lib/sha1.c

   1 // SPDX-License-Identifier: LGPL-2.1
   2 /*
   3  *  Heiko Schocher, DENX Software Engineering, hs@denx.de.
   4  *  based on:
   5  *  FIPS-180-1 compliant SHA-1 implementation
   6  *
   7  *  Copyright (C) 2003-2006  Christophe Devine
   8  */
   9 /*
  10  *  The SHA-1 standard was published by NIST in 1993.
  11  *
  12  *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
  13  */
  14
  15 #ifndef _CRT_SECURE_NO_DEPRECATE
  16 #define _CRT_SECURE_NO_DEPRECATE 1
  17 #endif
  18
  19 #ifndef USE_HOSTCC
  20 #include <common.h>
  21 #include <linux/string.h>
  22 #else
  23 #include <string.h>
  24 #endif /* USE_HOSTCC */
  25 #include <watchdog.h>
  26 #include <u-boot/sha1.h>
  27
  28 #include <linux/compiler_attributes.h>
  29
  30 const uint8_t sha1_der_prefix[SHA1_DER_LEN] = {
  31         0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
  32         0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
  33 };
  34
  35 /*
  36  * 32-bit integer manipulation macros (big endian)
  37  */
  38 #ifndef GET_UINT32_BE
  39 #define GET_UINT32_BE(n,b,i) {                          \
  40         (n) = ( (unsigned long) (b)[(i)    ] << 24 )    \
  41             | ( (unsigned long) (b)[(i) + 1] << 16 )    \
  42             | ( (unsigned long) (b)[(i) + 2] <<  8 )    \
  43             | ( (unsigned long) (b)[(i) + 3]       );   \
  44 }
  45 #endif
  46 #ifndef PUT_UINT32_BE
  47 #define PUT_UINT32_BE(n,b,i) {                          \
  48         (b)[(i)    ] = (unsigned char) ( (n) >> 24 );   \
  49         (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );   \
  50         (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );   \
  51         (b)[(i) + 3] = (unsigned char) ( (n)       );   \
  52 }
  53 #endif
  54
  55 /*
  56  * SHA-1 context setup
  57  */
  58 void sha1_starts (sha1_context * ctx)
  59 {
  60         ctx->total[0] = 0;
  61         ctx->total[1] = 0;
  62
  63         ctx->state[0] = 0x67452301;
  64         ctx->state[1] = 0xEFCDAB89;
  65         ctx->state[2] = 0x98BADCFE;
  66         ctx->state[3] = 0x10325476;
  67         ctx->state[4] = 0xC3D2E1F0;
  68 }
  69
  70 static void __maybe_unused sha1_process_one(sha1_context *ctx, const unsigned char data[64])
  71 {
  72         unsigned long temp, W[16], A, B, C, D, E;
  73
  74         GET_UINT32_BE (W[0], data, 0);
  75         GET_UINT32_BE (W[1], data, 4);
  76         GET_UINT32_BE (W[2], data, 8);
  77         GET_UINT32_BE (W[3], data, 12);
  78         GET_UINT32_BE (W[4], data, 16);
  79         GET_UINT32_BE (W[5], data, 20);
  80         GET_UINT32_BE (W[6], data, 24);
  81         GET_UINT32_BE (W[7], data, 28);
  82         GET_UINT32_BE (W[8], data, 32);
  83         GET_UINT32_BE (W[9], data, 36);
  84         GET_UINT32_BE (W[10], data, 40);
  85         GET_UINT32_BE (W[11], data, 44);
  86         GET_UINT32_BE (W[12], data, 48);
  87         GET_UINT32_BE (W[13], data, 52);
  88         GET_UINT32_BE (W[14], data, 56);
  89         GET_UINT32_BE (W[15], data, 60);
  90
  91 #define S(x,n)  ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
  92
  93 #define R(t) (                                          \
  94         temp = W[(t -  3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \
  95                W[(t - 14) & 0x0F] ^ W[ t      & 0x0F],  \
  96         ( W[t & 0x0F] = S(temp,1) )                     \
  97 )
  98
  99 #define P(a,b,c,d,e,x)  {                               \
 100         e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);    \
 101 }
 102
 103         A = ctx->state[0];
 104         B = ctx->state[1];
 105         C = ctx->state[2];
 106         D = ctx->state[3];
 107         E = ctx->state[4];
 108
 109 #define F(x,y,z) (z ^ (x & (y ^ z)))
 110 #define K 0x5A827999
 111
 112         P (A, B, C, D, E, W[0]);
 113         P (E, A, B, C, D, W[1]);
 114         P (D, E, A, B, C, W[2]);
 115         P (C, D, E, A, B, W[3]);
 116         P (B, C, D, E, A, W[4]);
 117         P (A, B, C, D, E, W[5]);
 118         P (E, A, B, C, D, W[6]);
 119         P (D, E, A, B, C, W[7]);
 120         P (C, D, E, A, B, W[8]);
 121         P (B, C, D, E, A, W[9]);
 122         P (A, B, C, D, E, W[10]);
 123         P (E, A, B, C, D, W[11]);
 124         P (D, E, A, B, C, W[12]);
 125         P (C, D, E, A, B, W[13]);
 126         P (B, C, D, E, A, W[14]);
 127         P (A, B, C, D, E, W[15]);
 128         P (E, A, B, C, D, R (16));
 129         P (D, E, A, B, C, R (17));
 130         P (C, D, E, A, B, R (18));
 131         P (B, C, D, E, A, R (19));
 132
 133 #undef K
 134 #undef F
 135
 136 #define F(x,y,z) (x ^ y ^ z)
 137 #define K 0x6ED9EBA1
 138
 139         P (A, B, C, D, E, R (20));
 140         P (E, A, B, C, D, R (21));
 141         P (D, E, A, B, C, R (22));
 142         P (C, D, E, A, B, R (23));
 143         P (B, C, D, E, A, R (24));
 144         P (A, B, C, D, E, R (25));
 145         P (E, A, B, C, D, R (26));
 146         P (D, E, A, B, C, R (27));
 147         P (C, D, E, A, B, R (28));
 148         P (B, C, D, E, A, R (29));
 149         P (A, B, C, D, E, R (30));
 150         P (E, A, B, C, D, R (31));
 151         P (D, E, A, B, C, R (32));
 152         P (C, D, E, A, B, R (33));
 153         P (B, C, D, E, A, R (34));
 154         P (A, B, C, D, E, R (35));
 155         P (E, A, B, C, D, R (36));
 156         P (D, E, A, B, C, R (37));
 157         P (C, D, E, A, B, R (38));
 158         P (B, C, D, E, A, R (39));
 159
 160 #undef K
 161 #undef F
 162
 163 #define F(x,y,z) ((x & y) | (z & (x | y)))
 164 #define K 0x8F1BBCDC
 165
 166         P (A, B, C, D, E, R (40));
 167         P (E, A, B, C, D, R (41));
 168         P (D, E, A, B, C, R (42));
 169         P (C, D, E, A, B, R (43));
 170         P (B, C, D, E, A, R (44));
 171         P (A, B, C, D, E, R (45));
 172         P (E, A, B, C, D, R (46));
 173         P (D, E, A, B, C, R (47));
 174         P (C, D, E, A, B, R (48));
 175         P (B, C, D, E, A, R (49));
 176         P (A, B, C, D, E, R (50));
 177         P (E, A, B, C, D, R (51));
 178         P (D, E, A, B, C, R (52));
 179         P (C, D, E, A, B, R (53));
 180         P (B, C, D, E, A, R (54));
 181         P (A, B, C, D, E, R (55));
 182         P (E, A, B, C, D, R (56));
 183         P (D, E, A, B, C, R (57));
 184         P (C, D, E, A, B, R (58));
 185         P (B, C, D, E, A, R (59));
 186
 187 #undef K
 188 #undef F
 189
 190 #define F(x,y,z) (x ^ y ^ z)
 191 #define K 0xCA62C1D6
 192
 193         P (A, B, C, D, E, R (60));
 194         P (E, A, B, C, D, R (61));
 195         P (D, E, A, B, C, R (62));
 196         P (C, D, E, A, B, R (63));
 197         P (B, C, D, E, A, R (64));
 198         P (A, B, C, D, E, R (65));
 199         P (E, A, B, C, D, R (66));
 200         P (D, E, A, B, C, R (67));
 201         P (C, D, E, A, B, R (68));
 202         P (B, C, D, E, A, R (69));
 203         P (A, B, C, D, E, R (70));
 204         P (E, A, B, C, D, R (71));
 205         P (D, E, A, B, C, R (72));
 206         P (C, D, E, A, B, R (73));
 207         P (B, C, D, E, A, R (74));
 208         P (A, B, C, D, E, R (75));
 209         P (E, A, B, C, D, R (76));
 210         P (D, E, A, B, C, R (77));
 211         P (C, D, E, A, B, R (78));
 212         P (B, C, D, E, A, R (79));
 213
 214 #undef K
 215 #undef F
 216
 217         ctx->state[0] += A;
 218         ctx->state[1] += B;
 219         ctx->state[2] += C;
 220         ctx->state[3] += D;
 221         ctx->state[4] += E;
 222 }
 223
 224 __weak void sha1_process(sha1_context *ctx, const unsigned char *data,
 225                          unsigned int blocks)
 226 {
 227         if (!blocks)
 228                 return;
 229
 230         while (blocks--) {
 231                 sha1_process_one(ctx, data);
 232                 data += 64;
 233         }
 234 }
 235
 236 /*
 237  * SHA-1 process buffer
 238  */
 239 void sha1_update(sha1_context *ctx, const unsigned char *input,
 240                  unsigned int ilen)
 241 {
 242         int fill;
 243         unsigned long left;
 244
 245         if (ilen <= 0)
 246                 return;
 247
 248         left = ctx->total[0] & 0x3F;
 249         fill = 64 - left;
 250
 251         ctx->total[0] += ilen;
 252         ctx->total[0] &= 0xFFFFFFFF;
 253
 254         if (ctx->total[0] < (unsigned long) ilen)
 255                 ctx->total[1]++;
 256
 257         if (left && ilen >= fill) {
 258                 memcpy ((void *) (ctx->buffer + left), (void *) input, fill);
 259                 sha1_process(ctx, ctx->buffer, 1);
 260                 input += fill;
 261                 ilen -= fill;
 262                 left = 0;
 263         }
 264
 265         sha1_process(ctx, input, ilen / 64);
 266         input += ilen / 64 * 64;
 267         ilen = ilen % 64;
 268
 269         if (ilen > 0) {
 270                 memcpy ((void *) (ctx->buffer + left), (void *) input, ilen);
 271         }
 272 }
 273
 274 static const unsigned char sha1_padding[64] = {
 275         0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 276            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 277            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 278            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 279 };
 280
 281 /*
 282  * SHA-1 final digest
 283  */
 284 void sha1_finish (sha1_context * ctx, unsigned char output[20])
 285 {
 286         unsigned long last, padn;
 287         unsigned long high, low;
 288         unsigned char msglen[8];
 289
 290         high = (ctx->total[0] >> 29)
 291                 | (ctx->total[1] << 3);
 292         low = (ctx->total[0] << 3);
 293
 294         PUT_UINT32_BE (high, msglen, 0);
 295         PUT_UINT32_BE (low, msglen, 4);
 296
 297         last = ctx->total[0] & 0x3F;
 298         padn = (last < 56) ? (56 - last) : (120 - last);
 299
 300         sha1_update (ctx, (unsigned char *) sha1_padding, padn);
 301         sha1_update (ctx, msglen, 8);
 302
 303         PUT_UINT32_BE (ctx->state[0], output, 0);
 304         PUT_UINT32_BE (ctx->state[1], output, 4);
 305         PUT_UINT32_BE (ctx->state[2], output, 8);
 306         PUT_UINT32_BE (ctx->state[3], output, 12);
 307         PUT_UINT32_BE (ctx->state[4], output, 16);
 308 }
 309
 310 /*
 311  * Output = SHA-1( input buffer )
 312  */
 313 void sha1_csum(const unsigned char *input, unsigned int ilen,
 314                unsigned char *output)
 315 {
 316         sha1_context ctx;
 317
 318         sha1_starts (&ctx);
 319         sha1_update (&ctx, input, ilen);
 320         sha1_finish (&ctx, output);
 321 }
 322
 323 /*
 324  * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
 325  * bytes of input processed.
 326  */
 327 void sha1_csum_wd(const unsigned char *input, unsigned int ilen,
 328                   unsigned char *output, unsigned int chunk_sz)
 329 {
 330         sha1_context ctx;
 331 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
 332         const unsigned char *end, *curr;
 333         int chunk;
 334 #endif
 335
 336         sha1_starts (&ctx);
 337
 338 #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)
 339         curr = input;
 340         end = input + ilen;
 341         while (curr < end) {
 342                 chunk = end - curr;
 343                 if (chunk > chunk_sz)
 344                         chunk = chunk_sz;
 345                 sha1_update (&ctx, curr, chunk);
 346                 curr += chunk;
 347                 schedule();
 348         }
 349 #else
 350         sha1_update (&ctx, input, ilen);
 351 #endif
 352
 353         sha1_finish (&ctx, output);
 354 }
 355
 356 /*
 357  * Output = HMAC-SHA-1( input buffer, hmac key )
 358  */
 359 void sha1_hmac(const unsigned char *key, int keylen,
 360                const unsigned char *input, unsigned int ilen,
 361                unsigned char *output)
 362 {
 363         int i;
 364         sha1_context ctx;
 365         unsigned char k_ipad[64];
 366         unsigned char k_opad[64];
 367         unsigned char tmpbuf[20];
 368
 369         memset (k_ipad, 0x36, 64);
 370         memset (k_opad, 0x5C, 64);
 371
 372         for (i = 0; i < keylen; i++) {
 373                 if (i >= 64)
 374                         break;
 375
 376                 k_ipad[i] ^= key[i];
 377                 k_opad[i] ^= key[i];
 378         }
 379
 380         sha1_starts (&ctx);
 381         sha1_update (&ctx, k_ipad, 64);
 382         sha1_update (&ctx, input, ilen);
 383         sha1_finish (&ctx, tmpbuf);
 384
 385         sha1_starts (&ctx);
 386         sha1_update (&ctx, k_opad, 64);
 387         sha1_update (&ctx, tmpbuf, 20);
 388         sha1_finish (&ctx, output);
 389
 390         memset (k_ipad, 0, 64);
 391         memset (k_opad, 0, 64);
 392         memset (tmpbuf, 0, 20);
 393         memset (&ctx, 0, sizeof (sha1_context));
 394 }
 395
 396 #ifdef SELF_TEST
 397 /*
 398  * FIPS-180-1 test vectors
 399  */
 400 static const char sha1_test_str[3][57] = {
 401         {"abc"},
 402         {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"},
 403         {""}
 404 };
 405
 406 static const unsigned char sha1_test_sum[3][20] = {
 407         {0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
 408          0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D},
 409         {0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
 410          0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1},
 411         {0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
 412          0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F}
 413 };
 414
 415 /*
 416  * Checkup routine
 417  */
 418 int sha1_self_test (void)
 419 {
 420         int i, j;
 421         unsigned char buf[1000];
 422         unsigned char sha1sum[20];
 423         sha1_context ctx;
 424
 425         for (i = 0; i < 3; i++) {
 426                 printf ("  SHA-1 test #%d: ", i + 1);
 427
 428                 sha1_starts (&ctx);
 429
 430                 if (i < 2)
 431                         sha1_update (&ctx, (unsigned char *) sha1_test_str[i],
 432                                      strlen (sha1_test_str[i]));
 433                 else {
 434                         memset (buf, 'a', 1000);
 435                         for (j = 0; j < 1000; j++)
 436                                 sha1_update (&ctx, buf, 1000);
 437                 }
 438
 439                 sha1_finish (&ctx, sha1sum);
 440
 441                 if (memcmp (sha1sum, sha1_test_sum[i], 20) != 0) {
 442                         printf ("failed\n");
 443                         return (1);
 444                 }
 445
 446                 printf ("passed\n");
 447         }
 448
 449         printf ("\n");
 450         return (0);
 451 }
 452 #else
 453 int sha1_self_test (void)
 454 {
 455         return (0);
 456 }
 457 #endif