 28 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 29 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 30}; 31 32/* 33 * 32-bit integer manipulation macros (big endian) 34 */ 35#ifndef GET_UINT32_BE 36#define GET_UINT32_BE(n,b,i) { \ 37 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \ 38 | ( (unsigned long) (b)[(i) + 1] << 16 ) \ 39 | ( (unsigned long) (b)[(i) + 2] << 8 ) \ 40 | ( (unsigned long) (b)[(i) + 3] ); \ 41} 42#endif 43#ifndef PUT_UINT32_BE 44#define PUT_UINT32_BE(n,b,i) { \ 45 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 46 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 47 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 48 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 49} 50#endif 51 52/* 53 * SHA-1 context setup 54 */ 55void sha1_starts (sha1_context * ctx) 56{ 57 ctx->total[0] = 0; 58 ctx->total[1] = 0; 59 60 ctx->state[0] = 0x67452301; 61 ctx->state[1] = 0xEFCDAB89; 62 ctx->state[2] = 0x98BADCFE; 63 ctx->state[3] = 0x10325476; 64 ctx->state[4] = 0xC3D2E1F0; 65} 66 67static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64]) 68{ 69 unsigned long temp, W[16], A, B, C, D, E; 70 71 GET_UINT32_BE (W[0], data, 0); 72 GET_UINT32_BE (W[1], data, 4); 73 GET_UINT32_BE (W[2], data, 8); 74 GET_UINT32_BE (W[3], data, 12); 75 GET_UINT32_BE (W[4], data, 16); 76 GET_UINT32_BE (W[5], data, 20); 77 GET_UINT32_BE (W[6], data, 24); 78 GET_UINT32_BE (W[7], data, 28); 79 GET_UINT32_BE (W[8], data, 32); 80 GET_UINT32_BE (W[9], data, 36); 81 GET_UINT32_BE (W[10], data, 40); 82 GET_UINT32_BE (W[11], data, 44); 83 GET_UINT32_BE (W[12], data, 48); 84 GET_UINT32_BE (W[13], data, 52); 85 GET_UINT32_BE (W[14], data, 56); 86 GET_UINT32_BE (W[15], data, 60); 87 88#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) 89 90#define R(t) ( \ 91 temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \ 92 W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \ 93 ( W[t & 0x0F] = S(temp,1) ) \ 94) 95 96#define P(a,b,c,d,e,x) { \ 97 e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \ 98} 99 100 A = ctx->state[0]; 101 B = ctx->state[1]; 102 C = ctx->state[2]; 103 D = ctx->state[3]; 104 E = ctx->state[4]; 105 106#define F(x,y,z) (z ^ (x & (y ^ z))) 107#define K 0x5A827999 108 109 P (A, B, C, D, E, W[0]); 110 P (E, A, B, C, D, W[1]); 111 P (D, E, A, B, C, W[2]); 112 P (C, D, E, A, B, W[3]); 113 P (B, C, D, E, A, W[4]); 114 P (A, B, C, D, E, W[5]); 115 P (E, A, B, C, D, W[6]); 116 P (D, E, A, B, C, W[7]); 117 P (C, D, E, A, B, W[8]); 118 P (B, C, D, E, A, W[9]); 119 P (A, B, C, D, E, W[10]); 120 P (E, A, B, C, D, W[11]); 121 P (D, E, A, B, C, W[12]); 122 P (C, D, E, A, B, W[13]); 123 P (B, C, D, E, A, W[14]); 124 P (A, B, C, D, E, W[15]); 125 P (E, A, B, C, D, R (16)); 126 P (D, E, A, B, C, R (17)); 127 P (C, D, E, A, B, R (18)); 128 P (B, C, D, E, A, R (19)); 129 130#undef K 131#undef F 132 133#define F(x,y,z) (x ^ y ^ z) 134#define K 0x6ED9EBA1 135 136 P (A, B, C, D, E, R (20)); 137 P (E, A, B, C, D, R (21)); 138 P (D, E, A, B, C, R (22)); 139 P (C, D, E, A, B, R (23)); 140 P (B, C, D, E, A, R (24)); 141 P (A, B, C, D, E, R (25)); 142 P (E, A, B, C, D, R (26)); 143 P (D, E, A, B, C, R (27)); 144 P (C, D, E, A, B, R (28)); 145 P (B, C, D, E, A, R (29)); 146 P (A, B, C, D, E, R (30)); 147 P (E, A, B, C, D, R (31)); 148 P (D, E, A, B, C, R (32)); 149 P (C, D, E, A, B, R (33)); 150 P (B, C, D, E, A, R (34)); 151 P (A, B, C, D, E, R (35)); 152 P (E, A, B, C, D, R (36)); 153 P (D, E, A, B, C, R (37)); 154 P (C, D, E, A, B, R (38)); 155 P (B, C, D, E, A, R (39)); 156 157#undef K 158#undef F 159 160#define F(x,y,z) ((x & y) | (z & (x | y))) 161#define K 0x8F1BBCDC 162 163 P (A, B, C, D, E, R (40)); 164 P (E, A, B, C, D, R (41)); 165 P (D, E, A, B, C, R (42)); 166 P (C, D, E, A, B, R (43)); 167 P (B, C, D, E, A, R (44)); 168 P (A, B, C, D, E, R (45)); 169 P (E, A, B, C, D, R (46)); 170 P (D, E, A, B, C, R (47)); 171 P (C, D, E, A, B, R (48)); 172 P (B, C, D, E, A, R (49)); 173 P (A, B, C, D, E, R (50)); 174 P (E, A, B, C, D, R (51)); 175 P (D, E, A, B, C, R (52)); 176 P (C, D, E, A, B, R (53)); 177 P (B, C, D, E, A, R (54)); 178 P (A, B, C, D, E, R (55)); 179 P (E, A, B, C, D, R (56)); 180 P (D, E, A, B, C, R (57)); 181 P (C, D, E, A, B, R (58)); 182 P (B, C, D, E, A, R (59)); 183 184#undef K 185#undef F 186 187#define F(x,y,z) (x ^ y ^ z) 188#define K 0xCA62C1D6 189 190 P (A, B, C, D, E, R (60)); 191 P (E, A, B, C, D, R (61)); 192 P (D, E, A, B, C, R (62)); 193 P (C, D, E, A, B, R (63)); 194 P (B, C, D, E, A, R (64)); 195 P (A, B, C, D, E, R (65)); 196 P (E, A, B, C, D, R (66)); 197 P (D, E, A, B, C, R (67)); 198 P (C, D, E, A, B, R (68)); 199 P (B, C, D, E, A, R (69)); 200 P (A, B, C, D, E, R (70)); 201 P (E, A, B, C, D, R (71)); 202 P (D, E, A, B, C, R (72)); 203 P (C, D, E, A, B, R (73)); 204 P (B, C, D, E, A, R (74)); 205 P (A, B, C, D, E, R (75)); 206 P (E, A, B, C, D, R (76)); 207 P (D, E, A, B, C, R (77)); 208 P (C, D, E, A, B, R (78)); 209 P (B, C, D, E, A, R (79)); 210 211#undef K 212#undef F 213 214 ctx->state[0] += A; 215 ctx->state[1] += B; 216 ctx->state[2] += C; 217 ctx->state[3] += D; 218 ctx->state[4] += E; 219} 220 221__weak void sha1_process(sha1_context *ctx, const unsigned char *data, 222 unsigned int blocks) 223{ 224 if (!blocks) 225 return; 226 227 while (blocks--) { 228 sha1_process_one(ctx, data); 229 data += 64; 230 } 231} 232 233/* 234 * SHA-1 process buffer 235 */ 236void sha1_update(sha1_context *ctx, const unsigned char *input, 237 unsigned int ilen) 238{ 239 int fill; 240 unsigned long left; 241 242 if (ilen <= 0) 243 return; 244 245 left = ctx->total[0] & 0x3F; 246 fill = 64 - left; 247 248 ctx->total[0] += ilen; 249 ctx->total[0] &= 0xFFFFFFFF; 250 251 if (ctx->total[0] < (unsigned long) ilen) 252 ctx->total[1]++; 253 254 if (left && ilen >= fill) { 255 memcpy ((void *) (ctx->buffer + left), (void *) input, fill); 256 sha1_process(ctx, ctx->buffer, 1); 257 input += fill; 258 ilen -= fill; 259 left = 0; 260 } 261 262 sha1_process(ctx, input, ilen / 64); 263 input += ilen / 64 * 64; 264 ilen = ilen % 64; 265 266 if (ilen > 0) { 267 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen); 268 } 269} 270 271static const unsigned char sha1_padding[64] = { 272 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 273 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 274 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 275 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 276}; 277 278/* 279 * SHA-1 final digest 280 */ 281void sha1_finish (sha1_context * ctx, unsigned char output[20]) 282{ 283 unsigned long last, padn; 284 unsigned long high, low; 285 unsigned char msglen[8]; 286 287 high = (ctx->total[0] >> 29) 288 | (ctx->total[1] << 3); 289 low = (ctx->total[0] << 3); 290 291 PUT_UINT32_BE (high, msglen, 0); 292 PUT_UINT32_BE (low, msglen, 4); 293 294 last = ctx->total[0] & 0x3F; 295 padn = (last < 56) ? (56 - last) : (120 - last); 296 297 sha1_update (ctx, (unsigned char *) sha1_padding, padn); 298 sha1_update (ctx, msglen, 8); 299 300 PUT_UINT32_BE (ctx->state[0], output, 0); 301 PUT_UINT32_BE (ctx->state[1], output, 4); 302 PUT_UINT32_BE (ctx->state[2], output, 8); 303 PUT_UINT32_BE (ctx->state[3], output, 12); 304 PUT_UINT32_BE (ctx->state[4], output, 16); 305} 306 307/* 308 * Output = SHA-1( input buffer ) 309 */ 310void sha1_csum(const unsigned char *input, unsigned int ilen, 311 unsigned char *output) 312{ 313 sha1_context ctx; 314 315 sha1_starts (&ctx); 316 sha1_update (&ctx, input, ilen); 317 sha1_finish (&ctx, output); 318} 319 320/* 321 * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz' 322 * bytes of input processed. 323 */ 324void sha1_csum_wd(const unsigned char *input, unsigned int ilen, 325 unsigned char *output, unsigned int chunk_sz) 326{ 327 sha1_context ctx; 328#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 329 const unsigned char *end, *curr; 330 int chunk; 331#endif 332 333 sha1_starts (&ctx); 334 335#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) 336 curr = input; 337 end = input + ilen; 338 while (curr < end) { 339 chunk = end - curr; 340 if (chunk > chunk_sz) 341 chunk = chunk_sz; 342 sha1_update (&ctx, curr, chunk); 343 curr += chunk; 344 schedule(); 345 } 346#else 347 sha1_update (&ctx, input, ilen); 348#endif 349 350 sha1_finish (&ctx, output); 351} 352 353/* 354 * Output = HMAC-SHA-1( input buffer, hmac key ) 355 */ 356void sha1_hmac(const unsigned char *key, int keylen, 357 const unsigned char *input, unsigned int ilen, 358 unsigned char *output) 359{ 360 int i; 361 sha1_context ctx; 362 unsigned char k_ipad[64]; 363 unsigned char k_opad[64]; 364 unsigned char tmpbuf[20]; 365 366 memset (k_ipad, 0x36, 64); 367 memset (k_opad, 0x5C, 64); 368 369 for (i = 0; i < keylen; i++) { 370 if (i >= 64) 371 break; 372 373 k_ipad[i] ^= key[i]; 374 k_opad[i] ^= key[i]; 375 } 376 377 sha1_starts (&ctx); 378 sha1_update (&ctx, k_ipad, 64); 379 sha1_update (&ctx, input, ilen); 380 sha1_finish (&ctx, tmpbuf); 381 382 sha1_starts (&ctx); 383 sha1_update (&ctx, k_opad, 64); 384 sha1_update (&ctx, tmpbuf, 20); 385 sha1_finish (&ctx, output); 386 387 memset (k_ipad, 0, 64); 388 memset (k_opad, 0, 64); 389 memset (tmpbuf, 0, 20); 390 memset (&ctx, 0, sizeof (sha1_context)); 391} 392 393#ifdef SELF_TEST 394/* 395 * FIPS-180-1 test vectors 396 */ 397static const char sha1_test_str[3][57] = { 398 {"abc"}, 399 {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"}, 400 {""} 401}; 402 403static const unsigned char sha1_test_sum[3][20] = { 404 {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E, 405 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D}, 406 {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE, 407 0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1}, 408 {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E, 409 0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F} 410}; 411 412/* 413 * Checkup routine 414 */ 415int sha1_self_test (void) 416{ 417 int i, j; 418 unsigned char buf[1000]; 419 unsigned char sha1sum[20]; 420 sha1_context ctx; 421 422 for (i = 0; i < 3; i++) { 423 printf (" SHA-1 test #%d: ", i + 1); 424 425 sha1_starts (&ctx); 426 427 if (i < 2) 428 sha1_update (&ctx, (unsigned char *) sha1_test_str[i], 429 strlen (sha1_test_str[i])); 430 else { 431 memset (buf, 'a', 1000); 432 for (j = 0; j < 1000; j++) 433 sha1_update (&ctx, buf, 1000); 434 } 435 436 sha1_finish (&ctx, sha1sum); 437 438 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) { 439 printf ("failed\n"); 440 return (1); 441 } 442 443 printf ("passed\n"); 444 } 445 446 printf ("\n"); 447 return (0); 448} 449#else 450int sha1_self_test (void) 451{ 452 return (0); 453} 454#endif 455