3 * Copyright (C) 1999,2000,2001,2002,2003,2004 Free Software Foundation, Inc.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18 */
19 /*
20 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
21 * Use is subject to license terms.
22 */
23
24 #pragma ident "%Z%%M% %I% %E% SMI"
25
26 #include "fsys_zfs.h"
27
28 /*
29 * SHA-256 checksum, as specified in FIPS 180-2, available at:
30 * http://csrc.nist.gov/cryptval
31 *
32 * This is a very compact implementation of SHA-256.
33 * It is designed to be simple and portable, not to be fast.
34 */
35
36 /*
37 * The literal definitions according to FIPS180-2 would be:
38 *
39 * Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
40 * Maj(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
41 *
42 * We use logical equivalents which require one less op.
43 */
44 #define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
45 #define Maj(x, y, z) (((x) & (y)) ^ ((z) & ((x) ^ (y))))
46 #define Rot32(x, s) (((x) >> s) | ((x) << (32 - s)))
47 #define SIGMA0(x) (Rot32(x, 2) ^ Rot32(x, 13) ^ Rot32(x, 22))
48 #define SIGMA1(x) (Rot32(x, 6) ^ Rot32(x, 11) ^ Rot32(x, 25))
49 #define sigma0(x) (Rot32(x, 7) ^ Rot32(x, 18) ^ ((x) >> 3))
50 #define sigma1(x) (Rot32(x, 17) ^ Rot32(x, 19) ^ ((x) >> 10))
51
52 static const uint32_t SHA256_K[64] = {
53 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
54 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
55 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
56 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
57 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
58 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
59 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
60 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
61 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
62 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
63 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
64 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
65 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
66 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
67 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
68 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
69 };
70
71 static void
72 SHA256Transform(uint32_t *H, const uint8_t *cp)
73 {
74 uint32_t a, b, c, d, e, f, g, h, t, T1, T2, W[64];
75
76 for (t = 0; t < 16; t++, cp += 4)
77 W[t] = (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | cp[3];
78
79 for (t = 16; t < 64; t++)
80 W[t] = sigma1(W[t - 2]) + W[t - 7] +
81 sigma0(W[t - 15]) + W[t - 16];
82
83 a = H[0]; b = H[1]; c = H[2]; d = H[3];
84 e = H[4]; f = H[5]; g = H[6]; h = H[7];
85
86 for (t = 0; t < 64; t++) {
87 T1 = h + SIGMA1(e) + Ch(e, f, g) + SHA256_K[t] + W[t];
88 T2 = SIGMA0(a) + Maj(a, b, c);
89 h = g; g = f; f = e; e = d + T1;
90 d = c; c = b; b = a; a = T1 + T2;
91 }
92
93 H[0] += a; H[1] += b; H[2] += c; H[3] += d;
94 H[4] += e; H[5] += f; H[6] += g; H[7] += h;
95 }
96
97 void
98 zio_checksum_SHA256(const void *buf, uint64_t size, zio_cksum_t *zcp)
99 {
100 uint32_t H[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
101 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
102 uint8_t pad[128];
103 int padsize = size & 63;
104 int i;
105
106 for (i = 0; i < size - padsize; i += 64)
107 SHA256Transform(H, (uint8_t *)buf + i);
108
109 for (i = 0; i < padsize; i++)
110 pad[i] = ((uint8_t *)buf)[i];
111
112 for (pad[padsize++] = 0x80; (padsize & 63) != 56; padsize++)
113 pad[padsize] = 0;
114
115 for (i = 0; i < 8; i++)
116 pad[padsize++] = (size << 3) >> (56 - 8 * i);
117
118 for (i = 0; i < padsize; i += 64)
119 SHA256Transform(H, pad + i);
120
121 ZIO_SET_CHECKSUM(zcp,
122 (uint64_t)H[0] << 32 | H[1],
123 (uint64_t)H[2] << 32 | H[3],
124 (uint64_t)H[4] << 32 | H[5],
125 (uint64_t)H[6] << 32 | H[7]);
126 }
|
3 * Copyright (C) 1999,2000,2001,2002,2003,2004 Free Software Foundation, Inc.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18 */
19 /*
20 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
21 * Use is subject to license terms.
22 */
23 /*
24 * Copyright 2013 Saso Kiselkov. All rights reserved.
25 */
26
27 #include "fsys_zfs.h"
28
29 /*
30 * SHA-256 and SHA-512/256 hashes, as specified in FIPS 180-4, available at:
31 * http://csrc.nist.gov/cryptval
32 *
33 * This is a very compact implementation of SHA-256 and SHA-512/256.
34 * It is designed to be simple and portable, not to be fast.
35 */
36
37 /*
38 * The literal definitions according to FIPS180-4 would be:
39 *
40 * Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
41 * Maj(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
42 *
43 * We use logical equivalents which require one less op.
44 */
45 #define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
46 #define Maj(x, y, z) (((x) & (y)) ^ ((z) & ((x) ^ (y))))
47 #define ROTR(x, n) (((x) >> (n)) | ((x) << ((sizeof (x) * NBBY)-(n))))
48
49 /* SHA-224/256 operations */
50 #define BIGSIGMA0_256(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
51 #define BIGSIGMA1_256(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
52 #define SIGMA0_256(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3))
53 #define SIGMA1_256(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10))
54
55 /* SHA-384/512 operations */
56 #define BIGSIGMA0_512(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39))
57 #define BIGSIGMA1_512(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41))
58 #define SIGMA0_512(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7))
59 #define SIGMA1_512(x) (ROTR((x), 19) ^ ROTR((x), 61) ^ ((x) >> 6))
60
61 /* SHA-256 round constants */
62 static const uint32_t SHA256_K[64] = {
63 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
64 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
65 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
66 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
67 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
68 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
69 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
70 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
71 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
72 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
73 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
74 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
75 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
76 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
77 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
78 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
79 };
80
81 /* SHA-512 round constants */
82 static const uint64_t SHA512_K[80] = {
83 0x428A2F98D728AE22ULL, 0x7137449123EF65CDULL,
84 0xB5C0FBCFEC4D3B2FULL, 0xE9B5DBA58189DBBCULL,
85 0x3956C25BF348B538ULL, 0x59F111F1B605D019ULL,
86 0x923F82A4AF194F9BULL, 0xAB1C5ED5DA6D8118ULL,
87 0xD807AA98A3030242ULL, 0x12835B0145706FBEULL,
88 0x243185BE4EE4B28CULL, 0x550C7DC3D5FFB4E2ULL,
89 0x72BE5D74F27B896FULL, 0x80DEB1FE3B1696B1ULL,
90 0x9BDC06A725C71235ULL, 0xC19BF174CF692694ULL,
91 0xE49B69C19EF14AD2ULL, 0xEFBE4786384F25E3ULL,
92 0x0FC19DC68B8CD5B5ULL, 0x240CA1CC77AC9C65ULL,
93 0x2DE92C6F592B0275ULL, 0x4A7484AA6EA6E483ULL,
94 0x5CB0A9DCBD41FBD4ULL, 0x76F988DA831153B5ULL,
95 0x983E5152EE66DFABULL, 0xA831C66D2DB43210ULL,
96 0xB00327C898FB213FULL, 0xBF597FC7BEEF0EE4ULL,
97 0xC6E00BF33DA88FC2ULL, 0xD5A79147930AA725ULL,
98 0x06CA6351E003826FULL, 0x142929670A0E6E70ULL,
99 0x27B70A8546D22FFCULL, 0x2E1B21385C26C926ULL,
100 0x4D2C6DFC5AC42AEDULL, 0x53380D139D95B3DFULL,
101 0x650A73548BAF63DEULL, 0x766A0ABB3C77B2A8ULL,
102 0x81C2C92E47EDAEE6ULL, 0x92722C851482353BULL,
103 0xA2BFE8A14CF10364ULL, 0xA81A664BBC423001ULL,
104 0xC24B8B70D0F89791ULL, 0xC76C51A30654BE30ULL,
105 0xD192E819D6EF5218ULL, 0xD69906245565A910ULL,
106 0xF40E35855771202AULL, 0x106AA07032BBD1B8ULL,
107 0x19A4C116B8D2D0C8ULL, 0x1E376C085141AB53ULL,
108 0x2748774CDF8EEB99ULL, 0x34B0BCB5E19B48A8ULL,
109 0x391C0CB3C5C95A63ULL, 0x4ED8AA4AE3418ACBULL,
110 0x5B9CCA4F7763E373ULL, 0x682E6FF3D6B2B8A3ULL,
111 0x748F82EE5DEFB2FCULL, 0x78A5636F43172F60ULL,
112 0x84C87814A1F0AB72ULL, 0x8CC702081A6439ECULL,
113 0x90BEFFFA23631E28ULL, 0xA4506CEBDE82BDE9ULL,
114 0xBEF9A3F7B2C67915ULL, 0xC67178F2E372532BULL,
115 0xCA273ECEEA26619CULL, 0xD186B8C721C0C207ULL,
116 0xEADA7DD6CDE0EB1EULL, 0xF57D4F7FEE6ED178ULL,
117 0x06F067AA72176FBAULL, 0x0A637DC5A2C898A6ULL,
118 0x113F9804BEF90DAEULL, 0x1B710B35131C471BULL,
119 0x28DB77F523047D84ULL, 0x32CAAB7B40C72493ULL,
120 0x3C9EBE0A15C9BEBCULL, 0x431D67C49C100D4CULL,
121 0x4CC5D4BECB3E42B6ULL, 0x597F299CFC657E2AULL,
122 0x5FCB6FAB3AD6FAECULL, 0x6C44198C4A475817ULL
123 };
124
125 static void
126 SHA256Transform(uint32_t *H, const uint8_t *cp)
127 {
128 uint32_t a, b, c, d, e, f, g, h, t, T1, T2, W[64];
129
130 /* copy chunk into the first 16 words of the message schedule */
131 for (t = 0; t < 16; t++, cp += sizeof (uint32_t))
132 W[t] = (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | cp[3];
133
134 /* extend the first 16 words into the remaining 48 words */
135 for (t = 16; t < 64; t++)
136 W[t] = SIGMA1_256(W[t - 2]) + W[t - 7] +
137 SIGMA0_256(W[t - 15]) + W[t - 16];
138
139 /* init working variables to the current hash value */
140 a = H[0]; b = H[1]; c = H[2]; d = H[3];
141 e = H[4]; f = H[5]; g = H[6]; h = H[7];
142
143 /* iterate the compression function for all rounds of the hash */
144 for (t = 0; t < 64; t++) {
145 T1 = h + BIGSIGMA1_256(e) + Ch(e, f, g) + SHA256_K[t] + W[t];
146 T2 = BIGSIGMA0_256(a) + Maj(a, b, c);
147 h = g; g = f; f = e; e = d + T1;
148 d = c; c = b; b = a; a = T1 + T2;
149 }
150
151 /* add the compressed chunk to the current hash value */
152 H[0] += a; H[1] += b; H[2] += c; H[3] += d;
153 H[4] += e; H[5] += f; H[6] += g; H[7] += h;
154 }
155
156 static void
157 SHA512Transform(uint64_t *H, const uint8_t *cp)
158 {
159 uint64_t a, b, c, d, e, f, g, h, t, T1, T2, W[80];
160
161 /* copy chunk into the first 16 words of the message schedule */
162 for (t = 0; t < 16; t++, cp += sizeof (uint64_t))
163 W[t] = ((uint64_t)cp[0] << 56) | ((uint64_t)cp[1] << 48) |
164 ((uint64_t)cp[2] << 40) | ((uint64_t)cp[3] << 32) |
165 (cp[4] << 24) | (cp[5] << 16) | (cp[6] << 8) | cp[7];
166
167 /* extend the first 16 words into the remaining 64 words */
168 for (t = 16; t < 80; t++)
169 W[t] = SIGMA1_512(W[t - 2]) + W[t - 7] +
170 SIGMA0_512(W[t - 15]) + W[t - 16];
171
172 /* init working variables to the current hash value */
173 a = H[0]; b = H[1]; c = H[2]; d = H[3];
174 e = H[4]; f = H[5]; g = H[6]; h = H[7];
175
176 /* iterate the compression function for all rounds of the hash */
177 for (t = 0; t < 80; t++) {
178 T1 = h + BIGSIGMA1_512(e) + Ch(e, f, g) + SHA512_K[t] + W[t];
179 T2 = BIGSIGMA0_512(a) + Maj(a, b, c);
180 h = g; g = f; f = e; e = d + T1;
181 d = c; c = b; b = a; a = T1 + T2;
182 }
183
184 /* add the compressed chunk to the current hash value */
185 H[0] += a; H[1] += b; H[2] += c; H[3] += d;
186 H[4] += e; H[5] += f; H[6] += g; H[7] += h;
187 }
188
189 /*
190 * Implements the SHA-224 and SHA-256 hash algos - to select between them
191 * pass the appropriate initial values of 'H' and truncate the last 32 bits
192 * in case of SHA-224.
193 */
194 static void
195 SHA256(uint32_t *H, const void *buf, uint64_t size, zio_cksum_t *zcp)
196 {
197 uint8_t pad[128];
198 unsigned padsize = size & 63;
199 unsigned i;
200
201 /* process all blocks up to the last one */
202 for (i = 0; i < size - padsize; i += 64)
203 SHA256Transform(H, (uint8_t *)buf + i);
204
205 /* process the last block and padding */
206 for (i = 0; i < padsize; i++)
207 pad[i] = ((uint8_t *)buf)[i];
208
209 for (pad[padsize++] = 0x80; (padsize & 63) != 56; padsize++)
210 pad[padsize] = 0;
211
212 for (i = 0; i < 8; i++)
213 pad[padsize++] = (size << 3) >> (56 - 8 * i);
214
215 for (i = 0; i < padsize; i += 64)
216 SHA256Transform(H, pad + i);
217
218 ZIO_SET_CHECKSUM(zcp,
219 (uint64_t)H[0] << 32 | H[1],
220 (uint64_t)H[2] << 32 | H[3],
221 (uint64_t)H[4] << 32 | H[5],
222 (uint64_t)H[6] << 32 | H[7]);
223 }
224
225 /*
226 * Implements the SHA-384, SHA-512 and SHA-512/t hash algos - to select
227 * between them pass the appropriate initial values for 'H'. The output
228 * of this function is truncated to the first 256 bits that fit into 'zcp'.
229 */
230 static void
231 SHA512(uint64_t *H, const void *buf, uint64_t size, zio_cksum_t *zcp)
232 {
233 uint8_t pad[256];
234 unsigned padsize = size & 127;
235 unsigned i;
236
237 /* process all blocks up to the last one */
238 for (i = 0; i < size - padsize; i += 128)
239 SHA512Transform(H, (uint8_t *)buf + i);
240
241 /* process the last block and padding */
242 for (i = 0; i < padsize; i++)
243 pad[i] = ((uint8_t *)buf)[i];
244
245 for (pad[padsize++] = 0x80; (padsize & 127) != 120; padsize++)
246 pad[padsize] = 0;
247
248 for (i = 0; i < 8; i++)
249 pad[padsize++] = (size << 3) >> (120 - 8 * i);
250
251 for (i = 0; i < padsize; i += 128)
252 SHA512Transform(H, pad + i);
253
254 /* truncate the output to the first 256 bits which fit into 'zcp' */
255 ZIO_SET_CHECKSUM(zcp, H[0], H[1], H[2], H[3]);
256 }
257
258 void
259 zio_checksum_SHA256(const void *buf, uint64_t size, zio_cksum_t *zcp)
260 {
261 /* SHA-256 as per FIPS 180-4. */
262 uint32_t H[] = {
263 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
264 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
265 };
266 SHA256(H, buf, size, zcp);
267 }
268
269 void
270 zio_checksum_SHA512(const void *buf, uint64_t size, zio_cksum_t *zcp)
271 {
272 /* SHA-512/256 as per FIPS 180-4. */
273 uint64_t H[] = {
274 0x22312194FC2BF72CULL, 0x9F555FA3C84C64C2ULL,
275 0x2393B86B6F53B151ULL, 0x963877195940EABDULL,
276 0x96283EE2A88EFFE3ULL, 0xBE5E1E2553863992ULL,
277 0x2B0199FC2C85B8AAULL, 0x0EB72DDC81C52CA2ULL
278 };
279 SHA512(H, buf, size, zcp);
280 }
|