fxr.watson.org: sys/contrib/openzfs/module/icp/algs/sha2/sha2.c

FreeBSD/Linux Kernel Cross Reference
sys/contrib/openzfs/module/icp/algs/sha2/sha2.c

Version: - FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10

1 /* 2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 /* 6 * Copyright 2013 Saso Kiselkov. All rights reserved. 7 */ 8 9 /* 10 * The basic framework for this code came from the reference 11 * implementation for MD5. That implementation is Copyright (C) 12 * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. 13 * 14 * License to copy and use this software is granted provided that it 15 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest 16 * Algorithm" in all material mentioning or referencing this software 17 * or this function. 18 * 19 * License is also granted to make and use derivative works provided 20 * that such works are identified as "derived from the RSA Data 21 * Security, Inc. MD5 Message-Digest Algorithm" in all material 22 * mentioning or referencing the derived work. 23 * 24 * RSA Data Security, Inc. makes no representations concerning either 25 * the merchantability of this software or the suitability of this 26 * software for any particular purpose. It is provided "as is" 27 * without express or implied warranty of any kind. 28 * 29 * These notices must be retained in any copies of any part of this 30 * documentation and/or software. 31 * 32 * NOTE: Cleaned-up and optimized, version of SHA2, based on the FIPS 180-2 33 * standard, available at 34 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 35 * Not as fast as one would like -- further optimizations are encouraged 36 * and appreciated. 37 */ 38 39 #include <sys/zfs_context.h> 40 #define _SHA2_IMPL 41 #include <sys/sha2.h> 42 #include <sha2/sha2_consts.h> 43 44 #define _RESTRICT_KYWD 45 46 #ifdef _ZFS_LITTLE_ENDIAN 47 #include <sys/byteorder.h> 48 #define HAVE_HTONL 49 #endif 50 #include <sys/isa_defs.h> /* for _ILP32 */ 51 #include <sys/asm_linkage.h> 52 53 static void Encode(uint8_t *, uint32_t *, size_t); 54 static void Encode64(uint8_t *, uint64_t *, size_t); 55 56 /* userspace only supports the generic version */ 57 #if defined(__amd64) && defined(_KERNEL) 58 #define SHA512Transform(ctx, in) SHA512TransformBlocks((ctx), (in), 1) 59 #define SHA256Transform(ctx, in) SHA256TransformBlocks((ctx), (in), 1) 60 61 void ASMABI SHA512TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num); 62 void ASMABI SHA256TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num); 63 64 #else 65 static void SHA256Transform(SHA2_CTX *, const uint8_t *); 66 static void SHA512Transform(SHA2_CTX *, const uint8_t *); 67 #endif /* __amd64 && _KERNEL */ 68 69 static const uint8_t PADDING[128] = { 0x80, /* all zeros */ }; 70 71 /* 72 * The low-level checksum routines use a lot of stack space. On systems where 73 * small stacks are enforced (like 32-bit kernel builds), insert compiler memory 74 * barriers to reduce stack frame size. This can reduce the SHA512Transform() 75 * stack frame usage from 3k to <1k on ARM32, for example. 76 */ 77 #if defined(_ILP32) || defined(__powerpc) /* small stack */ 78 #define SMALL_STACK_MEMORY_BARRIER asm volatile("": : :"memory"); 79 #else 80 #define SMALL_STACK_MEMORY_BARRIER 81 #endif 82 83 /* Ch and Maj are the basic SHA2 functions. */ 84 #define Ch(b, c, d) (((b) & (c)) ^ ((~b) & (d))) 85 #define Maj(b, c, d) (((b) & (c)) ^ ((b) & (d)) ^ ((c) & (d))) 86 87 /* Rotates x right n bits. */ 88 #define ROTR(x, n) \ 89 (((x) >> (n)) | ((x) << ((sizeof (x) * NBBY)-(n)))) 90 91 /* Shift x right n bits */ 92 #define SHR(x, n) ((x) >> (n)) 93 94 /* SHA256 Functions */ 95 #define BIGSIGMA0_256(x) (ROTR((x), 2) ^ ROTR((x), 13) ^ ROTR((x), 22)) 96 #define BIGSIGMA1_256(x) (ROTR((x), 6) ^ ROTR((x), 11) ^ ROTR((x), 25)) 97 #define SIGMA0_256(x) (ROTR((x), 7) ^ ROTR((x), 18) ^ SHR((x), 3)) 98 #define SIGMA1_256(x) (ROTR((x), 17) ^ ROTR((x), 19) ^ SHR((x), 10)) 99 100 #define SHA256ROUND(a, b, c, d, e, f, g, h, i, w) \ 101 T1 = h + BIGSIGMA1_256(e) + Ch(e, f, g) + SHA256_CONST(i) + w; \ 102 d += T1; \ 103 T2 = BIGSIGMA0_256(a) + Maj(a, b, c); \ 104 h = T1 + T2 105 106 /* SHA384/512 Functions */ 107 #define BIGSIGMA0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39)) 108 #define BIGSIGMA1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41)) 109 #define SIGMA0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ SHR((x), 7)) 110 #define SIGMA1(x) (ROTR((x), 19) ^ ROTR((x), 61) ^ SHR((x), 6)) 111 #define SHA512ROUND(a, b, c, d, e, f, g, h, i, w) \ 112 T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + SHA512_CONST(i) + w; \ 113 d += T1; \ 114 T2 = BIGSIGMA0(a) + Maj(a, b, c); \ 115 h = T1 + T2; \ 116 SMALL_STACK_MEMORY_BARRIER; 117 118 /* 119 * sparc optimization: 120 * 121 * on the sparc, we can load big endian 32-bit data easily. note that 122 * special care must be taken to ensure the address is 32-bit aligned. 123 * in the interest of speed, we don't check to make sure, since 124 * careful programming can guarantee this for us. 125 */ 126 127 #if defined(_ZFS_BIG_ENDIAN) 128 #define LOAD_BIG_32(addr) (*(uint32_t *)(addr)) 129 #define LOAD_BIG_64(addr) (*(uint64_t *)(addr)) 130 131 #elif defined(HAVE_HTONL) 132 #define LOAD_BIG_32(addr) htonl(*((uint32_t *)(addr))) 133 #define LOAD_BIG_64(addr) htonll(*((uint64_t *)(addr))) 134 135 #else 136 /* little endian -- will work on big endian, but slowly */ 137 #define LOAD_BIG_32(addr) \ 138 (((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3]) 139 #define LOAD_BIG_64(addr) \ 140 (((uint64_t)(addr)[0] << 56) | ((uint64_t)(addr)[1] << 48) | \ 141 ((uint64_t)(addr)[2] << 40) | ((uint64_t)(addr)[3] << 32) | \ 142 ((uint64_t)(addr)[4] << 24) | ((uint64_t)(addr)[5] << 16) | \ 143 ((uint64_t)(addr)[6] << 8) | (uint64_t)(addr)[7]) 144 #endif /* _BIG_ENDIAN */ 145 146 147 #if !defined(__amd64) || !defined(_KERNEL) 148 /* SHA256 Transform */ 149 150 static void 151 SHA256Transform(SHA2_CTX *ctx, const uint8_t *blk) 152 { 153 uint32_t a = ctx->state.s32[0]; 154 uint32_t b = ctx->state.s32[1]; 155 uint32_t c = ctx->state.s32[2]; 156 uint32_t d = ctx->state.s32[3]; 157 uint32_t e = ctx->state.s32[4]; 158 uint32_t f = ctx->state.s32[5]; 159 uint32_t g = ctx->state.s32[6]; 160 uint32_t h = ctx->state.s32[7]; 161 162 uint32_t w0, w1, w2, w3, w4, w5, w6, w7; 163 uint32_t w8, w9, w10, w11, w12, w13, w14, w15; 164 uint32_t T1, T2; 165 166 #if defined(__sparc) 167 static const uint32_t sha256_consts[] = { 168 SHA256_CONST_0, SHA256_CONST_1, SHA256_CONST_2, 169 SHA256_CONST_3, SHA256_CONST_4, SHA256_CONST_5, 170 SHA256_CONST_6, SHA256_CONST_7, SHA256_CONST_8, 171 SHA256_CONST_9, SHA256_CONST_10, SHA256_CONST_11, 172 SHA256_CONST_12, SHA256_CONST_13, SHA256_CONST_14, 173 SHA256_CONST_15, SHA256_CONST_16, SHA256_CONST_17, 174 SHA256_CONST_18, SHA256_CONST_19, SHA256_CONST_20, 175 SHA256_CONST_21, SHA256_CONST_22, SHA256_CONST_23, 176 SHA256_CONST_24, SHA256_CONST_25, SHA256_CONST_26, 177 SHA256_CONST_27, SHA256_CONST_28, SHA256_CONST_29, 178 SHA256_CONST_30, SHA256_CONST_31, SHA256_CONST_32, 179 SHA256_CONST_33, SHA256_CONST_34, SHA256_CONST_35, 180 SHA256_CONST_36, SHA256_CONST_37, SHA256_CONST_38, 181 SHA256_CONST_39, SHA256_CONST_40, SHA256_CONST_41, 182 SHA256_CONST_42, SHA256_CONST_43, SHA256_CONST_44, 183 SHA256_CONST_45, SHA256_CONST_46, SHA256_CONST_47, 184 SHA256_CONST_48, SHA256_CONST_49, SHA256_CONST_50, 185 SHA256_CONST_51, SHA256_CONST_52, SHA256_CONST_53, 186 SHA256_CONST_54, SHA256_CONST_55, SHA256_CONST_56, 187 SHA256_CONST_57, SHA256_CONST_58, SHA256_CONST_59, 188 SHA256_CONST_60, SHA256_CONST_61, SHA256_CONST_62, 189 SHA256_CONST_63 190 }; 191 #endif /* __sparc */ 192 193 if ((uintptr_t)blk & 0x3) { /* not 4-byte aligned? */ 194 memcpy(ctx->buf_un.buf32, blk, sizeof (ctx->buf_un.buf32)); 195 blk = (uint8_t *)ctx->buf_un.buf32; 196 } 197 198 /* LINTED E_BAD_PTR_CAST_ALIGN */ 199 w0 = LOAD_BIG_32(blk + 4 * 0); 200 SHA256ROUND(a, b, c, d, e, f, g, h, 0, w0); 201 /* LINTED E_BAD_PTR_CAST_ALIGN */ 202 w1 = LOAD_BIG_32(blk + 4 * 1); 203 SHA256ROUND(h, a, b, c, d, e, f, g, 1, w1); 204 /* LINTED E_BAD_PTR_CAST_ALIGN */ 205 w2 = LOAD_BIG_32(blk + 4 * 2); 206 SHA256ROUND(g, h, a, b, c, d, e, f, 2, w2); 207 /* LINTED E_BAD_PTR_CAST_ALIGN */ 208 w3 = LOAD_BIG_32(blk + 4 * 3); 209 SHA256ROUND(f, g, h, a, b, c, d, e, 3, w3); 210 /* LINTED E_BAD_PTR_CAST_ALIGN */ 211 w4 = LOAD_BIG_32(blk + 4 * 4); 212 SHA256ROUND(e, f, g, h, a, b, c, d, 4, w4); 213 /* LINTED E_BAD_PTR_CAST_ALIGN */ 214 w5 = LOAD_BIG_32(blk + 4 * 5); 215 SHA256ROUND(d, e, f, g, h, a, b, c, 5, w5); 216 /* LINTED E_BAD_PTR_CAST_ALIGN */ 217 w6 = LOAD_BIG_32(blk + 4 * 6); 218 SHA256ROUND(c, d, e, f, g, h, a, b, 6, w6); 219 /* LINTED E_BAD_PTR_CAST_ALIGN */ 220 w7 = LOAD_BIG_32(blk + 4 * 7); 221 SHA256ROUND(b, c, d, e, f, g, h, a, 7, w7); 222 /* LINTED E_BAD_PTR_CAST_ALIGN */ 223 w8 = LOAD_BIG_32(blk + 4 * 8); 224 SHA256ROUND(a, b, c, d, e, f, g, h, 8, w8); 225 /* LINTED E_BAD_PTR_CAST_ALIGN */ 226 w9 = LOAD_BIG_32(blk + 4 * 9); 227 SHA256ROUND(h, a, b, c, d, e, f, g, 9, w9); 228 /* LINTED E_BAD_PTR_CAST_ALIGN */ 229 w10 = LOAD_BIG_32(blk + 4 * 10); 230 SHA256ROUND(g, h, a, b, c, d, e, f, 10, w10); 231 /* LINTED E_BAD_PTR_CAST_ALIGN */ 232 w11 = LOAD_BIG_32(blk + 4 * 11); 233 SHA256ROUND(f, g, h, a, b, c, d, e, 11, w11); 234 /* LINTED E_BAD_PTR_CAST_ALIGN */ 235 w12 = LOAD_BIG_32(blk + 4 * 12); 236 SHA256ROUND(e, f, g, h, a, b, c, d, 12, w12); 237 /* LINTED E_BAD_PTR_CAST_ALIGN */ 238 w13 = LOAD_BIG_32(blk + 4 * 13); 239 SHA256ROUND(d, e, f, g, h, a, b, c, 13, w13); 240 /* LINTED E_BAD_PTR_CAST_ALIGN */ 241 w14 = LOAD_BIG_32(blk + 4 * 14); 242 SHA256ROUND(c, d, e, f, g, h, a, b, 14, w14); 243 /* LINTED E_BAD_PTR_CAST_ALIGN */ 244 w15 = LOAD_BIG_32(blk + 4 * 15); 245 SHA256ROUND(b, c, d, e, f, g, h, a, 15, w15); 246 247 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0; 248 SHA256ROUND(a, b, c, d, e, f, g, h, 16, w0); 249 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1; 250 SHA256ROUND(h, a, b, c, d, e, f, g, 17, w1); 251 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2; 252 SHA256ROUND(g, h, a, b, c, d, e, f, 18, w2); 253 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3; 254 SHA256ROUND(f, g, h, a, b, c, d, e, 19, w3); 255 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4; 256 SHA256ROUND(e, f, g, h, a, b, c, d, 20, w4); 257 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5; 258 SHA256ROUND(d, e, f, g, h, a, b, c, 21, w5); 259 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6; 260 SHA256ROUND(c, d, e, f, g, h, a, b, 22, w6); 261 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7; 262 SHA256ROUND(b, c, d, e, f, g, h, a, 23, w7); 263 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8; 264 SHA256ROUND(a, b, c, d, e, f, g, h, 24, w8); 265 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9; 266 SHA256ROUND(h, a, b, c, d, e, f, g, 25, w9); 267 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10; 268 SHA256ROUND(g, h, a, b, c, d, e, f, 26, w10); 269 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11; 270 SHA256ROUND(f, g, h, a, b, c, d, e, 27, w11); 271 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12; 272 SHA256ROUND(e, f, g, h, a, b, c, d, 28, w12); 273 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13; 274 SHA256ROUND(d, e, f, g, h, a, b, c, 29, w13); 275 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14; 276 SHA256ROUND(c, d, e, f, g, h, a, b, 30, w14); 277 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15; 278 SHA256ROUND(b, c, d, e, f, g, h, a, 31, w15); 279 280 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0; 281 SHA256ROUND(a, b, c, d, e, f, g, h, 32, w0); 282 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1; 283 SHA256ROUND(h, a, b, c, d, e, f, g, 33, w1); 284 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2; 285 SHA256ROUND(g, h, a, b, c, d, e, f, 34, w2); 286 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3; 287 SHA256ROUND(f, g, h, a, b, c, d, e, 35, w3); 288 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4; 289 SHA256ROUND(e, f, g, h, a, b, c, d, 36, w4); 290 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5; 291 SHA256ROUND(d, e, f, g, h, a, b, c, 37, w5); 292 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6; 293 SHA256ROUND(c, d, e, f, g, h, a, b, 38, w6); 294 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7; 295 SHA256ROUND(b, c, d, e, f, g, h, a, 39, w7); 296 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8; 297 SHA256ROUND(a, b, c, d, e, f, g, h, 40, w8); 298 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9; 299 SHA256ROUND(h, a, b, c, d, e, f, g, 41, w9); 300 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10; 301 SHA256ROUND(g, h, a, b, c, d, e, f, 42, w10); 302 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11; 303 SHA256ROUND(f, g, h, a, b, c, d, e, 43, w11); 304 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12; 305 SHA256ROUND(e, f, g, h, a, b, c, d, 44, w12); 306 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13; 307 SHA256ROUND(d, e, f, g, h, a, b, c, 45, w13); 308 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14; 309 SHA256ROUND(c, d, e, f, g, h, a, b, 46, w14); 310 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15; 311 SHA256ROUND(b, c, d, e, f, g, h, a, 47, w15); 312 313 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0; 314 SHA256ROUND(a, b, c, d, e, f, g, h, 48, w0); 315 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1; 316 SHA256ROUND(h, a, b, c, d, e, f, g, 49, w1); 317 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2; 318 SHA256ROUND(g, h, a, b, c, d, e, f, 50, w2); 319 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3; 320 SHA256ROUND(f, g, h, a, b, c, d, e, 51, w3); 321 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4; 322 SHA256ROUND(e, f, g, h, a, b, c, d, 52, w4); 323 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5; 324 SHA256ROUND(d, e, f, g, h, a, b, c, 53, w5); 325 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6; 326 SHA256ROUND(c, d, e, f, g, h, a, b, 54, w6); 327 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7; 328 SHA256ROUND(b, c, d, e, f, g, h, a, 55, w7); 329 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8; 330 SHA256ROUND(a, b, c, d, e, f, g, h, 56, w8); 331 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9; 332 SHA256ROUND(h, a, b, c, d, e, f, g, 57, w9); 333 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10; 334 SHA256ROUND(g, h, a, b, c, d, e, f, 58, w10); 335 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11; 336 SHA256ROUND(f, g, h, a, b, c, d, e, 59, w11); 337 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12; 338 SHA256ROUND(e, f, g, h, a, b, c, d, 60, w12); 339 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13; 340 SHA256ROUND(d, e, f, g, h, a, b, c, 61, w13); 341 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14; 342 SHA256ROUND(c, d, e, f, g, h, a, b, 62, w14); 343 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15; 344 SHA256ROUND(b, c, d, e, f, g, h, a, 63, w15); 345 346 ctx->state.s32[0] += a; 347 ctx->state.s32[1] += b; 348 ctx->state.s32[2] += c; 349 ctx->state.s32[3] += d; 350 ctx->state.s32[4] += e; 351 ctx->state.s32[5] += f; 352 ctx->state.s32[6] += g; 353 ctx->state.s32[7] += h; 354 } 355 356 357 /* SHA384 and SHA512 Transform */ 358 359 static void 360 SHA512Transform(SHA2_CTX *ctx, const uint8_t *blk) 361 { 362 363 uint64_t a = ctx->state.s64[0]; 364 uint64_t b = ctx->state.s64[1]; 365 uint64_t c = ctx->state.s64[2]; 366 uint64_t d = ctx->state.s64[3]; 367 uint64_t e = ctx->state.s64[4]; 368 uint64_t f = ctx->state.s64[5]; 369 uint64_t g = ctx->state.s64[6]; 370 uint64_t h = ctx->state.s64[7]; 371 372 uint64_t w0, w1, w2, w3, w4, w5, w6, w7; 373 uint64_t w8, w9, w10, w11, w12, w13, w14, w15; 374 uint64_t T1, T2; 375 376 #if defined(__sparc) 377 static const uint64_t sha512_consts[] = { 378 SHA512_CONST_0, SHA512_CONST_1, SHA512_CONST_2, 379 SHA512_CONST_3, SHA512_CONST_4, SHA512_CONST_5, 380 SHA512_CONST_6, SHA512_CONST_7, SHA512_CONST_8, 381 SHA512_CONST_9, SHA512_CONST_10, SHA512_CONST_11, 382 SHA512_CONST_12, SHA512_CONST_13, SHA512_CONST_14, 383 SHA512_CONST_15, SHA512_CONST_16, SHA512_CONST_17, 384 SHA512_CONST_18, SHA512_CONST_19, SHA512_CONST_20, 385 SHA512_CONST_21, SHA512_CONST_22, SHA512_CONST_23, 386 SHA512_CONST_24, SHA512_CONST_25, SHA512_CONST_26, 387 SHA512_CONST_27, SHA512_CONST_28, SHA512_CONST_29, 388 SHA512_CONST_30, SHA512_CONST_31, SHA512_CONST_32, 389 SHA512_CONST_33, SHA512_CONST_34, SHA512_CONST_35, 390 SHA512_CONST_36, SHA512_CONST_37, SHA512_CONST_38, 391 SHA512_CONST_39, SHA512_CONST_40, SHA512_CONST_41, 392 SHA512_CONST_42, SHA512_CONST_43, SHA512_CONST_44, 393 SHA512_CONST_45, SHA512_CONST_46, SHA512_CONST_47, 394 SHA512_CONST_48, SHA512_CONST_49, SHA512_CONST_50, 395 SHA512_CONST_51, SHA512_CONST_52, SHA512_CONST_53, 396 SHA512_CONST_54, SHA512_CONST_55, SHA512_CONST_56, 397 SHA512_CONST_57, SHA512_CONST_58, SHA512_CONST_59, 398 SHA512_CONST_60, SHA512_CONST_61, SHA512_CONST_62, 399 SHA512_CONST_63, SHA512_CONST_64, SHA512_CONST_65, 400 SHA512_CONST_66, SHA512_CONST_67, SHA512_CONST_68, 401 SHA512_CONST_69, SHA512_CONST_70, SHA512_CONST_71, 402 SHA512_CONST_72, SHA512_CONST_73, SHA512_CONST_74, 403 SHA512_CONST_75, SHA512_CONST_76, SHA512_CONST_77, 404 SHA512_CONST_78, SHA512_CONST_79 405 }; 406 #endif /* __sparc */ 407 408 409 if ((uintptr_t)blk & 0x7) { /* not 8-byte aligned? */ 410 memcpy(ctx->buf_un.buf64, blk, sizeof (ctx->buf_un.buf64)); 411 blk = (uint8_t *)ctx->buf_un.buf64; 412 } 413 414 /* LINTED E_BAD_PTR_CAST_ALIGN */ 415 w0 = LOAD_BIG_64(blk + 8 * 0); 416 SHA512ROUND(a, b, c, d, e, f, g, h, 0, w0); 417 /* LINTED E_BAD_PTR_CAST_ALIGN */ 418 w1 = LOAD_BIG_64(blk + 8 * 1); 419 SHA512ROUND(h, a, b, c, d, e, f, g, 1, w1); 420 /* LINTED E_BAD_PTR_CAST_ALIGN */ 421 w2 = LOAD_BIG_64(blk + 8 * 2); 422 SHA512ROUND(g, h, a, b, c, d, e, f, 2, w2); 423 /* LINTED E_BAD_PTR_CAST_ALIGN */ 424 w3 = LOAD_BIG_64(blk + 8 * 3); 425 SHA512ROUND(f, g, h, a, b, c, d, e, 3, w3); 426 /* LINTED E_BAD_PTR_CAST_ALIGN */ 427 w4 = LOAD_BIG_64(blk + 8 * 4); 428 SHA512ROUND(e, f, g, h, a, b, c, d, 4, w4); 429 /* LINTED E_BAD_PTR_CAST_ALIGN */ 430 w5 = LOAD_BIG_64(blk + 8 * 5); 431 SHA512ROUND(d, e, f, g, h, a, b, c, 5, w5); 432 /* LINTED E_BAD_PTR_CAST_ALIGN */ 433 w6 = LOAD_BIG_64(blk + 8 * 6); 434 SHA512ROUND(c, d, e, f, g, h, a, b, 6, w6); 435 /* LINTED E_BAD_PTR_CAST_ALIGN */ 436 w7 = LOAD_BIG_64(blk + 8 * 7); 437 SHA512ROUND(b, c, d, e, f, g, h, a, 7, w7); 438 /* LINTED E_BAD_PTR_CAST_ALIGN */ 439 w8 = LOAD_BIG_64(blk + 8 * 8); 440 SHA512ROUND(a, b, c, d, e, f, g, h, 8, w8); 441 /* LINTED E_BAD_PTR_CAST_ALIGN */ 442 w9 = LOAD_BIG_64(blk + 8 * 9); 443 SHA512ROUND(h, a, b, c, d, e, f, g, 9, w9); 444 /* LINTED E_BAD_PTR_CAST_ALIGN */ 445 w10 = LOAD_BIG_64(blk + 8 * 10); 446 SHA512ROUND(g, h, a, b, c, d, e, f, 10, w10); 447 /* LINTED E_BAD_PTR_CAST_ALIGN */ 448 w11 = LOAD_BIG_64(blk + 8 * 11); 449 SHA512ROUND(f, g, h, a, b, c, d, e, 11, w11); 450 /* LINTED E_BAD_PTR_CAST_ALIGN */ 451 w12 = LOAD_BIG_64(blk + 8 * 12); 452 SHA512ROUND(e, f, g, h, a, b, c, d, 12, w12); 453 /* LINTED E_BAD_PTR_CAST_ALIGN */ 454 w13 = LOAD_BIG_64(blk + 8 * 13); 455 SHA512ROUND(d, e, f, g, h, a, b, c, 13, w13); 456 /* LINTED E_BAD_PTR_CAST_ALIGN */ 457 w14 = LOAD_BIG_64(blk + 8 * 14); 458 SHA512ROUND(c, d, e, f, g, h, a, b, 14, w14); 459 /* LINTED E_BAD_PTR_CAST_ALIGN */ 460 w15 = LOAD_BIG_64(blk + 8 * 15); 461 SHA512ROUND(b, c, d, e, f, g, h, a, 15, w15); 462 463 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 464 SHA512ROUND(a, b, c, d, e, f, g, h, 16, w0); 465 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 466 SHA512ROUND(h, a, b, c, d, e, f, g, 17, w1); 467 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 468 SHA512ROUND(g, h, a, b, c, d, e, f, 18, w2); 469 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 470 SHA512ROUND(f, g, h, a, b, c, d, e, 19, w3); 471 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 472 SHA512ROUND(e, f, g, h, a, b, c, d, 20, w4); 473 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 474 SHA512ROUND(d, e, f, g, h, a, b, c, 21, w5); 475 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 476 SHA512ROUND(c, d, e, f, g, h, a, b, 22, w6); 477 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 478 SHA512ROUND(b, c, d, e, f, g, h, a, 23, w7); 479 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 480 SHA512ROUND(a, b, c, d, e, f, g, h, 24, w8); 481 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 482 SHA512ROUND(h, a, b, c, d, e, f, g, 25, w9); 483 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 484 SHA512ROUND(g, h, a, b, c, d, e, f, 26, w10); 485 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 486 SHA512ROUND(f, g, h, a, b, c, d, e, 27, w11); 487 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 488 SHA512ROUND(e, f, g, h, a, b, c, d, 28, w12); 489 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 490 SHA512ROUND(d, e, f, g, h, a, b, c, 29, w13); 491 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 492 SHA512ROUND(c, d, e, f, g, h, a, b, 30, w14); 493 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 494 SHA512ROUND(b, c, d, e, f, g, h, a, 31, w15); 495 496 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 497 SHA512ROUND(a, b, c, d, e, f, g, h, 32, w0); 498 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 499 SHA512ROUND(h, a, b, c, d, e, f, g, 33, w1); 500 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 501 SHA512ROUND(g, h, a, b, c, d, e, f, 34, w2); 502 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 503 SHA512ROUND(f, g, h, a, b, c, d, e, 35, w3); 504 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 505 SHA512ROUND(e, f, g, h, a, b, c, d, 36, w4); 506 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 507 SHA512ROUND(d, e, f, g, h, a, b, c, 37, w5); 508 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 509 SHA512ROUND(c, d, e, f, g, h, a, b, 38, w6); 510 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 511 SHA512ROUND(b, c, d, e, f, g, h, a, 39, w7); 512 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 513 SHA512ROUND(a, b, c, d, e, f, g, h, 40, w8); 514 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 515 SHA512ROUND(h, a, b, c, d, e, f, g, 41, w9); 516 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 517 SHA512ROUND(g, h, a, b, c, d, e, f, 42, w10); 518 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 519 SHA512ROUND(f, g, h, a, b, c, d, e, 43, w11); 520 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 521 SHA512ROUND(e, f, g, h, a, b, c, d, 44, w12); 522 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 523 SHA512ROUND(d, e, f, g, h, a, b, c, 45, w13); 524 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 525 SHA512ROUND(c, d, e, f, g, h, a, b, 46, w14); 526 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 527 SHA512ROUND(b, c, d, e, f, g, h, a, 47, w15); 528 529 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 530 SHA512ROUND(a, b, c, d, e, f, g, h, 48, w0); 531 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 532 SHA512ROUND(h, a, b, c, d, e, f, g, 49, w1); 533 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 534 SHA512ROUND(g, h, a, b, c, d, e, f, 50, w2); 535 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 536 SHA512ROUND(f, g, h, a, b, c, d, e, 51, w3); 537 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 538 SHA512ROUND(e, f, g, h, a, b, c, d, 52, w4); 539 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 540 SHA512ROUND(d, e, f, g, h, a, b, c, 53, w5); 541 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 542 SHA512ROUND(c, d, e, f, g, h, a, b, 54, w6); 543 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 544 SHA512ROUND(b, c, d, e, f, g, h, a, 55, w7); 545 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 546 SHA512ROUND(a, b, c, d, e, f, g, h, 56, w8); 547 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 548 SHA512ROUND(h, a, b, c, d, e, f, g, 57, w9); 549 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 550 SHA512ROUND(g, h, a, b, c, d, e, f, 58, w10); 551 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 552 SHA512ROUND(f, g, h, a, b, c, d, e, 59, w11); 553 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 554 SHA512ROUND(e, f, g, h, a, b, c, d, 60, w12); 555 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 556 SHA512ROUND(d, e, f, g, h, a, b, c, 61, w13); 557 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 558 SHA512ROUND(c, d, e, f, g, h, a, b, 62, w14); 559 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 560 SHA512ROUND(b, c, d, e, f, g, h, a, 63, w15); 561 562 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 563 SHA512ROUND(a, b, c, d, e, f, g, h, 64, w0); 564 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 565 SHA512ROUND(h, a, b, c, d, e, f, g, 65, w1); 566 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 567 SHA512ROUND(g, h, a, b, c, d, e, f, 66, w2); 568 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 569 SHA512ROUND(f, g, h, a, b, c, d, e, 67, w3); 570 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 571 SHA512ROUND(e, f, g, h, a, b, c, d, 68, w4); 572 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 573 SHA512ROUND(d, e, f, g, h, a, b, c, 69, w5); 574 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 575 SHA512ROUND(c, d, e, f, g, h, a, b, 70, w6); 576 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 577 SHA512ROUND(b, c, d, e, f, g, h, a, 71, w7); 578 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 579 SHA512ROUND(a, b, c, d, e, f, g, h, 72, w8); 580 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 581 SHA512ROUND(h, a, b, c, d, e, f, g, 73, w9); 582 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 583 SHA512ROUND(g, h, a, b, c, d, e, f, 74, w10); 584 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 585 SHA512ROUND(f, g, h, a, b, c, d, e, 75, w11); 586 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 587 SHA512ROUND(e, f, g, h, a, b, c, d, 76, w12); 588 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 589 SHA512ROUND(d, e, f, g, h, a, b, c, 77, w13); 590 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 591 SHA512ROUND(c, d, e, f, g, h, a, b, 78, w14); 592 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 593 SHA512ROUND(b, c, d, e, f, g, h, a, 79, w15); 594 595 ctx->state.s64[0] += a; 596 ctx->state.s64[1] += b; 597 ctx->state.s64[2] += c; 598 ctx->state.s64[3] += d; 599 ctx->state.s64[4] += e; 600 ctx->state.s64[5] += f; 601 ctx->state.s64[6] += g; 602 ctx->state.s64[7] += h; 603 604 } 605 #endif /* !__amd64 || !_KERNEL */ 606 607 608 /* 609 * Encode() 610 * 611 * purpose: to convert a list of numbers from little endian to big endian 612 * input: uint8_t * : place to store the converted big endian numbers 613 * uint32_t * : place to get numbers to convert from 614 * size_t : the length of the input in bytes 615 * output: void 616 */ 617 618 static void 619 Encode(uint8_t *_RESTRICT_KYWD output, uint32_t *_RESTRICT_KYWD input, 620 size_t len) 621 { 622 size_t i, j; 623 624 #if defined(__sparc) 625 if (IS_P2ALIGNED(output, sizeof (uint32_t))) { 626 for (i = 0, j = 0; j < len; i++, j += 4) { 627 /* LINTED E_BAD_PTR_CAST_ALIGN */ 628 *((uint32_t *)(output + j)) = input[i]; 629 } 630 } else { 631 #endif /* little endian -- will work on big endian, but slowly */ 632 for (i = 0, j = 0; j < len; i++, j += 4) { 633 output[j] = (input[i] >> 24) & 0xff; 634 output[j + 1] = (input[i] >> 16) & 0xff; 635 output[j + 2] = (input[i] >> 8) & 0xff; 636 output[j + 3] = input[i] & 0xff; 637 } 638 #if defined(__sparc) 639 } 640 #endif 641 } 642 643 static void 644 Encode64(uint8_t *_RESTRICT_KYWD output, uint64_t *_RESTRICT_KYWD input, 645 size_t len) 646 { 647 size_t i, j; 648 649 #if defined(__sparc) 650 if (IS_P2ALIGNED(output, sizeof (uint64_t))) { 651 for (i = 0, j = 0; j < len; i++, j += 8) { 652 /* LINTED E_BAD_PTR_CAST_ALIGN */ 653 *((uint64_t *)(output + j)) = input[i]; 654 } 655 } else { 656 #endif /* little endian -- will work on big endian, but slowly */ 657 for (i = 0, j = 0; j < len; i++, j += 8) { 658 659 output[j] = (input[i] >> 56) & 0xff; 660 output[j + 1] = (input[i] >> 48) & 0xff; 661 output[j + 2] = (input[i] >> 40) & 0xff; 662 output[j + 3] = (input[i] >> 32) & 0xff; 663 output[j + 4] = (input[i] >> 24) & 0xff; 664 output[j + 5] = (input[i] >> 16) & 0xff; 665 output[j + 6] = (input[i] >> 8) & 0xff; 666 output[j + 7] = input[i] & 0xff; 667 } 668 #if defined(__sparc) 669 } 670 #endif 671 } 672 673 674 void 675 SHA2Init(uint64_t mech, SHA2_CTX *ctx) 676 { 677 678 switch (mech) { 679 case SHA256_MECH_INFO_TYPE: 680 case SHA256_HMAC_MECH_INFO_TYPE: 681 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 682 ctx->state.s32[0] = 0x6a09e667U; 683 ctx->state.s32[1] = 0xbb67ae85U; 684 ctx->state.s32[2] = 0x3c6ef372U; 685 ctx->state.s32[3] = 0xa54ff53aU; 686 ctx->state.s32[4] = 0x510e527fU; 687 ctx->state.s32[5] = 0x9b05688cU; 688 ctx->state.s32[6] = 0x1f83d9abU; 689 ctx->state.s32[7] = 0x5be0cd19U; 690 break; 691 case SHA384_MECH_INFO_TYPE: 692 case SHA384_HMAC_MECH_INFO_TYPE: 693 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 694 ctx->state.s64[0] = 0xcbbb9d5dc1059ed8ULL; 695 ctx->state.s64[1] = 0x629a292a367cd507ULL; 696 ctx->state.s64[2] = 0x9159015a3070dd17ULL; 697 ctx->state.s64[3] = 0x152fecd8f70e5939ULL; 698 ctx->state.s64[4] = 0x67332667ffc00b31ULL; 699 ctx->state.s64[5] = 0x8eb44a8768581511ULL; 700 ctx->state.s64[6] = 0xdb0c2e0d64f98fa7ULL; 701 ctx->state.s64[7] = 0x47b5481dbefa4fa4ULL; 702 break; 703 case SHA512_MECH_INFO_TYPE: 704 case SHA512_HMAC_MECH_INFO_TYPE: 705 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 706 ctx->state.s64[0] = 0x6a09e667f3bcc908ULL; 707 ctx->state.s64[1] = 0xbb67ae8584caa73bULL; 708 ctx->state.s64[2] = 0x3c6ef372fe94f82bULL; 709 ctx->state.s64[3] = 0xa54ff53a5f1d36f1ULL; 710 ctx->state.s64[4] = 0x510e527fade682d1ULL; 711 ctx->state.s64[5] = 0x9b05688c2b3e6c1fULL; 712 ctx->state.s64[6] = 0x1f83d9abfb41bd6bULL; 713 ctx->state.s64[7] = 0x5be0cd19137e2179ULL; 714 break; 715 case SHA512_224_MECH_INFO_TYPE: 716 ctx->state.s64[0] = 0x8C3D37C819544DA2ULL; 717 ctx->state.s64[1] = 0x73E1996689DCD4D6ULL; 718 ctx->state.s64[2] = 0x1DFAB7AE32FF9C82ULL; 719 ctx->state.s64[3] = 0x679DD514582F9FCFULL; 720 ctx->state.s64[4] = 0x0F6D2B697BD44DA8ULL; 721 ctx->state.s64[5] = 0x77E36F7304C48942ULL; 722 ctx->state.s64[6] = 0x3F9D85A86A1D36C8ULL; 723 ctx->state.s64[7] = 0x1112E6AD91D692A1ULL; 724 break; 725 case SHA512_256_MECH_INFO_TYPE: 726 ctx->state.s64[0] = 0x22312194FC2BF72CULL; 727 ctx->state.s64[1] = 0x9F555FA3C84C64C2ULL; 728 ctx->state.s64[2] = 0x2393B86B6F53B151ULL; 729 ctx->state.s64[3] = 0x963877195940EABDULL; 730 ctx->state.s64[4] = 0x96283EE2A88EFFE3ULL; 731 ctx->state.s64[5] = 0xBE5E1E2553863992ULL; 732 ctx->state.s64[6] = 0x2B0199FC2C85B8AAULL; 733 ctx->state.s64[7] = 0x0EB72DDC81C52CA2ULL; 734 break; 735 #ifdef _KERNEL 736 default: 737 cmn_err(CE_PANIC, 738 "sha2_init: failed to find a supported algorithm: 0x%x", 739 (uint32_t)mech); 740 741 #endif /* _KERNEL */ 742 } 743 744 ctx->algotype = (uint32_t)mech; 745 ctx->count.c64[0] = ctx->count.c64[1] = 0; 746 } 747 748 #ifndef _KERNEL 749 750 // #pragma inline(SHA256Init, SHA384Init, SHA512Init) 751 void 752 SHA256Init(SHA256_CTX *ctx) 753 { 754 SHA2Init(SHA256, ctx); 755 } 756 757 void 758 SHA384Init(SHA384_CTX *ctx) 759 { 760 SHA2Init(SHA384, ctx); 761 } 762 763 void 764 SHA512Init(SHA512_CTX *ctx) 765 { 766 SHA2Init(SHA512, ctx); 767 } 768 769 #endif /* _KERNEL */ 770 771 /* 772 * SHA2Update() 773 * 774 * purpose: continues an sha2 digest operation, using the message block 775 * to update the context. 776 * input: SHA2_CTX * : the context to update 777 * void * : the message block 778 * size_t : the length of the message block, in bytes 779 * output: void 780 */ 781 782 void 783 SHA2Update(SHA2_CTX *ctx, const void *inptr, size_t input_len) 784 { 785 uint32_t i, buf_index, buf_len, buf_limit; 786 const uint8_t *input = inptr; 787 uint32_t algotype = ctx->algotype; 788 789 /* check for noop */ 790 if (input_len == 0) 791 return; 792 793 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 794 buf_limit = 64; 795 796 /* compute number of bytes mod 64 */ 797 buf_index = (ctx->count.c32[1] >> 3) & 0x3F; 798 799 /* update number of bits */ 800 if ((ctx->count.c32[1] += (input_len << 3)) < (input_len << 3)) 801 ctx->count.c32[0]++; 802 803 ctx->count.c32[0] += (input_len >> 29); 804 805 } else { 806 buf_limit = 128; 807 808 /* compute number of bytes mod 128 */ 809 buf_index = (ctx->count.c64[1] >> 3) & 0x7F; 810 811 /* update number of bits */ 812 if ((ctx->count.c64[1] += (input_len << 3)) < (input_len << 3)) 813 ctx->count.c64[0]++; 814 815 ctx->count.c64[0] += (input_len >> 29); 816 } 817 818 buf_len = buf_limit - buf_index; 819 820 /* transform as many times as possible */ 821 i = 0; 822 if (input_len >= buf_len) { 823 824 /* 825 * general optimization: 826 * 827 * only do initial memcpy() and SHA2Transform() if 828 * buf_index != 0. if buf_index == 0, we're just 829 * wasting our time doing the memcpy() since there 830 * wasn't any data left over from a previous call to 831 * SHA2Update(). 832 */ 833 if (buf_index) { 834 memcpy(&ctx->buf_un.buf8[buf_index], input, buf_len); 835 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) 836 SHA256Transform(ctx, ctx->buf_un.buf8); 837 else 838 SHA512Transform(ctx, ctx->buf_un.buf8); 839 840 i = buf_len; 841 } 842 843 #if !defined(__amd64) || !defined(_KERNEL) 844 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 845 for (; i + buf_limit - 1 < input_len; i += buf_limit) { 846 SHA256Transform(ctx, &input[i]); 847 } 848 } else { 849 for (; i + buf_limit - 1 < input_len; i += buf_limit) { 850 SHA512Transform(ctx, &input[i]); 851 } 852 } 853 854 #else 855 uint32_t block_count; 856 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 857 block_count = (input_len - i) >> 6; 858 if (block_count > 0) { 859 SHA256TransformBlocks(ctx, &input[i], 860 block_count); 861 i += block_count << 6; 862 } 863 } else { 864 block_count = (input_len - i) >> 7; 865 if (block_count > 0) { 866 SHA512TransformBlocks(ctx, &input[i], 867 block_count); 868 i += block_count << 7; 869 } 870 } 871 #endif /* !__amd64 || !_KERNEL */ 872 873 /* 874 * general optimization: 875 * 876 * if i and input_len are the same, return now instead 877 * of calling memcpy(), since the memcpy() in this case 878 * will be an expensive noop. 879 */ 880 881 if (input_len == i) 882 return; 883 884 buf_index = 0; 885 } 886 887 /* buffer remaining input */ 888 memcpy(&ctx->buf_un.buf8[buf_index], &input[i], input_len - i); 889 } 890 891 892 /* 893 * SHA2Final() 894 * 895 * purpose: ends an sha2 digest operation, finalizing the message digest and 896 * zeroing the context. 897 * input: uchar_t * : a buffer to store the digest 898 * : The function actually uses void* because many 899 * : callers pass things other than uchar_t here. 900 * SHA2_CTX * : the context to finalize, save, and zero 901 * output: void 902 */ 903 904 void 905 SHA2Final(void *digest, SHA2_CTX *ctx) 906 { 907 uint8_t bitcount_be[sizeof (ctx->count.c32)]; 908 uint8_t bitcount_be64[sizeof (ctx->count.c64)]; 909 uint32_t index; 910 uint32_t algotype = ctx->algotype; 911 912 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 913 index = (ctx->count.c32[1] >> 3) & 0x3f; 914 Encode(bitcount_be, ctx->count.c32, sizeof (bitcount_be)); 915 SHA2Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index); 916 SHA2Update(ctx, bitcount_be, sizeof (bitcount_be)); 917 Encode(digest, ctx->state.s32, sizeof (ctx->state.s32)); 918 } else { 919 index = (ctx->count.c64[1] >> 3) & 0x7f; 920 Encode64(bitcount_be64, ctx->count.c64, 921 sizeof (bitcount_be64)); 922 SHA2Update(ctx, PADDING, ((index < 112) ? 112 : 240) - index); 923 SHA2Update(ctx, bitcount_be64, sizeof (bitcount_be64)); 924 if (algotype <= SHA384_HMAC_GEN_MECH_INFO_TYPE) { 925 ctx->state.s64[6] = ctx->state.s64[7] = 0; 926 Encode64(digest, ctx->state.s64, 927 sizeof (uint64_t) * 6); 928 } else if (algotype == SHA512_224_MECH_INFO_TYPE) { 929 uint8_t last[sizeof (uint64_t)]; 930 /* 931 * Since SHA-512/224 doesn't align well to 64-bit 932 * boundaries, we must do the encoding in three steps: 933 * 1) encode the three 64-bit words that fit neatly 934 * 2) encode the last 64-bit word to a temp buffer 935 * 3) chop out the lower 32-bits from the temp buffer 936 * and append them to the digest 937 */ 938 Encode64(digest, ctx->state.s64, sizeof (uint64_t) * 3); 939 Encode64(last, &ctx->state.s64[3], sizeof (uint64_t)); 940 memcpy((uint8_t *)digest + 24, last, 4); 941 } else if (algotype == SHA512_256_MECH_INFO_TYPE) { 942 Encode64(digest, ctx->state.s64, sizeof (uint64_t) * 4); 943 } else { 944 Encode64(digest, ctx->state.s64, 945 sizeof (ctx->state.s64)); 946 } 947 } 948 949 /* zeroize sensitive information */ 950 memset(ctx, 0, sizeof (*ctx)); 951 } 952 953 #ifdef _KERNEL 954 EXPORT_SYMBOL(SHA2Init); 955 EXPORT_SYMBOL(SHA2Update); 956 EXPORT_SYMBOL(SHA2Final); 957 #endif

Cache object: 7f6f189a99364195037e7333f08775a6

FreeBSD/Linux Kernel Cross Reference sys/contrib/openzfs/module/icp/algs/sha2/sha2.c

FreeBSD/Linux Kernel Cross Reference
sys/contrib/openzfs/module/icp/algs/sha2/sha2.c