1 /* 2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * The basic framework for this code came from the reference 8 * implementation for MD5. That implementation is Copyright (C) 9 * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. 10 * 11 * License to copy and use this software is granted provided that it 12 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest 13 * Algorithm" in all material mentioning or referencing this software 14 * or this function. 15 * 16 * License is also granted to make and use derivative works provided 17 * that such works are identified as "derived from the RSA Data 18 * Security, Inc. MD5 Message-Digest Algorithm" in all material 19 * mentioning or referencing the derived work. 20 * 21 * RSA Data Security, Inc. makes no representations concerning either 22 * the merchantability of this software or the suitability of this 23 * software for any particular purpose. It is provided "as is" 24 * without express or implied warranty of any kind. 25 * 26 * These notices must be retained in any copies of any part of this 27 * documentation and/or software. 28 * 29 * NOTE: Cleaned-up and optimized, version of SHA2, based on the FIPS 180-2 30 * standard, available at 31 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf 32 * Not as fast as one would like -- further optimizations are encouraged 33 * and appreciated. 34 */ 35 36 #ifndef _KERNEL 37 #include <stdint.h> 38 #include <strings.h> 39 #include <stdlib.h> 40 #include <errno.h> 41 #endif /* _KERNEL */ 42 43 #include <sys/types.h> 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/sysmacros.h> 47 #define _SHA2_IMPL 48 #include <sys/sha2.h> 49 #include <sys/sha2_consts.h> 50 51 #ifdef _KERNEL 52 #include <sys/cmn_err.h> 53 54 #else 55 #pragma weak SHA256Update = SHA2Update 56 #pragma weak SHA384Update = SHA2Update 57 #pragma weak SHA512Update = SHA2Update 58 59 #pragma weak SHA256Final = SHA2Final 60 #pragma weak SHA384Final = SHA2Final 61 #pragma weak SHA512Final = SHA2Final 62 63 #endif /* _KERNEL */ 64 65 #ifdef _LITTLE_ENDIAN 66 #include <sys/byteorder.h> 67 #define HAVE_HTONL 68 #endif 69 70 static void Encode(uint8_t *, uint32_t *, size_t); 71 static void Encode64(uint8_t *, uint64_t *, size_t); 72 73 #if defined(__amd64) 74 #define SHA512Transform(ctx, in) SHA512TransformBlocks((ctx), (in), 1) 75 #define SHA256Transform(ctx, in) SHA256TransformBlocks((ctx), (in), 1) 76 77 void SHA512TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num); 78 void SHA256TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num); 79 80 #else 81 static void SHA256Transform(SHA2_CTX *, const uint8_t *); 82 static void SHA512Transform(SHA2_CTX *, const uint8_t *); 83 #endif /* __amd64 */ 84 85 static uint8_t PADDING[128] = { 0x80, /* all zeros */ }; 86 87 /* Ch and Maj are the basic SHA2 functions. */ 88 #define Ch(b, c, d) (((b) & (c)) ^ ((~b) & (d))) 89 #define Maj(b, c, d) (((b) & (c)) ^ ((b) & (d)) ^ ((c) & (d))) 90 91 /* Rotates x right n bits. */ 92 #define ROTR(x, n) \ 93 (((x) >> (n)) | ((x) << ((sizeof (x) * NBBY)-(n)))) 94 95 /* Shift x right n bits */ 96 #define SHR(x, n) ((x) >> (n)) 97 98 /* SHA256 Functions */ 99 #define BIGSIGMA0_256(x) (ROTR((x), 2) ^ ROTR((x), 13) ^ ROTR((x), 22)) 100 #define BIGSIGMA1_256(x) (ROTR((x), 6) ^ ROTR((x), 11) ^ ROTR((x), 25)) 101 #define SIGMA0_256(x) (ROTR((x), 7) ^ ROTR((x), 18) ^ SHR((x), 3)) 102 #define SIGMA1_256(x) (ROTR((x), 17) ^ ROTR((x), 19) ^ SHR((x), 10)) 103 104 #define SHA256ROUND(a, b, c, d, e, f, g, h, i, w) \ 105 T1 = h + BIGSIGMA1_256(e) + Ch(e, f, g) + SHA256_CONST(i) + w; \ 106 d += T1; \ 107 T2 = BIGSIGMA0_256(a) + Maj(a, b, c); \ 108 h = T1 + T2 109 110 /* SHA384/512 Functions */ 111 #define BIGSIGMA0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39)) 112 #define BIGSIGMA1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41)) 113 #define SIGMA0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ SHR((x), 7)) 114 #define SIGMA1(x) (ROTR((x), 19) ^ ROTR((x), 61) ^ SHR((x), 6)) 115 #define SHA512ROUND(a, b, c, d, e, f, g, h, i, w) \ 116 T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + SHA512_CONST(i) + w; \ 117 d += T1; \ 118 T2 = BIGSIGMA0(a) + Maj(a, b, c); \ 119 h = T1 + T2 120 121 /* 122 * sparc optimization: 123 * 124 * on the sparc, we can load big endian 32-bit data easily. note that 125 * special care must be taken to ensure the address is 32-bit aligned. 126 * in the interest of speed, we don't check to make sure, since 127 * careful programming can guarantee this for us. 128 */ 129 130 #if defined(_BIG_ENDIAN) 131 #define LOAD_BIG_32(addr) (*(uint32_t *)(addr)) 132 #define LOAD_BIG_64(addr) (*(uint64_t *)(addr)) 133 134 #elif defined(HAVE_HTONL) 135 #define LOAD_BIG_32(addr) htonl(*((uint32_t *)(addr))) 136 #define LOAD_BIG_64(addr) htonll(*((uint64_t *)(addr))) 137 138 #else 139 /* little endian -- will work on big endian, but slowly */ 140 #define LOAD_BIG_32(addr) \ 141 (((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3]) 142 #define LOAD_BIG_64(addr) \ 143 (((uint64_t)(addr)[0] << 56) | ((uint64_t)(addr)[1] << 48) | \ 144 ((uint64_t)(addr)[2] << 40) | ((uint64_t)(addr)[3] << 32) | \ 145 ((uint64_t)(addr)[4] << 24) | ((uint64_t)(addr)[5] << 16) | \ 146 ((uint64_t)(addr)[6] << 8) | (uint64_t)(addr)[7]) 147 #endif /* _BIG_ENDIAN */ 148 149 150 #if !defined(__amd64) 151 /* SHA256 Transform */ 152 153 static void 154 SHA256Transform(SHA2_CTX *ctx, const uint8_t *blk) 155 { 156 uint32_t a = ctx->state.s32[0]; 157 uint32_t b = ctx->state.s32[1]; 158 uint32_t c = ctx->state.s32[2]; 159 uint32_t d = ctx->state.s32[3]; 160 uint32_t e = ctx->state.s32[4]; 161 uint32_t f = ctx->state.s32[5]; 162 uint32_t g = ctx->state.s32[6]; 163 uint32_t h = ctx->state.s32[7]; 164 165 uint32_t w0, w1, w2, w3, w4, w5, w6, w7; 166 uint32_t w8, w9, w10, w11, w12, w13, w14, w15; 167 uint32_t T1, T2; 168 169 #if defined(__sparc) 170 static const uint32_t sha256_consts[] = { 171 SHA256_CONST_0, SHA256_CONST_1, SHA256_CONST_2, 172 SHA256_CONST_3, SHA256_CONST_4, SHA256_CONST_5, 173 SHA256_CONST_6, SHA256_CONST_7, SHA256_CONST_8, 174 SHA256_CONST_9, SHA256_CONST_10, SHA256_CONST_11, 175 SHA256_CONST_12, SHA256_CONST_13, SHA256_CONST_14, 176 SHA256_CONST_15, SHA256_CONST_16, SHA256_CONST_17, 177 SHA256_CONST_18, SHA256_CONST_19, SHA256_CONST_20, 178 SHA256_CONST_21, SHA256_CONST_22, SHA256_CONST_23, 179 SHA256_CONST_24, SHA256_CONST_25, SHA256_CONST_26, 180 SHA256_CONST_27, SHA256_CONST_28, SHA256_CONST_29, 181 SHA256_CONST_30, SHA256_CONST_31, SHA256_CONST_32, 182 SHA256_CONST_33, SHA256_CONST_34, SHA256_CONST_35, 183 SHA256_CONST_36, SHA256_CONST_37, SHA256_CONST_38, 184 SHA256_CONST_39, SHA256_CONST_40, SHA256_CONST_41, 185 SHA256_CONST_42, SHA256_CONST_43, SHA256_CONST_44, 186 SHA256_CONST_45, SHA256_CONST_46, SHA256_CONST_47, 187 SHA256_CONST_48, SHA256_CONST_49, SHA256_CONST_50, 188 SHA256_CONST_51, SHA256_CONST_52, SHA256_CONST_53, 189 SHA256_CONST_54, SHA256_CONST_55, SHA256_CONST_56, 190 SHA256_CONST_57, SHA256_CONST_58, SHA256_CONST_59, 191 SHA256_CONST_60, SHA256_CONST_61, SHA256_CONST_62, 192 SHA256_CONST_63 193 }; 194 #endif /* __sparc */ 195 196 if ((uintptr_t)blk & 0x3) { /* not 4-byte aligned? */ 197 bcopy(blk, ctx->buf_un.buf32, sizeof (ctx->buf_un.buf32)); 198 blk = (uint8_t *)ctx->buf_un.buf32; 199 } 200 201 /* LINTED E_BAD_PTR_CAST_ALIGN */ 202 w0 = LOAD_BIG_32(blk + 4 * 0); 203 SHA256ROUND(a, b, c, d, e, f, g, h, 0, w0); 204 /* LINTED E_BAD_PTR_CAST_ALIGN */ 205 w1 = LOAD_BIG_32(blk + 4 * 1); 206 SHA256ROUND(h, a, b, c, d, e, f, g, 1, w1); 207 /* LINTED E_BAD_PTR_CAST_ALIGN */ 208 w2 = LOAD_BIG_32(blk + 4 * 2); 209 SHA256ROUND(g, h, a, b, c, d, e, f, 2, w2); 210 /* LINTED E_BAD_PTR_CAST_ALIGN */ 211 w3 = LOAD_BIG_32(blk + 4 * 3); 212 SHA256ROUND(f, g, h, a, b, c, d, e, 3, w3); 213 /* LINTED E_BAD_PTR_CAST_ALIGN */ 214 w4 = LOAD_BIG_32(blk + 4 * 4); 215 SHA256ROUND(e, f, g, h, a, b, c, d, 4, w4); 216 /* LINTED E_BAD_PTR_CAST_ALIGN */ 217 w5 = LOAD_BIG_32(blk + 4 * 5); 218 SHA256ROUND(d, e, f, g, h, a, b, c, 5, w5); 219 /* LINTED E_BAD_PTR_CAST_ALIGN */ 220 w6 = LOAD_BIG_32(blk + 4 * 6); 221 SHA256ROUND(c, d, e, f, g, h, a, b, 6, w6); 222 /* LINTED E_BAD_PTR_CAST_ALIGN */ 223 w7 = LOAD_BIG_32(blk + 4 * 7); 224 SHA256ROUND(b, c, d, e, f, g, h, a, 7, w7); 225 /* LINTED E_BAD_PTR_CAST_ALIGN */ 226 w8 = LOAD_BIG_32(blk + 4 * 8); 227 SHA256ROUND(a, b, c, d, e, f, g, h, 8, w8); 228 /* LINTED E_BAD_PTR_CAST_ALIGN */ 229 w9 = LOAD_BIG_32(blk + 4 * 9); 230 SHA256ROUND(h, a, b, c, d, e, f, g, 9, w9); 231 /* LINTED E_BAD_PTR_CAST_ALIGN */ 232 w10 = LOAD_BIG_32(blk + 4 * 10); 233 SHA256ROUND(g, h, a, b, c, d, e, f, 10, w10); 234 /* LINTED E_BAD_PTR_CAST_ALIGN */ 235 w11 = LOAD_BIG_32(blk + 4 * 11); 236 SHA256ROUND(f, g, h, a, b, c, d, e, 11, w11); 237 /* LINTED E_BAD_PTR_CAST_ALIGN */ 238 w12 = LOAD_BIG_32(blk + 4 * 12); 239 SHA256ROUND(e, f, g, h, a, b, c, d, 12, w12); 240 /* LINTED E_BAD_PTR_CAST_ALIGN */ 241 w13 = LOAD_BIG_32(blk + 4 * 13); 242 SHA256ROUND(d, e, f, g, h, a, b, c, 13, w13); 243 /* LINTED E_BAD_PTR_CAST_ALIGN */ 244 w14 = LOAD_BIG_32(blk + 4 * 14); 245 SHA256ROUND(c, d, e, f, g, h, a, b, 14, w14); 246 /* LINTED E_BAD_PTR_CAST_ALIGN */ 247 w15 = LOAD_BIG_32(blk + 4 * 15); 248 SHA256ROUND(b, c, d, e, f, g, h, a, 15, w15); 249 250 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0; 251 SHA256ROUND(a, b, c, d, e, f, g, h, 16, w0); 252 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1; 253 SHA256ROUND(h, a, b, c, d, e, f, g, 17, w1); 254 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2; 255 SHA256ROUND(g, h, a, b, c, d, e, f, 18, w2); 256 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3; 257 SHA256ROUND(f, g, h, a, b, c, d, e, 19, w3); 258 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4; 259 SHA256ROUND(e, f, g, h, a, b, c, d, 20, w4); 260 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5; 261 SHA256ROUND(d, e, f, g, h, a, b, c, 21, w5); 262 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6; 263 SHA256ROUND(c, d, e, f, g, h, a, b, 22, w6); 264 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7; 265 SHA256ROUND(b, c, d, e, f, g, h, a, 23, w7); 266 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8; 267 SHA256ROUND(a, b, c, d, e, f, g, h, 24, w8); 268 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9; 269 SHA256ROUND(h, a, b, c, d, e, f, g, 25, w9); 270 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10; 271 SHA256ROUND(g, h, a, b, c, d, e, f, 26, w10); 272 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11; 273 SHA256ROUND(f, g, h, a, b, c, d, e, 27, w11); 274 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12; 275 SHA256ROUND(e, f, g, h, a, b, c, d, 28, w12); 276 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13; 277 SHA256ROUND(d, e, f, g, h, a, b, c, 29, w13); 278 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14; 279 SHA256ROUND(c, d, e, f, g, h, a, b, 30, w14); 280 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15; 281 SHA256ROUND(b, c, d, e, f, g, h, a, 31, w15); 282 283 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0; 284 SHA256ROUND(a, b, c, d, e, f, g, h, 32, w0); 285 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1; 286 SHA256ROUND(h, a, b, c, d, e, f, g, 33, w1); 287 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2; 288 SHA256ROUND(g, h, a, b, c, d, e, f, 34, w2); 289 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3; 290 SHA256ROUND(f, g, h, a, b, c, d, e, 35, w3); 291 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4; 292 SHA256ROUND(e, f, g, h, a, b, c, d, 36, w4); 293 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5; 294 SHA256ROUND(d, e, f, g, h, a, b, c, 37, w5); 295 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6; 296 SHA256ROUND(c, d, e, f, g, h, a, b, 38, w6); 297 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7; 298 SHA256ROUND(b, c, d, e, f, g, h, a, 39, w7); 299 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8; 300 SHA256ROUND(a, b, c, d, e, f, g, h, 40, w8); 301 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9; 302 SHA256ROUND(h, a, b, c, d, e, f, g, 41, w9); 303 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10; 304 SHA256ROUND(g, h, a, b, c, d, e, f, 42, w10); 305 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11; 306 SHA256ROUND(f, g, h, a, b, c, d, e, 43, w11); 307 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12; 308 SHA256ROUND(e, f, g, h, a, b, c, d, 44, w12); 309 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13; 310 SHA256ROUND(d, e, f, g, h, a, b, c, 45, w13); 311 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14; 312 SHA256ROUND(c, d, e, f, g, h, a, b, 46, w14); 313 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15; 314 SHA256ROUND(b, c, d, e, f, g, h, a, 47, w15); 315 316 w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0; 317 SHA256ROUND(a, b, c, d, e, f, g, h, 48, w0); 318 w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1; 319 SHA256ROUND(h, a, b, c, d, e, f, g, 49, w1); 320 w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2; 321 SHA256ROUND(g, h, a, b, c, d, e, f, 50, w2); 322 w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3; 323 SHA256ROUND(f, g, h, a, b, c, d, e, 51, w3); 324 w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4; 325 SHA256ROUND(e, f, g, h, a, b, c, d, 52, w4); 326 w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5; 327 SHA256ROUND(d, e, f, g, h, a, b, c, 53, w5); 328 w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6; 329 SHA256ROUND(c, d, e, f, g, h, a, b, 54, w6); 330 w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7; 331 SHA256ROUND(b, c, d, e, f, g, h, a, 55, w7); 332 w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8; 333 SHA256ROUND(a, b, c, d, e, f, g, h, 56, w8); 334 w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9; 335 SHA256ROUND(h, a, b, c, d, e, f, g, 57, w9); 336 w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10; 337 SHA256ROUND(g, h, a, b, c, d, e, f, 58, w10); 338 w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11; 339 SHA256ROUND(f, g, h, a, b, c, d, e, 59, w11); 340 w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12; 341 SHA256ROUND(e, f, g, h, a, b, c, d, 60, w12); 342 w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13; 343 SHA256ROUND(d, e, f, g, h, a, b, c, 61, w13); 344 w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14; 345 SHA256ROUND(c, d, e, f, g, h, a, b, 62, w14); 346 w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15; 347 SHA256ROUND(b, c, d, e, f, g, h, a, 63, w15); 348 349 ctx->state.s32[0] += a; 350 ctx->state.s32[1] += b; 351 ctx->state.s32[2] += c; 352 ctx->state.s32[3] += d; 353 ctx->state.s32[4] += e; 354 ctx->state.s32[5] += f; 355 ctx->state.s32[6] += g; 356 ctx->state.s32[7] += h; 357 } 358 359 360 /* SHA384 and SHA512 Transform */ 361 362 static void 363 SHA512Transform(SHA2_CTX *ctx, const uint8_t *blk) 364 { 365 366 uint64_t a = ctx->state.s64[0]; 367 uint64_t b = ctx->state.s64[1]; 368 uint64_t c = ctx->state.s64[2]; 369 uint64_t d = ctx->state.s64[3]; 370 uint64_t e = ctx->state.s64[4]; 371 uint64_t f = ctx->state.s64[5]; 372 uint64_t g = ctx->state.s64[6]; 373 uint64_t h = ctx->state.s64[7]; 374 375 uint64_t w0, w1, w2, w3, w4, w5, w6, w7; 376 uint64_t w8, w9, w10, w11, w12, w13, w14, w15; 377 uint64_t T1, T2; 378 379 #if defined(__sparc) 380 static const uint64_t sha512_consts[] = { 381 SHA512_CONST_0, SHA512_CONST_1, SHA512_CONST_2, 382 SHA512_CONST_3, SHA512_CONST_4, SHA512_CONST_5, 383 SHA512_CONST_6, SHA512_CONST_7, SHA512_CONST_8, 384 SHA512_CONST_9, SHA512_CONST_10, SHA512_CONST_11, 385 SHA512_CONST_12, SHA512_CONST_13, SHA512_CONST_14, 386 SHA512_CONST_15, SHA512_CONST_16, SHA512_CONST_17, 387 SHA512_CONST_18, SHA512_CONST_19, SHA512_CONST_20, 388 SHA512_CONST_21, SHA512_CONST_22, SHA512_CONST_23, 389 SHA512_CONST_24, SHA512_CONST_25, SHA512_CONST_26, 390 SHA512_CONST_27, SHA512_CONST_28, SHA512_CONST_29, 391 SHA512_CONST_30, SHA512_CONST_31, SHA512_CONST_32, 392 SHA512_CONST_33, SHA512_CONST_34, SHA512_CONST_35, 393 SHA512_CONST_36, SHA512_CONST_37, SHA512_CONST_38, 394 SHA512_CONST_39, SHA512_CONST_40, SHA512_CONST_41, 395 SHA512_CONST_42, SHA512_CONST_43, SHA512_CONST_44, 396 SHA512_CONST_45, SHA512_CONST_46, SHA512_CONST_47, 397 SHA512_CONST_48, SHA512_CONST_49, SHA512_CONST_50, 398 SHA512_CONST_51, SHA512_CONST_52, SHA512_CONST_53, 399 SHA512_CONST_54, SHA512_CONST_55, SHA512_CONST_56, 400 SHA512_CONST_57, SHA512_CONST_58, SHA512_CONST_59, 401 SHA512_CONST_60, SHA512_CONST_61, SHA512_CONST_62, 402 SHA512_CONST_63, SHA512_CONST_64, SHA512_CONST_65, 403 SHA512_CONST_66, SHA512_CONST_67, SHA512_CONST_68, 404 SHA512_CONST_69, SHA512_CONST_70, SHA512_CONST_71, 405 SHA512_CONST_72, SHA512_CONST_73, SHA512_CONST_74, 406 SHA512_CONST_75, SHA512_CONST_76, SHA512_CONST_77, 407 SHA512_CONST_78, SHA512_CONST_79 408 }; 409 #endif /* __sparc */ 410 411 412 if ((uintptr_t)blk & 0x7) { /* not 8-byte aligned? */ 413 bcopy(blk, ctx->buf_un.buf64, sizeof (ctx->buf_un.buf64)); 414 blk = (uint8_t *)ctx->buf_un.buf64; 415 } 416 417 /* LINTED E_BAD_PTR_CAST_ALIGN */ 418 w0 = LOAD_BIG_64(blk + 8 * 0); 419 SHA512ROUND(a, b, c, d, e, f, g, h, 0, w0); 420 /* LINTED E_BAD_PTR_CAST_ALIGN */ 421 w1 = LOAD_BIG_64(blk + 8 * 1); 422 SHA512ROUND(h, a, b, c, d, e, f, g, 1, w1); 423 /* LINTED E_BAD_PTR_CAST_ALIGN */ 424 w2 = LOAD_BIG_64(blk + 8 * 2); 425 SHA512ROUND(g, h, a, b, c, d, e, f, 2, w2); 426 /* LINTED E_BAD_PTR_CAST_ALIGN */ 427 w3 = LOAD_BIG_64(blk + 8 * 3); 428 SHA512ROUND(f, g, h, a, b, c, d, e, 3, w3); 429 /* LINTED E_BAD_PTR_CAST_ALIGN */ 430 w4 = LOAD_BIG_64(blk + 8 * 4); 431 SHA512ROUND(e, f, g, h, a, b, c, d, 4, w4); 432 /* LINTED E_BAD_PTR_CAST_ALIGN */ 433 w5 = LOAD_BIG_64(blk + 8 * 5); 434 SHA512ROUND(d, e, f, g, h, a, b, c, 5, w5); 435 /* LINTED E_BAD_PTR_CAST_ALIGN */ 436 w6 = LOAD_BIG_64(blk + 8 * 6); 437 SHA512ROUND(c, d, e, f, g, h, a, b, 6, w6); 438 /* LINTED E_BAD_PTR_CAST_ALIGN */ 439 w7 = LOAD_BIG_64(blk + 8 * 7); 440 SHA512ROUND(b, c, d, e, f, g, h, a, 7, w7); 441 /* LINTED E_BAD_PTR_CAST_ALIGN */ 442 w8 = LOAD_BIG_64(blk + 8 * 8); 443 SHA512ROUND(a, b, c, d, e, f, g, h, 8, w8); 444 /* LINTED E_BAD_PTR_CAST_ALIGN */ 445 w9 = LOAD_BIG_64(blk + 8 * 9); 446 SHA512ROUND(h, a, b, c, d, e, f, g, 9, w9); 447 /* LINTED E_BAD_PTR_CAST_ALIGN */ 448 w10 = LOAD_BIG_64(blk + 8 * 10); 449 SHA512ROUND(g, h, a, b, c, d, e, f, 10, w10); 450 /* LINTED E_BAD_PTR_CAST_ALIGN */ 451 w11 = LOAD_BIG_64(blk + 8 * 11); 452 SHA512ROUND(f, g, h, a, b, c, d, e, 11, w11); 453 /* LINTED E_BAD_PTR_CAST_ALIGN */ 454 w12 = LOAD_BIG_64(blk + 8 * 12); 455 SHA512ROUND(e, f, g, h, a, b, c, d, 12, w12); 456 /* LINTED E_BAD_PTR_CAST_ALIGN */ 457 w13 = LOAD_BIG_64(blk + 8 * 13); 458 SHA512ROUND(d, e, f, g, h, a, b, c, 13, w13); 459 /* LINTED E_BAD_PTR_CAST_ALIGN */ 460 w14 = LOAD_BIG_64(blk + 8 * 14); 461 SHA512ROUND(c, d, e, f, g, h, a, b, 14, w14); 462 /* LINTED E_BAD_PTR_CAST_ALIGN */ 463 w15 = LOAD_BIG_64(blk + 8 * 15); 464 SHA512ROUND(b, c, d, e, f, g, h, a, 15, w15); 465 466 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 467 SHA512ROUND(a, b, c, d, e, f, g, h, 16, w0); 468 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 469 SHA512ROUND(h, a, b, c, d, e, f, g, 17, w1); 470 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 471 SHA512ROUND(g, h, a, b, c, d, e, f, 18, w2); 472 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 473 SHA512ROUND(f, g, h, a, b, c, d, e, 19, w3); 474 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 475 SHA512ROUND(e, f, g, h, a, b, c, d, 20, w4); 476 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 477 SHA512ROUND(d, e, f, g, h, a, b, c, 21, w5); 478 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 479 SHA512ROUND(c, d, e, f, g, h, a, b, 22, w6); 480 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 481 SHA512ROUND(b, c, d, e, f, g, h, a, 23, w7); 482 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 483 SHA512ROUND(a, b, c, d, e, f, g, h, 24, w8); 484 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 485 SHA512ROUND(h, a, b, c, d, e, f, g, 25, w9); 486 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 487 SHA512ROUND(g, h, a, b, c, d, e, f, 26, w10); 488 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 489 SHA512ROUND(f, g, h, a, b, c, d, e, 27, w11); 490 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 491 SHA512ROUND(e, f, g, h, a, b, c, d, 28, w12); 492 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 493 SHA512ROUND(d, e, f, g, h, a, b, c, 29, w13); 494 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 495 SHA512ROUND(c, d, e, f, g, h, a, b, 30, w14); 496 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 497 SHA512ROUND(b, c, d, e, f, g, h, a, 31, w15); 498 499 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 500 SHA512ROUND(a, b, c, d, e, f, g, h, 32, w0); 501 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 502 SHA512ROUND(h, a, b, c, d, e, f, g, 33, w1); 503 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 504 SHA512ROUND(g, h, a, b, c, d, e, f, 34, w2); 505 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 506 SHA512ROUND(f, g, h, a, b, c, d, e, 35, w3); 507 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 508 SHA512ROUND(e, f, g, h, a, b, c, d, 36, w4); 509 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 510 SHA512ROUND(d, e, f, g, h, a, b, c, 37, w5); 511 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 512 SHA512ROUND(c, d, e, f, g, h, a, b, 38, w6); 513 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 514 SHA512ROUND(b, c, d, e, f, g, h, a, 39, w7); 515 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 516 SHA512ROUND(a, b, c, d, e, f, g, h, 40, w8); 517 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 518 SHA512ROUND(h, a, b, c, d, e, f, g, 41, w9); 519 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 520 SHA512ROUND(g, h, a, b, c, d, e, f, 42, w10); 521 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 522 SHA512ROUND(f, g, h, a, b, c, d, e, 43, w11); 523 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 524 SHA512ROUND(e, f, g, h, a, b, c, d, 44, w12); 525 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 526 SHA512ROUND(d, e, f, g, h, a, b, c, 45, w13); 527 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 528 SHA512ROUND(c, d, e, f, g, h, a, b, 46, w14); 529 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 530 SHA512ROUND(b, c, d, e, f, g, h, a, 47, w15); 531 532 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 533 SHA512ROUND(a, b, c, d, e, f, g, h, 48, w0); 534 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 535 SHA512ROUND(h, a, b, c, d, e, f, g, 49, w1); 536 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 537 SHA512ROUND(g, h, a, b, c, d, e, f, 50, w2); 538 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 539 SHA512ROUND(f, g, h, a, b, c, d, e, 51, w3); 540 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 541 SHA512ROUND(e, f, g, h, a, b, c, d, 52, w4); 542 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 543 SHA512ROUND(d, e, f, g, h, a, b, c, 53, w5); 544 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 545 SHA512ROUND(c, d, e, f, g, h, a, b, 54, w6); 546 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 547 SHA512ROUND(b, c, d, e, f, g, h, a, 55, w7); 548 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 549 SHA512ROUND(a, b, c, d, e, f, g, h, 56, w8); 550 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 551 SHA512ROUND(h, a, b, c, d, e, f, g, 57, w9); 552 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 553 SHA512ROUND(g, h, a, b, c, d, e, f, 58, w10); 554 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 555 SHA512ROUND(f, g, h, a, b, c, d, e, 59, w11); 556 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 557 SHA512ROUND(e, f, g, h, a, b, c, d, 60, w12); 558 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 559 SHA512ROUND(d, e, f, g, h, a, b, c, 61, w13); 560 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 561 SHA512ROUND(c, d, e, f, g, h, a, b, 62, w14); 562 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 563 SHA512ROUND(b, c, d, e, f, g, h, a, 63, w15); 564 565 w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0; 566 SHA512ROUND(a, b, c, d, e, f, g, h, 64, w0); 567 w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1; 568 SHA512ROUND(h, a, b, c, d, e, f, g, 65, w1); 569 w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2; 570 SHA512ROUND(g, h, a, b, c, d, e, f, 66, w2); 571 w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3; 572 SHA512ROUND(f, g, h, a, b, c, d, e, 67, w3); 573 w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4; 574 SHA512ROUND(e, f, g, h, a, b, c, d, 68, w4); 575 w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5; 576 SHA512ROUND(d, e, f, g, h, a, b, c, 69, w5); 577 w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6; 578 SHA512ROUND(c, d, e, f, g, h, a, b, 70, w6); 579 w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7; 580 SHA512ROUND(b, c, d, e, f, g, h, a, 71, w7); 581 w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8; 582 SHA512ROUND(a, b, c, d, e, f, g, h, 72, w8); 583 w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9; 584 SHA512ROUND(h, a, b, c, d, e, f, g, 73, w9); 585 w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10; 586 SHA512ROUND(g, h, a, b, c, d, e, f, 74, w10); 587 w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11; 588 SHA512ROUND(f, g, h, a, b, c, d, e, 75, w11); 589 w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12; 590 SHA512ROUND(e, f, g, h, a, b, c, d, 76, w12); 591 w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13; 592 SHA512ROUND(d, e, f, g, h, a, b, c, 77, w13); 593 w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14; 594 SHA512ROUND(c, d, e, f, g, h, a, b, 78, w14); 595 w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15; 596 SHA512ROUND(b, c, d, e, f, g, h, a, 79, w15); 597 598 ctx->state.s64[0] += a; 599 ctx->state.s64[1] += b; 600 ctx->state.s64[2] += c; 601 ctx->state.s64[3] += d; 602 ctx->state.s64[4] += e; 603 ctx->state.s64[5] += f; 604 ctx->state.s64[6] += g; 605 ctx->state.s64[7] += h; 606 607 } 608 #endif /* !__amd64 */ 609 610 611 /* 612 * Encode() 613 * 614 * purpose: to convert a list of numbers from little endian to big endian 615 * input: uint8_t * : place to store the converted big endian numbers 616 * uint32_t * : place to get numbers to convert from 617 * size_t : the length of the input in bytes 618 * output: void 619 */ 620 621 static void 622 Encode(uint8_t *_RESTRICT_KYWD output, uint32_t *_RESTRICT_KYWD input, 623 size_t len) 624 { 625 size_t i, j; 626 627 #if defined(__sparc) 628 if (IS_P2ALIGNED(output, sizeof (uint32_t))) { 629 for (i = 0, j = 0; j < len; i++, j += 4) { 630 /* LINTED E_BAD_PTR_CAST_ALIGN */ 631 *((uint32_t *)(output + j)) = input[i]; 632 } 633 } else { 634 #endif /* little endian -- will work on big endian, but slowly */ 635 for (i = 0, j = 0; j < len; i++, j += 4) { 636 output[j] = (input[i] >> 24) & 0xff; 637 output[j + 1] = (input[i] >> 16) & 0xff; 638 output[j + 2] = (input[i] >> 8) & 0xff; 639 output[j + 3] = input[i] & 0xff; 640 } 641 #if defined(__sparc) 642 } 643 #endif 644 } 645 646 static void 647 Encode64(uint8_t *_RESTRICT_KYWD output, uint64_t *_RESTRICT_KYWD input, 648 size_t len) 649 { 650 size_t i, j; 651 652 #if defined(__sparc) 653 if (IS_P2ALIGNED(output, sizeof (uint64_t))) { 654 for (i = 0, j = 0; j < len; i++, j += 8) { 655 /* LINTED E_BAD_PTR_CAST_ALIGN */ 656 *((uint64_t *)(output + j)) = input[i]; 657 } 658 } else { 659 #endif /* little endian -- will work on big endian, but slowly */ 660 for (i = 0, j = 0; j < len; i++, j += 8) { 661 662 output[j] = (input[i] >> 56) & 0xff; 663 output[j + 1] = (input[i] >> 48) & 0xff; 664 output[j + 2] = (input[i] >> 40) & 0xff; 665 output[j + 3] = (input[i] >> 32) & 0xff; 666 output[j + 4] = (input[i] >> 24) & 0xff; 667 output[j + 5] = (input[i] >> 16) & 0xff; 668 output[j + 6] = (input[i] >> 8) & 0xff; 669 output[j + 7] = input[i] & 0xff; 670 } 671 #if defined(__sparc) 672 } 673 #endif 674 } 675 676 677 void 678 SHA2Init(uint64_t mech, SHA2_CTX *ctx) 679 { 680 681 switch (mech) { 682 case SHA256_MECH_INFO_TYPE: 683 case SHA256_HMAC_MECH_INFO_TYPE: 684 case SHA256_HMAC_GEN_MECH_INFO_TYPE: 685 ctx->state.s32[0] = 0x6a09e667U; 686 ctx->state.s32[1] = 0xbb67ae85U; 687 ctx->state.s32[2] = 0x3c6ef372U; 688 ctx->state.s32[3] = 0xa54ff53aU; 689 ctx->state.s32[4] = 0x510e527fU; 690 ctx->state.s32[5] = 0x9b05688cU; 691 ctx->state.s32[6] = 0x1f83d9abU; 692 ctx->state.s32[7] = 0x5be0cd19U; 693 break; 694 case SHA384_MECH_INFO_TYPE: 695 case SHA384_HMAC_MECH_INFO_TYPE: 696 case SHA384_HMAC_GEN_MECH_INFO_TYPE: 697 ctx->state.s64[0] = 0xcbbb9d5dc1059ed8ULL; 698 ctx->state.s64[1] = 0x629a292a367cd507ULL; 699 ctx->state.s64[2] = 0x9159015a3070dd17ULL; 700 ctx->state.s64[3] = 0x152fecd8f70e5939ULL; 701 ctx->state.s64[4] = 0x67332667ffc00b31ULL; 702 ctx->state.s64[5] = 0x8eb44a8768581511ULL; 703 ctx->state.s64[6] = 0xdb0c2e0d64f98fa7ULL; 704 ctx->state.s64[7] = 0x47b5481dbefa4fa4ULL; 705 break; 706 case SHA512_MECH_INFO_TYPE: 707 case SHA512_HMAC_MECH_INFO_TYPE: 708 case SHA512_HMAC_GEN_MECH_INFO_TYPE: 709 ctx->state.s64[0] = 0x6a09e667f3bcc908ULL; 710 ctx->state.s64[1] = 0xbb67ae8584caa73bULL; 711 ctx->state.s64[2] = 0x3c6ef372fe94f82bULL; 712 ctx->state.s64[3] = 0xa54ff53a5f1d36f1ULL; 713 ctx->state.s64[4] = 0x510e527fade682d1ULL; 714 ctx->state.s64[5] = 0x9b05688c2b3e6c1fULL; 715 ctx->state.s64[6] = 0x1f83d9abfb41bd6bULL; 716 ctx->state.s64[7] = 0x5be0cd19137e2179ULL; 717 break; 718 #ifdef _KERNEL 719 default: 720 cmn_err(CE_PANIC, 721 "sha2_init: failed to find a supported algorithm: 0x%x", 722 (uint32_t)mech); 723 724 #endif /* _KERNEL */ 725 } 726 727 ctx->algotype = (uint32_t)mech; 728 ctx->count.c64[0] = ctx->count.c64[1] = 0; 729 } 730 731 #ifndef _KERNEL 732 733 #pragma inline(SHA256Init, SHA384Init, SHA512Init) 734 void 735 SHA256Init(SHA256_CTX *ctx) 736 { 737 SHA2Init(SHA256, ctx); 738 } 739 740 void 741 SHA384Init(SHA384_CTX *ctx) 742 { 743 SHA2Init(SHA384, ctx); 744 } 745 746 void 747 SHA512Init(SHA512_CTX *ctx) 748 { 749 SHA2Init(SHA512, ctx); 750 } 751 752 #endif /* _KERNEL */ 753 754 /* 755 * SHA2Update() 756 * 757 * purpose: continues an sha2 digest operation, using the message block 758 * to update the context. 759 * input: SHA2_CTX * : the context to update 760 * void * : the message block 761 * size_t : the length of the message block, in bytes 762 * output: void 763 */ 764 765 void 766 SHA2Update(SHA2_CTX *ctx, const void *inptr, size_t input_len) 767 { 768 uint32_t i, buf_index, buf_len, buf_limit; 769 const uint8_t *input = inptr; 770 uint32_t algotype = ctx->algotype; 771 #if defined(__amd64) 772 uint32_t block_count; 773 #endif /* !__amd64 */ 774 775 776 /* check for noop */ 777 if (input_len == 0) 778 return; 779 780 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 781 buf_limit = 64; 782 783 /* compute number of bytes mod 64 */ 784 buf_index = (ctx->count.c32[1] >> 3) & 0x3F; 785 786 /* update number of bits */ 787 if ((ctx->count.c32[1] += (input_len << 3)) < (input_len << 3)) 788 ctx->count.c32[0]++; 789 790 ctx->count.c32[0] += (input_len >> 29); 791 792 } else { 793 buf_limit = 128; 794 795 /* compute number of bytes mod 128 */ 796 buf_index = (ctx->count.c64[1] >> 3) & 0x7F; 797 798 /* update number of bits */ 799 if ((ctx->count.c64[1] += (input_len << 3)) < (input_len << 3)) 800 ctx->count.c64[0]++; 801 802 ctx->count.c64[0] += (input_len >> 29); 803 } 804 805 buf_len = buf_limit - buf_index; 806 807 /* transform as many times as possible */ 808 i = 0; 809 if (input_len >= buf_len) { 810 811 /* 812 * general optimization: 813 * 814 * only do initial bcopy() and SHA2Transform() if 815 * buf_index != 0. if buf_index == 0, we're just 816 * wasting our time doing the bcopy() since there 817 * wasn't any data left over from a previous call to 818 * SHA2Update(). 819 */ 820 if (buf_index) { 821 bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len); 822 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) 823 SHA256Transform(ctx, ctx->buf_un.buf8); 824 else 825 SHA512Transform(ctx, ctx->buf_un.buf8); 826 827 i = buf_len; 828 } 829 830 #if !defined(__amd64) 831 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 832 for (; i + buf_limit - 1 < input_len; i += buf_limit) { 833 SHA256Transform(ctx, &input[i]); 834 } 835 } else { 836 for (; i + buf_limit - 1 < input_len; i += buf_limit) { 837 SHA512Transform(ctx, &input[i]); 838 } 839 } 840 841 #else 842 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 843 block_count = (input_len - i) >> 6; 844 if (block_count > 0) { 845 SHA256TransformBlocks(ctx, &input[i], 846 block_count); 847 i += block_count << 6; 848 } 849 } else { 850 block_count = (input_len - i) >> 7; 851 if (block_count > 0) { 852 SHA512TransformBlocks(ctx, &input[i], 853 block_count); 854 i += block_count << 7; 855 } 856 } 857 #endif /* !__amd64 */ 858 859 /* 860 * general optimization: 861 * 862 * if i and input_len are the same, return now instead 863 * of calling bcopy(), since the bcopy() in this case 864 * will be an expensive noop. 865 */ 866 867 if (input_len == i) 868 return; 869 870 buf_index = 0; 871 } 872 873 /* buffer remaining input */ 874 bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i); 875 } 876 877 878 /* 879 * SHA2Final() 880 * 881 * purpose: ends an sha2 digest operation, finalizing the message digest and 882 * zeroing the context. 883 * input: uchar_t * : a buffer to store the digest 884 * : The function actually uses void* because many 885 * : callers pass things other than uchar_t here. 886 * SHA2_CTX * : the context to finalize, save, and zero 887 * output: void 888 */ 889 890 void 891 SHA2Final(void *digest, SHA2_CTX *ctx) 892 { 893 uint8_t bitcount_be[sizeof (ctx->count.c32)]; 894 uint8_t bitcount_be64[sizeof (ctx->count.c64)]; 895 uint32_t index; 896 uint32_t algotype = ctx->algotype; 897 898 if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) { 899 index = (ctx->count.c32[1] >> 3) & 0x3f; 900 Encode(bitcount_be, ctx->count.c32, sizeof (bitcount_be)); 901 SHA2Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index); 902 SHA2Update(ctx, bitcount_be, sizeof (bitcount_be)); 903 Encode(digest, ctx->state.s32, sizeof (ctx->state.s32)); 904 905 } else { 906 index = (ctx->count.c64[1] >> 3) & 0x7f; 907 Encode64(bitcount_be64, ctx->count.c64, 908 sizeof (bitcount_be64)); 909 SHA2Update(ctx, PADDING, ((index < 112) ? 112 : 240) - index); 910 SHA2Update(ctx, bitcount_be64, sizeof (bitcount_be64)); 911 if (algotype <= SHA384_HMAC_GEN_MECH_INFO_TYPE) { 912 ctx->state.s64[6] = ctx->state.s64[7] = 0; 913 Encode64(digest, ctx->state.s64, 914 sizeof (uint64_t) * 6); 915 } else 916 Encode64(digest, ctx->state.s64, 917 sizeof (ctx->state.s64)); 918 } 919 920 /* zeroize sensitive information */ 921 bzero(ctx, sizeof (*ctx)); 922 }