1 /*
2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * The basic framework for this code came from the reference
8 * implementation for MD5. That implementation is Copyright (C)
9 * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
10 *
11 * License to copy and use this software is granted provided that it
12 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
13 * Algorithm" in all material mentioning or referencing this software
14 * or this function.
15 *
16 * License is also granted to make and use derivative works provided
17 * that such works are identified as "derived from the RSA Data
18 * Security, Inc. MD5 Message-Digest Algorithm" in all material
19 * mentioning or referencing the derived work.
20 *
21 * RSA Data Security, Inc. makes no representations concerning either
22 * the merchantability of this software or the suitability of this
23 * software for any particular purpose. It is provided "as is"
24 * without express or implied warranty of any kind.
25 *
26 * These notices must be retained in any copies of any part of this
27 * documentation and/or software.
28 *
29 * NOTE: Cleaned-up and optimized, version of SHA1, based on the FIPS 180-1
30 * standard, available at http://www.itl.nist.gov/fipspubs/fip180-1.htm
31 * Not as fast as one would like -- further optimizations are encouraged
32 * and appreciated.
33 */
34
35 #ifndef _KERNEL
36 #include <stdint.h>
37 #include <strings.h>
38 #include <stdlib.h>
39 #include <errno.h>
40 #include <sys/systeminfo.h>
41 #endif /* !_KERNEL */
42
43 #include <sys/types.h>
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #include <sys/sysmacros.h>
47 #include <sys/sha1.h>
48 #include <sys/sha1_consts.h>
49
50 #ifdef _LITTLE_ENDIAN
51 #include <sys/byteorder.h>
52 #define HAVE_HTONL
53 #endif
54
55 static void Encode(uint8_t *, const uint32_t *, size_t);
56
57 #if defined(__sparc)
58
59 #define SHA1_TRANSFORM(ctx, in) \
60 SHA1Transform((ctx)->state[0], (ctx)->state[1], (ctx)->state[2], \
61 (ctx)->state[3], (ctx)->state[4], (ctx), (in))
62
63 static void SHA1Transform(uint32_t, uint32_t, uint32_t, uint32_t, uint32_t,
64 SHA1_CTX *, const uint8_t *);
65
66 #elif defined(__amd64)
67
68 #define SHA1_TRANSFORM(ctx, in) sha1_block_data_order((ctx), (in), 1)
69 #define SHA1_TRANSFORM_BLOCKS(ctx, in, num) sha1_block_data_order((ctx), \
70 (in), (num))
71
72 void sha1_block_data_order(SHA1_CTX *ctx, const void *inpp, size_t num_blocks);
73
74 #else
75
76 #define SHA1_TRANSFORM(ctx, in) SHA1Transform((ctx), (in))
77
78 static void SHA1Transform(SHA1_CTX *, const uint8_t *);
79
80 #endif
81
82
83 static uint8_t PADDING[64] = { 0x80, /* all zeros */ };
84
85 /*
86 * F, G, and H are the basic SHA1 functions.
87 */
88 #define F(b, c, d) (((b) & (c)) | ((~b) & (d)))
89 #define G(b, c, d) ((b) ^ (c) ^ (d))
90 #define H(b, c, d) (((b) & (c)) | (((b)|(c)) & (d)))
91
92 /*
93 * ROTATE_LEFT rotates x left n bits.
94 */
95
96 #if defined(__GNUC__) && defined(_LP64)
97 static __inline__ uint64_t
98 ROTATE_LEFT(uint64_t value, uint32_t n)
99 {
100 uint32_t t32;
101
102 t32 = (uint32_t)value;
103 return ((t32 << n) | (t32 >> (32 - n)));
104 }
105
106 #else
107
108 #define ROTATE_LEFT(x, n) \
109 (((x) << (n)) | ((x) >> ((sizeof (x) * NBBY)-(n))))
110
111 #endif
112
113
114 /*
115 * SHA1Init()
116 *
117 * purpose: initializes the sha1 context and begins and sha1 digest operation
118 * input: SHA1_CTX * : the context to initializes.
119 * output: void
120 */
121
122 void
123 SHA1Init(SHA1_CTX *ctx)
124 {
125 ctx->count[0] = ctx->count[1] = 0;
126
127 /*
128 * load magic initialization constants. Tell lint
129 * that these constants are unsigned by using U.
130 */
131
132 ctx->state[0] = 0x67452301U;
133 ctx->state[1] = 0xefcdab89U;
134 ctx->state[2] = 0x98badcfeU;
135 ctx->state[3] = 0x10325476U;
136 ctx->state[4] = 0xc3d2e1f0U;
137 }
138
139 #ifdef VIS_SHA1
140 #ifdef _KERNEL
141
142 #include <sys/regset.h>
143 #include <sys/vis.h>
144 #include <sys/fpu/fpusystm.h>
145
146 /* the alignment for block stores to save fp registers */
147 #define VIS_ALIGN (64)
148
149 extern int sha1_savefp(kfpu_t *, int);
150 extern void sha1_restorefp(kfpu_t *);
151
152 uint32_t vis_sha1_svfp_threshold = 128;
153
154 #endif /* _KERNEL */
155
156 /*
157 * VIS SHA-1 consts.
158 */
159 static uint64_t VIS[] = {
160 0x8000000080000000ULL,
161 0x0002000200020002ULL,
162 0x5a8279996ed9eba1ULL,
163 0x8f1bbcdcca62c1d6ULL,
164 0x012389ab456789abULL};
165
166 extern void SHA1TransformVIS(uint64_t *, uint32_t *, uint32_t *, uint64_t *);
167
168
169 /*
170 * SHA1Update()
171 *
172 * purpose: continues an sha1 digest operation, using the message block
173 * to update the context.
174 * input: SHA1_CTX * : the context to update
175 * void * : the message block
176 * size_t : the length of the message block in bytes
177 * output: void
178 */
179
180 void
181 SHA1Update(SHA1_CTX *ctx, const void *inptr, size_t input_len)
182 {
183 uint32_t i, buf_index, buf_len;
184 uint64_t X0[40], input64[8];
185 const uint8_t *input = inptr;
186 #ifdef _KERNEL
187 int usevis = 0;
188 #else
189 int usevis = 1;
190 #endif /* _KERNEL */
191
192 /* check for noop */
193 if (input_len == 0)
194 return;
195
196 /* compute number of bytes mod 64 */
197 buf_index = (ctx->count[1] >> 3) & 0x3F;
198
199 /* update number of bits */
200 if ((ctx->count[1] += (input_len << 3)) < (input_len << 3))
201 ctx->count[0]++;
202
203 ctx->count[0] += (input_len >> 29);
204
205 buf_len = 64 - buf_index;
206
207 /* transform as many times as possible */
208 i = 0;
209 if (input_len >= buf_len) {
210 #ifdef _KERNEL
211 kfpu_t *fpu;
212 if (fpu_exists) {
213 uint8_t fpua[sizeof (kfpu_t) + GSR_SIZE + VIS_ALIGN];
214 uint32_t len = (input_len + buf_index) & ~0x3f;
215 int svfp_ok;
216
217 fpu = (kfpu_t *)P2ROUNDUP((uintptr_t)fpua, 64);
218 svfp_ok = ((len >= vis_sha1_svfp_threshold) ? 1 : 0);
219 usevis = fpu_exists && sha1_savefp(fpu, svfp_ok);
220 } else {
221 usevis = 0;
222 }
223 #endif /* _KERNEL */
224
225 /*
226 * general optimization:
227 *
228 * only do initial bcopy() and SHA1Transform() if
229 * buf_index != 0. if buf_index == 0, we're just
230 * wasting our time doing the bcopy() since there
231 * wasn't any data left over from a previous call to
232 * SHA1Update().
233 */
234
235 if (buf_index) {
236 bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
237 if (usevis) {
238 SHA1TransformVIS(X0,
239 ctx->buf_un.buf32,
240 &ctx->state[0], VIS);
241 } else {
242 SHA1_TRANSFORM(ctx, ctx->buf_un.buf8);
243 }
244 i = buf_len;
245 }
246
247 /*
248 * VIS SHA-1: uses the VIS 1.0 instructions to accelerate
249 * SHA-1 processing. This is achieved by "offloading" the
250 * computation of the message schedule (MS) to the VIS units.
251 * This allows the VIS computation of the message schedule
252 * to be performed in parallel with the standard integer
253 * processing of the remainder of the SHA-1 computation.
254 * performance by up to around 1.37X, compared to an optimized
255 * integer-only implementation.
256 *
257 * The VIS implementation of SHA1Transform has a different API
258 * to the standard integer version:
259 *
260 * void SHA1TransformVIS(
261 * uint64_t *, // Pointer to MS for ith block
262 * uint32_t *, // Pointer to ith block of message data
263 * uint32_t *, // Pointer to SHA state i.e ctx->state
264 * uint64_t *, // Pointer to various VIS constants
265 * )
266 *
267 * Note: the message data must by 4-byte aligned.
268 *
269 * Function requires VIS 1.0 support.
270 *
271 * Handling is provided to deal with arbitrary byte alingment
272 * of the input data but the performance gains are reduced
273 * for alignments other than 4-bytes.
274 */
275 if (usevis) {
276 if (!IS_P2ALIGNED(&input[i], sizeof (uint32_t))) {
277 /*
278 * Main processing loop - input misaligned
279 */
280 for (; i + 63 < input_len; i += 64) {
281 bcopy(&input[i], input64, 64);
282 SHA1TransformVIS(X0,
283 (uint32_t *)input64,
284 &ctx->state[0], VIS);
285 }
286 } else {
287 /*
288 * Main processing loop - input 8-byte aligned
289 */
290 for (; i + 63 < input_len; i += 64) {
291 SHA1TransformVIS(X0,
292 /* LINTED E_BAD_PTR_CAST_ALIGN */
293 (uint32_t *)&input[i], /* CSTYLED */
294 &ctx->state[0], VIS);
295 }
296
297 }
298 #ifdef _KERNEL
299 sha1_restorefp(fpu);
300 #endif /* _KERNEL */
301 } else {
302 for (; i + 63 < input_len; i += 64) {
303 SHA1_TRANSFORM(ctx, &input[i]);
304 }
305 }
306
307 /*
308 * general optimization:
309 *
310 * if i and input_len are the same, return now instead
311 * of calling bcopy(), since the bcopy() in this case
312 * will be an expensive nop.
313 */
314
315 if (input_len == i)
316 return;
317
318 buf_index = 0;
319 }
320
321 /* buffer remaining input */
322 bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
323 }
324
325 #else /* VIS_SHA1 */
326
327 void
328 SHA1Update(SHA1_CTX *ctx, const void *inptr, size_t input_len)
329 {
330 uint32_t i, buf_index, buf_len;
331 const uint8_t *input = inptr;
332 #if defined(__amd64)
333 uint32_t block_count;
334 #endif /* __amd64 */
335
336 /* check for noop */
337 if (input_len == 0)
338 return;
339
340 /* compute number of bytes mod 64 */
341 buf_index = (ctx->count[1] >> 3) & 0x3F;
342
343 /* update number of bits */
344 if ((ctx->count[1] += (input_len << 3)) < (input_len << 3))
345 ctx->count[0]++;
346
347 ctx->count[0] += (input_len >> 29);
348
349 buf_len = 64 - buf_index;
350
351 /* transform as many times as possible */
352 i = 0;
353 if (input_len >= buf_len) {
354
355 /*
356 * general optimization:
357 *
358 * only do initial bcopy() and SHA1Transform() if
359 * buf_index != 0. if buf_index == 0, we're just
360 * wasting our time doing the bcopy() since there
361 * wasn't any data left over from a previous call to
362 * SHA1Update().
363 */
364
365 if (buf_index) {
366 bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
367 SHA1_TRANSFORM(ctx, ctx->buf_un.buf8);
368 i = buf_len;
369 }
370
371 #if !defined(__amd64)
372 for (; i + 63 < input_len; i += 64)
373 SHA1_TRANSFORM(ctx, &input[i]);
374 #else
375 block_count = (input_len - i) >> 6;
376 if (block_count > 0) {
377 SHA1_TRANSFORM_BLOCKS(ctx, &input[i], block_count);
378 i += block_count << 6;
379 }
380 #endif /* !__amd64 */
381
382 /*
383 * general optimization:
384 *
385 * if i and input_len are the same, return now instead
386 * of calling bcopy(), since the bcopy() in this case
387 * will be an expensive nop.
388 */
389
390 if (input_len == i)
391 return;
392
393 buf_index = 0;
394 }
395
396 /* buffer remaining input */
397 bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
398 }
399
400 #endif /* VIS_SHA1 */
401
402 /*
403 * SHA1Final()
404 *
405 * purpose: ends an sha1 digest operation, finalizing the message digest and
406 * zeroing the context.
407 * input: uchar_t * : A buffer to store the digest.
408 * : The function actually uses void* because many
409 * : callers pass things other than uchar_t here.
410 * SHA1_CTX * : the context to finalize, save, and zero
411 * output: void
412 */
413
414 void
415 SHA1Final(void *digest, SHA1_CTX *ctx)
416 {
417 uint8_t bitcount_be[sizeof (ctx->count)];
418 uint32_t index = (ctx->count[1] >> 3) & 0x3f;
419
420 /* store bit count, big endian */
421 Encode(bitcount_be, ctx->count, sizeof (bitcount_be));
422
423 /* pad out to 56 mod 64 */
424 SHA1Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index);
425
426 /* append length (before padding) */
427 SHA1Update(ctx, bitcount_be, sizeof (bitcount_be));
428
429 /* store state in digest */
430 Encode(digest, ctx->state, sizeof (ctx->state));
431
432 /* zeroize sensitive information */
433 bzero(ctx, sizeof (*ctx));
434 }
435
436
437 #if !defined(__amd64)
438
439 typedef uint32_t sha1word;
440
441 /*
442 * sparc optimization:
443 *
444 * on the sparc, we can load big endian 32-bit data easily. note that
445 * special care must be taken to ensure the address is 32-bit aligned.
446 * in the interest of speed, we don't check to make sure, since
447 * careful programming can guarantee this for us.
448 */
449
450 #if defined(_BIG_ENDIAN)
451 #define LOAD_BIG_32(addr) (*(uint32_t *)(addr))
452
453 #elif defined(HAVE_HTONL)
454 #define LOAD_BIG_32(addr) htonl(*((uint32_t *)(addr)))
455
456 #else
457 /* little endian -- will work on big endian, but slowly */
458 #define LOAD_BIG_32(addr) \
459 (((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3])
460 #endif /* _BIG_ENDIAN */
461
462 /*
463 * SHA1Transform()
464 */
465 #if defined(W_ARRAY)
466 #define W(n) w[n]
467 #else /* !defined(W_ARRAY) */
468 #define W(n) w_ ## n
469 #endif /* !defined(W_ARRAY) */
470
471
472 #if defined(__sparc)
473
474 /*
475 * sparc register window optimization:
476 *
477 * `a', `b', `c', `d', and `e' are passed into SHA1Transform
478 * explicitly since it increases the number of registers available to
479 * the compiler. under this scheme, these variables can be held in
480 * %i0 - %i4, which leaves more local and out registers available.
481 *
482 * purpose: sha1 transformation -- updates the digest based on `block'
483 * input: uint32_t : bytes 1 - 4 of the digest
484 * uint32_t : bytes 5 - 8 of the digest
485 * uint32_t : bytes 9 - 12 of the digest
486 * uint32_t : bytes 12 - 16 of the digest
487 * uint32_t : bytes 16 - 20 of the digest
488 * SHA1_CTX * : the context to update
489 * uint8_t [64]: the block to use to update the digest
490 * output: void
491 */
492
493 void
494 SHA1Transform(uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e,
495 SHA1_CTX *ctx, const uint8_t blk[64])
496 {
497 /*
498 * sparc optimization:
499 *
500 * while it is somewhat counter-intuitive, on sparc, it is
501 * more efficient to place all the constants used in this
502 * function in an array and load the values out of the array
503 * than to manually load the constants. this is because
504 * setting a register to a 32-bit value takes two ops in most
505 * cases: a `sethi' and an `or', but loading a 32-bit value
506 * from memory only takes one `ld' (or `lduw' on v9). while
507 * this increases memory usage, the compiler can find enough
508 * other things to do while waiting to keep the pipeline does
509 * not stall. additionally, it is likely that many of these
510 * constants are cached so that later accesses do not even go
511 * out to the bus.
512 *
513 * this array is declared `static' to keep the compiler from
514 * having to bcopy() this array onto the stack frame of
515 * SHA1Transform() each time it is called -- which is
516 * unacceptably expensive.
517 *
518 * the `const' is to ensure that callers are good citizens and
519 * do not try to munge the array. since these routines are
520 * going to be called from inside multithreaded kernelland,
521 * this is a good safety check. -- `sha1_consts' will end up in
522 * .rodata.
523 *
524 * unfortunately, loading from an array in this manner hurts
525 * performance under Intel. So, there is a macro,
526 * SHA1_CONST(), used in SHA1Transform(), that either expands to
527 * a reference to this array, or to the actual constant,
528 * depending on what platform this code is compiled for.
529 */
530
531 static const uint32_t sha1_consts[] = {
532 SHA1_CONST_0, SHA1_CONST_1, SHA1_CONST_2, SHA1_CONST_3
533 };
534
535 /*
536 * general optimization:
537 *
538 * use individual integers instead of using an array. this is a
539 * win, although the amount it wins by seems to vary quite a bit.
540 */
541
542 uint32_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7;
543 uint32_t w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
544
545 /*
546 * sparc optimization:
547 *
548 * if `block' is already aligned on a 4-byte boundary, use
549 * LOAD_BIG_32() directly. otherwise, bcopy() into a
550 * buffer that *is* aligned on a 4-byte boundary and then do
551 * the LOAD_BIG_32() on that buffer. benchmarks have shown
552 * that using the bcopy() is better than loading the bytes
553 * individually and doing the endian-swap by hand.
554 *
555 * even though it's quite tempting to assign to do:
556 *
557 * blk = bcopy(ctx->buf_un.buf32, blk, sizeof (ctx->buf_un.buf32));
558 *
559 * and only have one set of LOAD_BIG_32()'s, the compiler
560 * *does not* like that, so please resist the urge.
561 */
562
563 if ((uintptr_t)blk & 0x3) { /* not 4-byte aligned? */
564 bcopy(blk, ctx->buf_un.buf32, sizeof (ctx->buf_un.buf32));
565 w_15 = LOAD_BIG_32(ctx->buf_un.buf32 + 15);
566 w_14 = LOAD_BIG_32(ctx->buf_un.buf32 + 14);
567 w_13 = LOAD_BIG_32(ctx->buf_un.buf32 + 13);
568 w_12 = LOAD_BIG_32(ctx->buf_un.buf32 + 12);
569 w_11 = LOAD_BIG_32(ctx->buf_un.buf32 + 11);
570 w_10 = LOAD_BIG_32(ctx->buf_un.buf32 + 10);
571 w_9 = LOAD_BIG_32(ctx->buf_un.buf32 + 9);
572 w_8 = LOAD_BIG_32(ctx->buf_un.buf32 + 8);
573 w_7 = LOAD_BIG_32(ctx->buf_un.buf32 + 7);
574 w_6 = LOAD_BIG_32(ctx->buf_un.buf32 + 6);
575 w_5 = LOAD_BIG_32(ctx->buf_un.buf32 + 5);
576 w_4 = LOAD_BIG_32(ctx->buf_un.buf32 + 4);
577 w_3 = LOAD_BIG_32(ctx->buf_un.buf32 + 3);
578 w_2 = LOAD_BIG_32(ctx->buf_un.buf32 + 2);
579 w_1 = LOAD_BIG_32(ctx->buf_un.buf32 + 1);
580 w_0 = LOAD_BIG_32(ctx->buf_un.buf32 + 0);
581 } else {
582 /* LINTED E_BAD_PTR_CAST_ALIGN */
583 w_15 = LOAD_BIG_32(blk + 60);
584 /* LINTED E_BAD_PTR_CAST_ALIGN */
585 w_14 = LOAD_BIG_32(blk + 56);
586 /* LINTED E_BAD_PTR_CAST_ALIGN */
587 w_13 = LOAD_BIG_32(blk + 52);
588 /* LINTED E_BAD_PTR_CAST_ALIGN */
589 w_12 = LOAD_BIG_32(blk + 48);
590 /* LINTED E_BAD_PTR_CAST_ALIGN */
591 w_11 = LOAD_BIG_32(blk + 44);
592 /* LINTED E_BAD_PTR_CAST_ALIGN */
593 w_10 = LOAD_BIG_32(blk + 40);
594 /* LINTED E_BAD_PTR_CAST_ALIGN */
595 w_9 = LOAD_BIG_32(blk + 36);
596 /* LINTED E_BAD_PTR_CAST_ALIGN */
597 w_8 = LOAD_BIG_32(blk + 32);
598 /* LINTED E_BAD_PTR_CAST_ALIGN */
599 w_7 = LOAD_BIG_32(blk + 28);
600 /* LINTED E_BAD_PTR_CAST_ALIGN */
601 w_6 = LOAD_BIG_32(blk + 24);
602 /* LINTED E_BAD_PTR_CAST_ALIGN */
603 w_5 = LOAD_BIG_32(blk + 20);
604 /* LINTED E_BAD_PTR_CAST_ALIGN */
605 w_4 = LOAD_BIG_32(blk + 16);
606 /* LINTED E_BAD_PTR_CAST_ALIGN */
607 w_3 = LOAD_BIG_32(blk + 12);
608 /* LINTED E_BAD_PTR_CAST_ALIGN */
609 w_2 = LOAD_BIG_32(blk + 8);
610 /* LINTED E_BAD_PTR_CAST_ALIGN */
611 w_1 = LOAD_BIG_32(blk + 4);
612 /* LINTED E_BAD_PTR_CAST_ALIGN */
613 w_0 = LOAD_BIG_32(blk + 0);
614 }
615 #else /* !defined(__sparc) */
616
617 void /* CSTYLED */
618 SHA1Transform(SHA1_CTX *ctx, const uint8_t blk[64])
619 {
620 /* CSTYLED */
621 sha1word a = ctx->state[0];
622 sha1word b = ctx->state[1];
623 sha1word c = ctx->state[2];
624 sha1word d = ctx->state[3];
625 sha1word e = ctx->state[4];
626
627 #if defined(W_ARRAY)
628 sha1word w[16];
629 #else /* !defined(W_ARRAY) */
630 sha1word w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7;
631 sha1word w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
632 #endif /* !defined(W_ARRAY) */
633
634 W(0) = LOAD_BIG_32((void *)(blk + 0));
635 W(1) = LOAD_BIG_32((void *)(blk + 4));
636 W(2) = LOAD_BIG_32((void *)(blk + 8));
637 W(3) = LOAD_BIG_32((void *)(blk + 12));
638 W(4) = LOAD_BIG_32((void *)(blk + 16));
639 W(5) = LOAD_BIG_32((void *)(blk + 20));
640 W(6) = LOAD_BIG_32((void *)(blk + 24));
641 W(7) = LOAD_BIG_32((void *)(blk + 28));
642 W(8) = LOAD_BIG_32((void *)(blk + 32));
643 W(9) = LOAD_BIG_32((void *)(blk + 36));
644 W(10) = LOAD_BIG_32((void *)(blk + 40));
645 W(11) = LOAD_BIG_32((void *)(blk + 44));
646 W(12) = LOAD_BIG_32((void *)(blk + 48));
647 W(13) = LOAD_BIG_32((void *)(blk + 52));
648 W(14) = LOAD_BIG_32((void *)(blk + 56));
649 W(15) = LOAD_BIG_32((void *)(blk + 60));
650
651 #endif /* !defined(__sparc) */
652
653 /*
654 * general optimization:
655 *
656 * even though this approach is described in the standard as
657 * being slower algorithmically, it is 30-40% faster than the
658 * "faster" version under SPARC, because this version has more
659 * of the constraints specified at compile-time and uses fewer
660 * variables (and therefore has better register utilization)
661 * than its "speedier" brother. (i've tried both, trust me)
662 *
663 * for either method given in the spec, there is an "assignment"
664 * phase where the following takes place:
665 *
666 * tmp = (main_computation);
667 * e = d; d = c; c = rotate_left(b, 30); b = a; a = tmp;
668 *
669 * we can make the algorithm go faster by not doing this work,
670 * but just pretending that `d' is now `e', etc. this works
671 * really well and obviates the need for a temporary variable.
672 * however, we still explicitly perform the rotate action,
673 * since it is cheaper on SPARC to do it once than to have to
674 * do it over and over again.
675 */
676
677 /* round 1 */
678 e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + W(0) + SHA1_CONST(0); /* 0 */
679 b = ROTATE_LEFT(b, 30);
680
681 d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + W(1) + SHA1_CONST(0); /* 1 */
682 a = ROTATE_LEFT(a, 30);
683
684 c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + W(2) + SHA1_CONST(0); /* 2 */
685 e = ROTATE_LEFT(e, 30);
686
687 b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + W(3) + SHA1_CONST(0); /* 3 */
688 d = ROTATE_LEFT(d, 30);
689
690 a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + W(4) + SHA1_CONST(0); /* 4 */
691 c = ROTATE_LEFT(c, 30);
692
693 e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + W(5) + SHA1_CONST(0); /* 5 */
694 b = ROTATE_LEFT(b, 30);
695
696 d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + W(6) + SHA1_CONST(0); /* 6 */
697 a = ROTATE_LEFT(a, 30);
698
699 c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + W(7) + SHA1_CONST(0); /* 7 */
700 e = ROTATE_LEFT(e, 30);
701
702 b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + W(8) + SHA1_CONST(0); /* 8 */
703 d = ROTATE_LEFT(d, 30);
704
705 a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + W(9) + SHA1_CONST(0); /* 9 */
706 c = ROTATE_LEFT(c, 30);
707
708 e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + W(10) + SHA1_CONST(0); /* 10 */
709 b = ROTATE_LEFT(b, 30);
710
711 d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + W(11) + SHA1_CONST(0); /* 11 */
712 a = ROTATE_LEFT(a, 30);
713
714 c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + W(12) + SHA1_CONST(0); /* 12 */
715 e = ROTATE_LEFT(e, 30);
716
717 b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + W(13) + SHA1_CONST(0); /* 13 */
718 d = ROTATE_LEFT(d, 30);
719
720 a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + W(14) + SHA1_CONST(0); /* 14 */
721 c = ROTATE_LEFT(c, 30);
722
723 e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + W(15) + SHA1_CONST(0); /* 15 */
724 b = ROTATE_LEFT(b, 30);
725
726 W(0) = ROTATE_LEFT((W(13) ^ W(8) ^ W(2) ^ W(0)), 1); /* 16 */
727 d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + W(0) + SHA1_CONST(0);
728 a = ROTATE_LEFT(a, 30);
729
730 W(1) = ROTATE_LEFT((W(14) ^ W(9) ^ W(3) ^ W(1)), 1); /* 17 */
731 c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + W(1) + SHA1_CONST(0);
732 e = ROTATE_LEFT(e, 30);
733
734 W(2) = ROTATE_LEFT((W(15) ^ W(10) ^ W(4) ^ W(2)), 1); /* 18 */
735 b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + W(2) + SHA1_CONST(0);
736 d = ROTATE_LEFT(d, 30);
737
738 W(3) = ROTATE_LEFT((W(0) ^ W(11) ^ W(5) ^ W(3)), 1); /* 19 */
739 a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + W(3) + SHA1_CONST(0);
740 c = ROTATE_LEFT(c, 30);
741
742 /* round 2 */
743 W(4) = ROTATE_LEFT((W(1) ^ W(12) ^ W(6) ^ W(4)), 1); /* 20 */
744 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(4) + SHA1_CONST(1);
745 b = ROTATE_LEFT(b, 30);
746
747 W(5) = ROTATE_LEFT((W(2) ^ W(13) ^ W(7) ^ W(5)), 1); /* 21 */
748 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(5) + SHA1_CONST(1);
749 a = ROTATE_LEFT(a, 30);
750
751 W(6) = ROTATE_LEFT((W(3) ^ W(14) ^ W(8) ^ W(6)), 1); /* 22 */
752 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(6) + SHA1_CONST(1);
753 e = ROTATE_LEFT(e, 30);
754
755 W(7) = ROTATE_LEFT((W(4) ^ W(15) ^ W(9) ^ W(7)), 1); /* 23 */
756 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(7) + SHA1_CONST(1);
757 d = ROTATE_LEFT(d, 30);
758
759 W(8) = ROTATE_LEFT((W(5) ^ W(0) ^ W(10) ^ W(8)), 1); /* 24 */
760 a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(8) + SHA1_CONST(1);
761 c = ROTATE_LEFT(c, 30);
762
763 W(9) = ROTATE_LEFT((W(6) ^ W(1) ^ W(11) ^ W(9)), 1); /* 25 */
764 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(9) + SHA1_CONST(1);
765 b = ROTATE_LEFT(b, 30);
766
767 W(10) = ROTATE_LEFT((W(7) ^ W(2) ^ W(12) ^ W(10)), 1); /* 26 */
768 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(10) + SHA1_CONST(1);
769 a = ROTATE_LEFT(a, 30);
770
771 W(11) = ROTATE_LEFT((W(8) ^ W(3) ^ W(13) ^ W(11)), 1); /* 27 */
772 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(11) + SHA1_CONST(1);
773 e = ROTATE_LEFT(e, 30);
774
775 W(12) = ROTATE_LEFT((W(9) ^ W(4) ^ W(14) ^ W(12)), 1); /* 28 */
776 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(12) + SHA1_CONST(1);
777 d = ROTATE_LEFT(d, 30);
778
779 W(13) = ROTATE_LEFT((W(10) ^ W(5) ^ W(15) ^ W(13)), 1); /* 29 */
780 a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(13) + SHA1_CONST(1);
781 c = ROTATE_LEFT(c, 30);
782
783 W(14) = ROTATE_LEFT((W(11) ^ W(6) ^ W(0) ^ W(14)), 1); /* 30 */
784 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(14) + SHA1_CONST(1);
785 b = ROTATE_LEFT(b, 30);
786
787 W(15) = ROTATE_LEFT((W(12) ^ W(7) ^ W(1) ^ W(15)), 1); /* 31 */
788 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(15) + SHA1_CONST(1);
789 a = ROTATE_LEFT(a, 30);
790
791 W(0) = ROTATE_LEFT((W(13) ^ W(8) ^ W(2) ^ W(0)), 1); /* 32 */
792 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(0) + SHA1_CONST(1);
793 e = ROTATE_LEFT(e, 30);
794
795 W(1) = ROTATE_LEFT((W(14) ^ W(9) ^ W(3) ^ W(1)), 1); /* 33 */
796 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(1) + SHA1_CONST(1);
797 d = ROTATE_LEFT(d, 30);
798
799 W(2) = ROTATE_LEFT((W(15) ^ W(10) ^ W(4) ^ W(2)), 1); /* 34 */
800 a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(2) + SHA1_CONST(1);
801 c = ROTATE_LEFT(c, 30);
802
803 W(3) = ROTATE_LEFT((W(0) ^ W(11) ^ W(5) ^ W(3)), 1); /* 35 */
804 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(3) + SHA1_CONST(1);
805 b = ROTATE_LEFT(b, 30);
806
807 W(4) = ROTATE_LEFT((W(1) ^ W(12) ^ W(6) ^ W(4)), 1); /* 36 */
808 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(4) + SHA1_CONST(1);
809 a = ROTATE_LEFT(a, 30);
810
811 W(5) = ROTATE_LEFT((W(2) ^ W(13) ^ W(7) ^ W(5)), 1); /* 37 */
812 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(5) + SHA1_CONST(1);
813 e = ROTATE_LEFT(e, 30);
814
815 W(6) = ROTATE_LEFT((W(3) ^ W(14) ^ W(8) ^ W(6)), 1); /* 38 */
816 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(6) + SHA1_CONST(1);
817 d = ROTATE_LEFT(d, 30);
818
819 W(7) = ROTATE_LEFT((W(4) ^ W(15) ^ W(9) ^ W(7)), 1); /* 39 */
820 a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(7) + SHA1_CONST(1);
821 c = ROTATE_LEFT(c, 30);
822
823 /* round 3 */
824 W(8) = ROTATE_LEFT((W(5) ^ W(0) ^ W(10) ^ W(8)), 1); /* 40 */
825 e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + W(8) + SHA1_CONST(2);
826 b = ROTATE_LEFT(b, 30);
827
828 W(9) = ROTATE_LEFT((W(6) ^ W(1) ^ W(11) ^ W(9)), 1); /* 41 */
829 d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + W(9) + SHA1_CONST(2);
830 a = ROTATE_LEFT(a, 30);
831
832 W(10) = ROTATE_LEFT((W(7) ^ W(2) ^ W(12) ^ W(10)), 1); /* 42 */
833 c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + W(10) + SHA1_CONST(2);
834 e = ROTATE_LEFT(e, 30);
835
836 W(11) = ROTATE_LEFT((W(8) ^ W(3) ^ W(13) ^ W(11)), 1); /* 43 */
837 b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + W(11) + SHA1_CONST(2);
838 d = ROTATE_LEFT(d, 30);
839
840 W(12) = ROTATE_LEFT((W(9) ^ W(4) ^ W(14) ^ W(12)), 1); /* 44 */
841 a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + W(12) + SHA1_CONST(2);
842 c = ROTATE_LEFT(c, 30);
843
844 W(13) = ROTATE_LEFT((W(10) ^ W(5) ^ W(15) ^ W(13)), 1); /* 45 */
845 e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + W(13) + SHA1_CONST(2);
846 b = ROTATE_LEFT(b, 30);
847
848 W(14) = ROTATE_LEFT((W(11) ^ W(6) ^ W(0) ^ W(14)), 1); /* 46 */
849 d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + W(14) + SHA1_CONST(2);
850 a = ROTATE_LEFT(a, 30);
851
852 W(15) = ROTATE_LEFT((W(12) ^ W(7) ^ W(1) ^ W(15)), 1); /* 47 */
853 c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + W(15) + SHA1_CONST(2);
854 e = ROTATE_LEFT(e, 30);
855
856 W(0) = ROTATE_LEFT((W(13) ^ W(8) ^ W(2) ^ W(0)), 1); /* 48 */
857 b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + W(0) + SHA1_CONST(2);
858 d = ROTATE_LEFT(d, 30);
859
860 W(1) = ROTATE_LEFT((W(14) ^ W(9) ^ W(3) ^ W(1)), 1); /* 49 */
861 a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + W(1) + SHA1_CONST(2);
862 c = ROTATE_LEFT(c, 30);
863
864 W(2) = ROTATE_LEFT((W(15) ^ W(10) ^ W(4) ^ W(2)), 1); /* 50 */
865 e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + W(2) + SHA1_CONST(2);
866 b = ROTATE_LEFT(b, 30);
867
868 W(3) = ROTATE_LEFT((W(0) ^ W(11) ^ W(5) ^ W(3)), 1); /* 51 */
869 d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + W(3) + SHA1_CONST(2);
870 a = ROTATE_LEFT(a, 30);
871
872 W(4) = ROTATE_LEFT((W(1) ^ W(12) ^ W(6) ^ W(4)), 1); /* 52 */
873 c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + W(4) + SHA1_CONST(2);
874 e = ROTATE_LEFT(e, 30);
875
876 W(5) = ROTATE_LEFT((W(2) ^ W(13) ^ W(7) ^ W(5)), 1); /* 53 */
877 b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + W(5) + SHA1_CONST(2);
878 d = ROTATE_LEFT(d, 30);
879
880 W(6) = ROTATE_LEFT((W(3) ^ W(14) ^ W(8) ^ W(6)), 1); /* 54 */
881 a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + W(6) + SHA1_CONST(2);
882 c = ROTATE_LEFT(c, 30);
883
884 W(7) = ROTATE_LEFT((W(4) ^ W(15) ^ W(9) ^ W(7)), 1); /* 55 */
885 e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + W(7) + SHA1_CONST(2);
886 b = ROTATE_LEFT(b, 30);
887
888 W(8) = ROTATE_LEFT((W(5) ^ W(0) ^ W(10) ^ W(8)), 1); /* 56 */
889 d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + W(8) + SHA1_CONST(2);
890 a = ROTATE_LEFT(a, 30);
891
892 W(9) = ROTATE_LEFT((W(6) ^ W(1) ^ W(11) ^ W(9)), 1); /* 57 */
893 c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + W(9) + SHA1_CONST(2);
894 e = ROTATE_LEFT(e, 30);
895
896 W(10) = ROTATE_LEFT((W(7) ^ W(2) ^ W(12) ^ W(10)), 1); /* 58 */
897 b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + W(10) + SHA1_CONST(2);
898 d = ROTATE_LEFT(d, 30);
899
900 W(11) = ROTATE_LEFT((W(8) ^ W(3) ^ W(13) ^ W(11)), 1); /* 59 */
901 a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + W(11) + SHA1_CONST(2);
902 c = ROTATE_LEFT(c, 30);
903
904 /* round 4 */
905 W(12) = ROTATE_LEFT((W(9) ^ W(4) ^ W(14) ^ W(12)), 1); /* 60 */
906 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(12) + SHA1_CONST(3);
907 b = ROTATE_LEFT(b, 30);
908
909 W(13) = ROTATE_LEFT((W(10) ^ W(5) ^ W(15) ^ W(13)), 1); /* 61 */
910 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(13) + SHA1_CONST(3);
911 a = ROTATE_LEFT(a, 30);
912
913 W(14) = ROTATE_LEFT((W(11) ^ W(6) ^ W(0) ^ W(14)), 1); /* 62 */
914 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(14) + SHA1_CONST(3);
915 e = ROTATE_LEFT(e, 30);
916
917 W(15) = ROTATE_LEFT((W(12) ^ W(7) ^ W(1) ^ W(15)), 1); /* 63 */
918 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(15) + SHA1_CONST(3);
919 d = ROTATE_LEFT(d, 30);
920
921 W(0) = ROTATE_LEFT((W(13) ^ W(8) ^ W(2) ^ W(0)), 1); /* 64 */
922 a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(0) + SHA1_CONST(3);
923 c = ROTATE_LEFT(c, 30);
924
925 W(1) = ROTATE_LEFT((W(14) ^ W(9) ^ W(3) ^ W(1)), 1); /* 65 */
926 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(1) + SHA1_CONST(3);
927 b = ROTATE_LEFT(b, 30);
928
929 W(2) = ROTATE_LEFT((W(15) ^ W(10) ^ W(4) ^ W(2)), 1); /* 66 */
930 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(2) + SHA1_CONST(3);
931 a = ROTATE_LEFT(a, 30);
932
933 W(3) = ROTATE_LEFT((W(0) ^ W(11) ^ W(5) ^ W(3)), 1); /* 67 */
934 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(3) + SHA1_CONST(3);
935 e = ROTATE_LEFT(e, 30);
936
937 W(4) = ROTATE_LEFT((W(1) ^ W(12) ^ W(6) ^ W(4)), 1); /* 68 */
938 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(4) + SHA1_CONST(3);
939 d = ROTATE_LEFT(d, 30);
940
941 W(5) = ROTATE_LEFT((W(2) ^ W(13) ^ W(7) ^ W(5)), 1); /* 69 */
942 a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(5) + SHA1_CONST(3);
943 c = ROTATE_LEFT(c, 30);
944
945 W(6) = ROTATE_LEFT((W(3) ^ W(14) ^ W(8) ^ W(6)), 1); /* 70 */
946 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(6) + SHA1_CONST(3);
947 b = ROTATE_LEFT(b, 30);
948
949 W(7) = ROTATE_LEFT((W(4) ^ W(15) ^ W(9) ^ W(7)), 1); /* 71 */
950 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(7) + SHA1_CONST(3);
951 a = ROTATE_LEFT(a, 30);
952
953 W(8) = ROTATE_LEFT((W(5) ^ W(0) ^ W(10) ^ W(8)), 1); /* 72 */
954 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(8) + SHA1_CONST(3);
955 e = ROTATE_LEFT(e, 30);
956
957 W(9) = ROTATE_LEFT((W(6) ^ W(1) ^ W(11) ^ W(9)), 1); /* 73 */
958 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(9) + SHA1_CONST(3);
959 d = ROTATE_LEFT(d, 30);
960
961 W(10) = ROTATE_LEFT((W(7) ^ W(2) ^ W(12) ^ W(10)), 1); /* 74 */
962 a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(10) + SHA1_CONST(3);
963 c = ROTATE_LEFT(c, 30);
964
965 W(11) = ROTATE_LEFT((W(8) ^ W(3) ^ W(13) ^ W(11)), 1); /* 75 */
966 e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + W(11) + SHA1_CONST(3);
967 b = ROTATE_LEFT(b, 30);
968
969 W(12) = ROTATE_LEFT((W(9) ^ W(4) ^ W(14) ^ W(12)), 1); /* 76 */
970 d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + W(12) + SHA1_CONST(3);
971 a = ROTATE_LEFT(a, 30);
972
973 W(13) = ROTATE_LEFT((W(10) ^ W(5) ^ W(15) ^ W(13)), 1); /* 77 */
974 c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + W(13) + SHA1_CONST(3);
975 e = ROTATE_LEFT(e, 30);
976
977 W(14) = ROTATE_LEFT((W(11) ^ W(6) ^ W(0) ^ W(14)), 1); /* 78 */
978 b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + W(14) + SHA1_CONST(3);
979 d = ROTATE_LEFT(d, 30);
980
981 W(15) = ROTATE_LEFT((W(12) ^ W(7) ^ W(1) ^ W(15)), 1); /* 79 */
982
983 ctx->state[0] += ROTATE_LEFT(b, 5) + G(c, d, e) + a + W(15) +
984 SHA1_CONST(3);
985 ctx->state[1] += b;
986 ctx->state[2] += ROTATE_LEFT(c, 30);
987 ctx->state[3] += d;
988 ctx->state[4] += e;
989
990 /* zeroize sensitive information */
991 W(0) = W(1) = W(2) = W(3) = W(4) = W(5) = W(6) = W(7) = W(8) = 0;
992 W(9) = W(10) = W(11) = W(12) = W(13) = W(14) = W(15) = 0;
993 }
994 #endif /* !__amd64 */
995
996
997 /*
998 * Encode()
999 *
1000 * purpose: to convert a list of numbers from little endian to big endian
1001 * input: uint8_t * : place to store the converted big endian numbers
1002 * uint32_t * : place to get numbers to convert from
1003 * size_t : the length of the input in bytes
1004 * output: void
1005 */
1006
1007 static void
1008 Encode(uint8_t *_RESTRICT_KYWD output, const uint32_t *_RESTRICT_KYWD input,
1009 size_t len)
1010 {
1011 size_t i, j;
1012
1013 #if defined(__sparc)
1014 if (IS_P2ALIGNED(output, sizeof (uint32_t))) {
1015 for (i = 0, j = 0; j < len; i++, j += 4) {
1016 /* LINTED E_BAD_PTR_CAST_ALIGN */
1017 *((uint32_t *)(output + j)) = input[i];
1018 }
1019 } else {
1020 #endif /* little endian -- will work on big endian, but slowly */
1021 for (i = 0, j = 0; j < len; i++, j += 4) {
1022 output[j] = (input[i] >> 24) & 0xff;
1023 output[j + 1] = (input[i] >> 16) & 0xff;
1024 output[j + 2] = (input[i] >> 8) & 0xff;
1025 output[j + 3] = input[i] & 0xff;
1026 }
1027 #if defined(__sparc)
1028 }
1029 #endif
1030 }