xref: /onnv-gate/usr/src/common/crypto/sha2/sha2.c (revision 11141:64e602617ba4) 
10Sstevel@tonic-gate /*
2*11141Sopensolaris@drydog.com  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
30Sstevel@tonic-gate  * Use is subject to license terms.
40Sstevel@tonic-gate  */
50Sstevel@tonic-gate 
60Sstevel@tonic-gate /*
70Sstevel@tonic-gate  * The basic framework for this code came from the reference
80Sstevel@tonic-gate  * implementation for MD5.  That implementation is Copyright (C)
90Sstevel@tonic-gate  * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
100Sstevel@tonic-gate  *
110Sstevel@tonic-gate  * License to copy and use this software is granted provided that it
120Sstevel@tonic-gate  * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
130Sstevel@tonic-gate  * Algorithm" in all material mentioning or referencing this software
140Sstevel@tonic-gate  * or this function.
150Sstevel@tonic-gate  *
160Sstevel@tonic-gate  * License is also granted to make and use derivative works provided
170Sstevel@tonic-gate  * that such works are identified as "derived from the RSA Data
180Sstevel@tonic-gate  * Security, Inc. MD5 Message-Digest Algorithm" in all material
190Sstevel@tonic-gate  * mentioning or referencing the derived work.
200Sstevel@tonic-gate  *
210Sstevel@tonic-gate  * RSA Data Security, Inc. makes no representations concerning either
220Sstevel@tonic-gate  * the merchantability of this software or the suitability of this
230Sstevel@tonic-gate  * software for any particular purpose. It is provided "as is"
240Sstevel@tonic-gate  * without express or implied warranty of any kind.
250Sstevel@tonic-gate  *
260Sstevel@tonic-gate  * These notices must be retained in any copies of any part of this
270Sstevel@tonic-gate  * documentation and/or software.
280Sstevel@tonic-gate  *
290Sstevel@tonic-gate  * NOTE: Cleaned-up and optimized, version of SHA2, based on the FIPS 180-2
307421SDaniel.Anderson@Sun.COM  * standard, available at
317421SDaniel.Anderson@Sun.COM  * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
320Sstevel@tonic-gate  * Not as fast as one would like -- further optimizations are encouraged
330Sstevel@tonic-gate  * and appreciated.
340Sstevel@tonic-gate  */
350Sstevel@tonic-gate 
36*11141Sopensolaris@drydog.com #ifndef _KERNEL
37*11141Sopensolaris@drydog.com #include <stdint.h>
38*11141Sopensolaris@drydog.com #include <strings.h>
39*11141Sopensolaris@drydog.com #include <stdlib.h>
40*11141Sopensolaris@drydog.com #include <errno.h>
41*11141Sopensolaris@drydog.com #endif /* _KERNEL */
42*11141Sopensolaris@drydog.com 
430Sstevel@tonic-gate #include <sys/types.h>
440Sstevel@tonic-gate #include <sys/param.h>
450Sstevel@tonic-gate #include <sys/systm.h>
460Sstevel@tonic-gate #include <sys/sysmacros.h>
471694Sdarrenm #define	_SHA2_IMPL
480Sstevel@tonic-gate #include <sys/sha2.h>
490Sstevel@tonic-gate #include <sys/sha2_consts.h>
500Sstevel@tonic-gate 
516281Sda73024 #ifdef _KERNEL
526281Sda73024 #include <sys/cmn_err.h>
530Sstevel@tonic-gate 
546281Sda73024 #else
551694Sdarrenm #pragma weak SHA256Update = SHA2Update
561694Sdarrenm #pragma weak SHA384Update = SHA2Update
571694Sdarrenm #pragma weak SHA512Update = SHA2Update
581694Sdarrenm 
591694Sdarrenm #pragma weak SHA256Final = SHA2Final
601694Sdarrenm #pragma weak SHA384Final = SHA2Final
611694Sdarrenm #pragma weak SHA512Final = SHA2Final
621694Sdarrenm 
636281Sda73024 #endif	/* _KERNEL */
641694Sdarrenm 
657421SDaniel.Anderson@Sun.COM #ifdef _LITTLE_ENDIAN
667421SDaniel.Anderson@Sun.COM #include <sys/byteorder.h>
677421SDaniel.Anderson@Sun.COM #define	HAVE_HTONL
687421SDaniel.Anderson@Sun.COM #endif
697421SDaniel.Anderson@Sun.COM 
700Sstevel@tonic-gate static void Encode(uint8_t *, uint32_t *, size_t);
710Sstevel@tonic-gate static void Encode64(uint8_t *, uint64_t *, size_t);
726281Sda73024 
736281Sda73024 #if	defined(__amd64)
746281Sda73024 #define	SHA512Transform(ctx, in) SHA512TransformBlocks((ctx), (in), 1)
756281Sda73024 #define	SHA256Transform(ctx, in) SHA256TransformBlocks((ctx), (in), 1)
766281Sda73024 
776281Sda73024 void SHA512TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num);
786281Sda73024 void SHA256TransformBlocks(SHA2_CTX *ctx, const void *in, size_t num);
796281Sda73024 
806281Sda73024 #else
810Sstevel@tonic-gate static void SHA256Transform(SHA2_CTX *, const uint8_t *);
820Sstevel@tonic-gate static void SHA512Transform(SHA2_CTX *, const uint8_t *);
836281Sda73024 #endif	/* __amd64 */
840Sstevel@tonic-gate 
850Sstevel@tonic-gate static uint8_t PADDING[128] = { 0x80, /* all zeros */ };
860Sstevel@tonic-gate 
870Sstevel@tonic-gate /* Ch and Maj are the basic SHA2 functions. */
880Sstevel@tonic-gate #define	Ch(b, c, d)	(((b) & (c)) ^ ((~b) & (d)))
890Sstevel@tonic-gate #define	Maj(b, c, d)	(((b) & (c)) ^ ((b) & (d)) ^ ((c) & (d)))
900Sstevel@tonic-gate 
910Sstevel@tonic-gate /* Rotates x right n bits. */
920Sstevel@tonic-gate #define	ROTR(x, n)	\
930Sstevel@tonic-gate 	(((x) >> (n)) | ((x) << ((sizeof (x) * NBBY)-(n))))
940Sstevel@tonic-gate 
950Sstevel@tonic-gate /* Shift x right n bits */
960Sstevel@tonic-gate #define	SHR(x, n)	((x) >> (n))
970Sstevel@tonic-gate 
980Sstevel@tonic-gate /* SHA256 Functions */
990Sstevel@tonic-gate #define	BIGSIGMA0_256(x)	(ROTR((x), 2) ^ ROTR((x), 13) ^ ROTR((x), 22))
1000Sstevel@tonic-gate #define	BIGSIGMA1_256(x)	(ROTR((x), 6) ^ ROTR((x), 11) ^ ROTR((x), 25))
1010Sstevel@tonic-gate #define	SIGMA0_256(x)		(ROTR((x), 7) ^ ROTR((x), 18) ^ SHR((x), 3))
1020Sstevel@tonic-gate #define	SIGMA1_256(x)		(ROTR((x), 17) ^ ROTR((x), 19) ^ SHR((x), 10))
1030Sstevel@tonic-gate 
1040Sstevel@tonic-gate #define	SHA256ROUND(a, b, c, d, e, f, g, h, i, w)			\
1050Sstevel@tonic-gate 	T1 = h + BIGSIGMA1_256(e) + Ch(e, f, g) + SHA256_CONST(i) + w;	\
1060Sstevel@tonic-gate 	d += T1;							\
1070Sstevel@tonic-gate 	T2 = BIGSIGMA0_256(a) + Maj(a, b, c);				\
1080Sstevel@tonic-gate 	h = T1 + T2
1090Sstevel@tonic-gate 
1100Sstevel@tonic-gate /* SHA384/512 Functions */
1110Sstevel@tonic-gate #define	BIGSIGMA0(x)	(ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39))
1120Sstevel@tonic-gate #define	BIGSIGMA1(x)	(ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41))
1130Sstevel@tonic-gate #define	SIGMA0(x)	(ROTR((x), 1) ^ ROTR((x), 8) ^ SHR((x), 7))
1140Sstevel@tonic-gate #define	SIGMA1(x)	(ROTR((x), 19) ^ ROTR((x), 61) ^ SHR((x), 6))
1150Sstevel@tonic-gate #define	SHA512ROUND(a, b, c, d, e, f, g, h, i, w)			\
1160Sstevel@tonic-gate 	T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + SHA512_CONST(i) + w;	\
1170Sstevel@tonic-gate 	d += T1;							\
1180Sstevel@tonic-gate 	T2 = BIGSIGMA0(a) + Maj(a, b, c);				\
1190Sstevel@tonic-gate 	h = T1 + T2
1200Sstevel@tonic-gate 
1210Sstevel@tonic-gate /*
1220Sstevel@tonic-gate  * sparc optimization:
1230Sstevel@tonic-gate  *
1240Sstevel@tonic-gate  * on the sparc, we can load big endian 32-bit data easily.  note that
1250Sstevel@tonic-gate  * special care must be taken to ensure the address is 32-bit aligned.
1260Sstevel@tonic-gate  * in the interest of speed, we don't check to make sure, since
1270Sstevel@tonic-gate  * careful programming can guarantee this for us.
1280Sstevel@tonic-gate  */
1290Sstevel@tonic-gate 
1300Sstevel@tonic-gate #if	defined(_BIG_ENDIAN)
1310Sstevel@tonic-gate #define	LOAD_BIG_32(addr)	(*(uint32_t *)(addr))
1327421SDaniel.Anderson@Sun.COM #define	LOAD_BIG_64(addr)	(*(uint64_t *)(addr))
1330Sstevel@tonic-gate 
1347421SDaniel.Anderson@Sun.COM #elif	defined(HAVE_HTONL)
1357421SDaniel.Anderson@Sun.COM #define	LOAD_BIG_32(addr) htonl(*((uint32_t *)(addr)))
1367421SDaniel.Anderson@Sun.COM #define	LOAD_BIG_64(addr) htonll(*((uint64_t *)(addr)))
1370Sstevel@tonic-gate 
1387421SDaniel.Anderson@Sun.COM #else
1397421SDaniel.Anderson@Sun.COM /* little endian -- will work on big endian, but slowly */
1400Sstevel@tonic-gate #define	LOAD_BIG_32(addr)	\
1410Sstevel@tonic-gate 	(((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3])
1420Sstevel@tonic-gate #define	LOAD_BIG_64(addr)	\
1430Sstevel@tonic-gate 	(((uint64_t)(addr)[0] << 56) | ((uint64_t)(addr)[1] << 48) |	\
1440Sstevel@tonic-gate 	    ((uint64_t)(addr)[2] << 40) | ((uint64_t)(addr)[3] << 32) |	\
1450Sstevel@tonic-gate 	    ((uint64_t)(addr)[4] << 24) | ((uint64_t)(addr)[5] << 16) |	\
1460Sstevel@tonic-gate 	    ((uint64_t)(addr)[6] << 8) | (uint64_t)(addr)[7])
1477421SDaniel.Anderson@Sun.COM #endif	/* _BIG_ENDIAN */
1480Sstevel@tonic-gate 
1490Sstevel@tonic-gate 
1506281Sda73024 #if	!defined(__amd64)
1510Sstevel@tonic-gate /* SHA256 Transform */
1520Sstevel@tonic-gate 
1530Sstevel@tonic-gate static void
SHA256Transform(SHA2_CTX * ctx,const uint8_t * blk)1540Sstevel@tonic-gate SHA256Transform(SHA2_CTX *ctx, const uint8_t *blk)
1550Sstevel@tonic-gate {
1560Sstevel@tonic-gate 	uint32_t a = ctx->state.s32[0];
1570Sstevel@tonic-gate 	uint32_t b = ctx->state.s32[1];
1580Sstevel@tonic-gate 	uint32_t c = ctx->state.s32[2];
1590Sstevel@tonic-gate 	uint32_t d = ctx->state.s32[3];
1600Sstevel@tonic-gate 	uint32_t e = ctx->state.s32[4];
1610Sstevel@tonic-gate 	uint32_t f = ctx->state.s32[5];
1620Sstevel@tonic-gate 	uint32_t g = ctx->state.s32[6];
1630Sstevel@tonic-gate 	uint32_t h = ctx->state.s32[7];
1640Sstevel@tonic-gate 
1650Sstevel@tonic-gate 	uint32_t w0, w1, w2, w3, w4, w5, w6, w7;
1660Sstevel@tonic-gate 	uint32_t w8, w9, w10, w11, w12, w13, w14, w15;
1670Sstevel@tonic-gate 	uint32_t T1, T2;
1680Sstevel@tonic-gate 
1690Sstevel@tonic-gate #if	defined(__sparc)
1700Sstevel@tonic-gate 	static const uint32_t sha256_consts[] = {
1710Sstevel@tonic-gate 		SHA256_CONST_0, SHA256_CONST_1, SHA256_CONST_2,
1720Sstevel@tonic-gate 		SHA256_CONST_3, SHA256_CONST_4, SHA256_CONST_5,
1730Sstevel@tonic-gate 		SHA256_CONST_6, SHA256_CONST_7, SHA256_CONST_8,
1740Sstevel@tonic-gate 		SHA256_CONST_9, SHA256_CONST_10, SHA256_CONST_11,
1750Sstevel@tonic-gate 		SHA256_CONST_12, SHA256_CONST_13, SHA256_CONST_14,
1760Sstevel@tonic-gate 		SHA256_CONST_15, SHA256_CONST_16, SHA256_CONST_17,
1770Sstevel@tonic-gate 		SHA256_CONST_18, SHA256_CONST_19, SHA256_CONST_20,
1780Sstevel@tonic-gate 		SHA256_CONST_21, SHA256_CONST_22, SHA256_CONST_23,
1790Sstevel@tonic-gate 		SHA256_CONST_24, SHA256_CONST_25, SHA256_CONST_26,
1800Sstevel@tonic-gate 		SHA256_CONST_27, SHA256_CONST_28, SHA256_CONST_29,
1810Sstevel@tonic-gate 		SHA256_CONST_30, SHA256_CONST_31, SHA256_CONST_32,
1820Sstevel@tonic-gate 		SHA256_CONST_33, SHA256_CONST_34, SHA256_CONST_35,
1830Sstevel@tonic-gate 		SHA256_CONST_36, SHA256_CONST_37, SHA256_CONST_38,
1840Sstevel@tonic-gate 		SHA256_CONST_39, SHA256_CONST_40, SHA256_CONST_41,
1850Sstevel@tonic-gate 		SHA256_CONST_42, SHA256_CONST_43, SHA256_CONST_44,
1860Sstevel@tonic-gate 		SHA256_CONST_45, SHA256_CONST_46, SHA256_CONST_47,
1870Sstevel@tonic-gate 		SHA256_CONST_48, SHA256_CONST_49, SHA256_CONST_50,
1880Sstevel@tonic-gate 		SHA256_CONST_51, SHA256_CONST_52, SHA256_CONST_53,
1890Sstevel@tonic-gate 		SHA256_CONST_54, SHA256_CONST_55, SHA256_CONST_56,
1900Sstevel@tonic-gate 		SHA256_CONST_57, SHA256_CONST_58, SHA256_CONST_59,
1910Sstevel@tonic-gate 		SHA256_CONST_60, SHA256_CONST_61, SHA256_CONST_62,
1920Sstevel@tonic-gate 		SHA256_CONST_63
1930Sstevel@tonic-gate 	};
1946281Sda73024 #endif	/* __sparc */
1950Sstevel@tonic-gate 
1960Sstevel@tonic-gate 	if ((uintptr_t)blk & 0x3) {		/* not 4-byte aligned? */
1970Sstevel@tonic-gate 		bcopy(blk, ctx->buf_un.buf32,  sizeof (ctx->buf_un.buf32));
1980Sstevel@tonic-gate 		blk = (uint8_t *)ctx->buf_un.buf32;
1990Sstevel@tonic-gate 	}
2000Sstevel@tonic-gate 
2011694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
202676Sizick 	w0 =  LOAD_BIG_32(blk + 4 * 0);
203676Sizick 	SHA256ROUND(a, b, c, d, e, f, g, h, 0, w0);
2041694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
205676Sizick 	w1 =  LOAD_BIG_32(blk + 4 * 1);
206676Sizick 	SHA256ROUND(h, a, b, c, d, e, f, g, 1, w1);
2071694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
208676Sizick 	w2 =  LOAD_BIG_32(blk + 4 * 2);
209676Sizick 	SHA256ROUND(g, h, a, b, c, d, e, f, 2, w2);
2101694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
211676Sizick 	w3 =  LOAD_BIG_32(blk + 4 * 3);
212676Sizick 	SHA256ROUND(f, g, h, a, b, c, d, e, 3, w3);
2131694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
214676Sizick 	w4 =  LOAD_BIG_32(blk + 4 * 4);
215676Sizick 	SHA256ROUND(e, f, g, h, a, b, c, d, 4, w4);
2161694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
217676Sizick 	w5 =  LOAD_BIG_32(blk + 4 * 5);
218676Sizick 	SHA256ROUND(d, e, f, g, h, a, b, c, 5, w5);
2191694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
220676Sizick 	w6 =  LOAD_BIG_32(blk + 4 * 6);
221676Sizick 	SHA256ROUND(c, d, e, f, g, h, a, b, 6, w6);
2221694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
223676Sizick 	w7 =  LOAD_BIG_32(blk + 4 * 7);
224676Sizick 	SHA256ROUND(b, c, d, e, f, g, h, a, 7, w7);
2251694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
226676Sizick 	w8 =  LOAD_BIG_32(blk + 4 * 8);
227676Sizick 	SHA256ROUND(a, b, c, d, e, f, g, h, 8, w8);
2281694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
229676Sizick 	w9 =  LOAD_BIG_32(blk + 4 * 9);
230676Sizick 	SHA256ROUND(h, a, b, c, d, e, f, g, 9, w9);
2311694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
232676Sizick 	w10 =  LOAD_BIG_32(blk + 4 * 10);
233676Sizick 	SHA256ROUND(g, h, a, b, c, d, e, f, 10, w10);
2341694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
235676Sizick 	w11 =  LOAD_BIG_32(blk + 4 * 11);
236676Sizick 	SHA256ROUND(f, g, h, a, b, c, d, e, 11, w11);
2371694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
238676Sizick 	w12 =  LOAD_BIG_32(blk + 4 * 12);
239676Sizick 	SHA256ROUND(e, f, g, h, a, b, c, d, 12, w12);
2401694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
241676Sizick 	w13 =  LOAD_BIG_32(blk + 4 * 13);
242676Sizick 	SHA256ROUND(d, e, f, g, h, a, b, c, 13, w13);
2431694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
244676Sizick 	w14 =  LOAD_BIG_32(blk + 4 * 14);
245676Sizick 	SHA256ROUND(c, d, e, f, g, h, a, b, 14, w14);
2461694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
247676Sizick 	w15 =  LOAD_BIG_32(blk + 4 * 15);
248676Sizick 	SHA256ROUND(b, c, d, e, f, g, h, a, 15, w15);
249676Sizick 
2500Sstevel@tonic-gate 	w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
2510Sstevel@tonic-gate 	SHA256ROUND(a, b, c, d, e, f, g, h, 16, w0);
2520Sstevel@tonic-gate 	w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
2530Sstevel@tonic-gate 	SHA256ROUND(h, a, b, c, d, e, f, g, 17, w1);
2540Sstevel@tonic-gate 	w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
2550Sstevel@tonic-gate 	SHA256ROUND(g, h, a, b, c, d, e, f, 18, w2);
2560Sstevel@tonic-gate 	w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
2570Sstevel@tonic-gate 	SHA256ROUND(f, g, h, a, b, c, d, e, 19, w3);
2580Sstevel@tonic-gate 	w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
2590Sstevel@tonic-gate 	SHA256ROUND(e, f, g, h, a, b, c, d, 20, w4);
2600Sstevel@tonic-gate 	w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
2610Sstevel@tonic-gate 	SHA256ROUND(d, e, f, g, h, a, b, c, 21, w5);
2620Sstevel@tonic-gate 	w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
2630Sstevel@tonic-gate 	SHA256ROUND(c, d, e, f, g, h, a, b, 22, w6);
2640Sstevel@tonic-gate 	w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
2650Sstevel@tonic-gate 	SHA256ROUND(b, c, d, e, f, g, h, a, 23, w7);
2660Sstevel@tonic-gate 	w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
2670Sstevel@tonic-gate 	SHA256ROUND(a, b, c, d, e, f, g, h, 24, w8);
2680Sstevel@tonic-gate 	w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
2690Sstevel@tonic-gate 	SHA256ROUND(h, a, b, c, d, e, f, g, 25, w9);
2700Sstevel@tonic-gate 	w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
2710Sstevel@tonic-gate 	SHA256ROUND(g, h, a, b, c, d, e, f, 26, w10);
2720Sstevel@tonic-gate 	w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
2730Sstevel@tonic-gate 	SHA256ROUND(f, g, h, a, b, c, d, e, 27, w11);
2740Sstevel@tonic-gate 	w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
2750Sstevel@tonic-gate 	SHA256ROUND(e, f, g, h, a, b, c, d, 28, w12);
2760Sstevel@tonic-gate 	w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
2770Sstevel@tonic-gate 	SHA256ROUND(d, e, f, g, h, a, b, c, 29, w13);
2780Sstevel@tonic-gate 	w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
2790Sstevel@tonic-gate 	SHA256ROUND(c, d, e, f, g, h, a, b, 30, w14);
2800Sstevel@tonic-gate 	w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
2810Sstevel@tonic-gate 	SHA256ROUND(b, c, d, e, f, g, h, a, 31, w15);
2820Sstevel@tonic-gate 
2830Sstevel@tonic-gate 	w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
2840Sstevel@tonic-gate 	SHA256ROUND(a, b, c, d, e, f, g, h, 32, w0);
2850Sstevel@tonic-gate 	w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
2860Sstevel@tonic-gate 	SHA256ROUND(h, a, b, c, d, e, f, g, 33, w1);
2870Sstevel@tonic-gate 	w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
2880Sstevel@tonic-gate 	SHA256ROUND(g, h, a, b, c, d, e, f, 34, w2);
2890Sstevel@tonic-gate 	w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
2900Sstevel@tonic-gate 	SHA256ROUND(f, g, h, a, b, c, d, e, 35, w3);
2910Sstevel@tonic-gate 	w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
2920Sstevel@tonic-gate 	SHA256ROUND(e, f, g, h, a, b, c, d, 36, w4);
2930Sstevel@tonic-gate 	w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
2940Sstevel@tonic-gate 	SHA256ROUND(d, e, f, g, h, a, b, c, 37, w5);
2950Sstevel@tonic-gate 	w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
2960Sstevel@tonic-gate 	SHA256ROUND(c, d, e, f, g, h, a, b, 38, w6);
2970Sstevel@tonic-gate 	w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
2980Sstevel@tonic-gate 	SHA256ROUND(b, c, d, e, f, g, h, a, 39, w7);
2990Sstevel@tonic-gate 	w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
3000Sstevel@tonic-gate 	SHA256ROUND(a, b, c, d, e, f, g, h, 40, w8);
3010Sstevel@tonic-gate 	w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
3020Sstevel@tonic-gate 	SHA256ROUND(h, a, b, c, d, e, f, g, 41, w9);
3030Sstevel@tonic-gate 	w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
3040Sstevel@tonic-gate 	SHA256ROUND(g, h, a, b, c, d, e, f, 42, w10);
3050Sstevel@tonic-gate 	w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
3060Sstevel@tonic-gate 	SHA256ROUND(f, g, h, a, b, c, d, e, 43, w11);
3070Sstevel@tonic-gate 	w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
3080Sstevel@tonic-gate 	SHA256ROUND(e, f, g, h, a, b, c, d, 44, w12);
3090Sstevel@tonic-gate 	w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
3100Sstevel@tonic-gate 	SHA256ROUND(d, e, f, g, h, a, b, c, 45, w13);
3110Sstevel@tonic-gate 	w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
3120Sstevel@tonic-gate 	SHA256ROUND(c, d, e, f, g, h, a, b, 46, w14);
3130Sstevel@tonic-gate 	w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
3140Sstevel@tonic-gate 	SHA256ROUND(b, c, d, e, f, g, h, a, 47, w15);
3150Sstevel@tonic-gate 
3160Sstevel@tonic-gate 	w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
3170Sstevel@tonic-gate 	SHA256ROUND(a, b, c, d, e, f, g, h, 48, w0);
3180Sstevel@tonic-gate 	w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
3190Sstevel@tonic-gate 	SHA256ROUND(h, a, b, c, d, e, f, g, 49, w1);
3200Sstevel@tonic-gate 	w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
3210Sstevel@tonic-gate 	SHA256ROUND(g, h, a, b, c, d, e, f, 50, w2);
3220Sstevel@tonic-gate 	w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
3230Sstevel@tonic-gate 	SHA256ROUND(f, g, h, a, b, c, d, e, 51, w3);
3240Sstevel@tonic-gate 	w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
3250Sstevel@tonic-gate 	SHA256ROUND(e, f, g, h, a, b, c, d, 52, w4);
3260Sstevel@tonic-gate 	w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
3270Sstevel@tonic-gate 	SHA256ROUND(d, e, f, g, h, a, b, c, 53, w5);
3280Sstevel@tonic-gate 	w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
3290Sstevel@tonic-gate 	SHA256ROUND(c, d, e, f, g, h, a, b, 54, w6);
3300Sstevel@tonic-gate 	w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
3310Sstevel@tonic-gate 	SHA256ROUND(b, c, d, e, f, g, h, a, 55, w7);
3320Sstevel@tonic-gate 	w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
3330Sstevel@tonic-gate 	SHA256ROUND(a, b, c, d, e, f, g, h, 56, w8);
3340Sstevel@tonic-gate 	w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
3350Sstevel@tonic-gate 	SHA256ROUND(h, a, b, c, d, e, f, g, 57, w9);
3360Sstevel@tonic-gate 	w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
3370Sstevel@tonic-gate 	SHA256ROUND(g, h, a, b, c, d, e, f, 58, w10);
3380Sstevel@tonic-gate 	w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
3390Sstevel@tonic-gate 	SHA256ROUND(f, g, h, a, b, c, d, e, 59, w11);
3400Sstevel@tonic-gate 	w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
3410Sstevel@tonic-gate 	SHA256ROUND(e, f, g, h, a, b, c, d, 60, w12);
3420Sstevel@tonic-gate 	w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
3430Sstevel@tonic-gate 	SHA256ROUND(d, e, f, g, h, a, b, c, 61, w13);
3440Sstevel@tonic-gate 	w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
3450Sstevel@tonic-gate 	SHA256ROUND(c, d, e, f, g, h, a, b, 62, w14);
3460Sstevel@tonic-gate 	w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
3470Sstevel@tonic-gate 	SHA256ROUND(b, c, d, e, f, g, h, a, 63, w15);
3480Sstevel@tonic-gate 
3490Sstevel@tonic-gate 	ctx->state.s32[0] += a;
3500Sstevel@tonic-gate 	ctx->state.s32[1] += b;
3510Sstevel@tonic-gate 	ctx->state.s32[2] += c;
3520Sstevel@tonic-gate 	ctx->state.s32[3] += d;
3530Sstevel@tonic-gate 	ctx->state.s32[4] += e;
3540Sstevel@tonic-gate 	ctx->state.s32[5] += f;
3550Sstevel@tonic-gate 	ctx->state.s32[6] += g;
3560Sstevel@tonic-gate 	ctx->state.s32[7] += h;
3570Sstevel@tonic-gate }
3580Sstevel@tonic-gate 
3590Sstevel@tonic-gate 
3600Sstevel@tonic-gate /* SHA384 and SHA512 Transform */
3610Sstevel@tonic-gate 
3620Sstevel@tonic-gate static void
SHA512Transform(SHA2_CTX * ctx,const uint8_t * blk)3630Sstevel@tonic-gate SHA512Transform(SHA2_CTX *ctx, const uint8_t *blk)
3640Sstevel@tonic-gate {
3650Sstevel@tonic-gate 
3660Sstevel@tonic-gate 	uint64_t a = ctx->state.s64[0];
3670Sstevel@tonic-gate 	uint64_t b = ctx->state.s64[1];
3680Sstevel@tonic-gate 	uint64_t c = ctx->state.s64[2];
3690Sstevel@tonic-gate 	uint64_t d = ctx->state.s64[3];
3700Sstevel@tonic-gate 	uint64_t e = ctx->state.s64[4];
3710Sstevel@tonic-gate 	uint64_t f = ctx->state.s64[5];
3720Sstevel@tonic-gate 	uint64_t g = ctx->state.s64[6];
3730Sstevel@tonic-gate 	uint64_t h = ctx->state.s64[7];
3740Sstevel@tonic-gate 
3750Sstevel@tonic-gate 	uint64_t w0, w1, w2, w3, w4, w5, w6, w7;
3760Sstevel@tonic-gate 	uint64_t w8, w9, w10, w11, w12, w13, w14, w15;
3770Sstevel@tonic-gate 	uint64_t T1, T2;
3780Sstevel@tonic-gate 
3790Sstevel@tonic-gate #if	defined(__sparc)
3800Sstevel@tonic-gate 	static const uint64_t sha512_consts[] = {
3810Sstevel@tonic-gate 		SHA512_CONST_0, SHA512_CONST_1, SHA512_CONST_2,
3820Sstevel@tonic-gate 		SHA512_CONST_3, SHA512_CONST_4, SHA512_CONST_5,
3830Sstevel@tonic-gate 		SHA512_CONST_6, SHA512_CONST_7, SHA512_CONST_8,
3840Sstevel@tonic-gate 		SHA512_CONST_9, SHA512_CONST_10, SHA512_CONST_11,
3850Sstevel@tonic-gate 		SHA512_CONST_12, SHA512_CONST_13, SHA512_CONST_14,
3860Sstevel@tonic-gate 		SHA512_CONST_15, SHA512_CONST_16, SHA512_CONST_17,
3870Sstevel@tonic-gate 		SHA512_CONST_18, SHA512_CONST_19, SHA512_CONST_20,
3880Sstevel@tonic-gate 		SHA512_CONST_21, SHA512_CONST_22, SHA512_CONST_23,
3890Sstevel@tonic-gate 		SHA512_CONST_24, SHA512_CONST_25, SHA512_CONST_26,
3900Sstevel@tonic-gate 		SHA512_CONST_27, SHA512_CONST_28, SHA512_CONST_29,
3910Sstevel@tonic-gate 		SHA512_CONST_30, SHA512_CONST_31, SHA512_CONST_32,
3920Sstevel@tonic-gate 		SHA512_CONST_33, SHA512_CONST_34, SHA512_CONST_35,
3930Sstevel@tonic-gate 		SHA512_CONST_36, SHA512_CONST_37, SHA512_CONST_38,
3940Sstevel@tonic-gate 		SHA512_CONST_39, SHA512_CONST_40, SHA512_CONST_41,
3950Sstevel@tonic-gate 		SHA512_CONST_42, SHA512_CONST_43, SHA512_CONST_44,
3960Sstevel@tonic-gate 		SHA512_CONST_45, SHA512_CONST_46, SHA512_CONST_47,
3970Sstevel@tonic-gate 		SHA512_CONST_48, SHA512_CONST_49, SHA512_CONST_50,
3980Sstevel@tonic-gate 		SHA512_CONST_51, SHA512_CONST_52, SHA512_CONST_53,
3990Sstevel@tonic-gate 		SHA512_CONST_54, SHA512_CONST_55, SHA512_CONST_56,
4000Sstevel@tonic-gate 		SHA512_CONST_57, SHA512_CONST_58, SHA512_CONST_59,
4010Sstevel@tonic-gate 		SHA512_CONST_60, SHA512_CONST_61, SHA512_CONST_62,
4020Sstevel@tonic-gate 		SHA512_CONST_63, SHA512_CONST_64, SHA512_CONST_65,
4030Sstevel@tonic-gate 		SHA512_CONST_66, SHA512_CONST_67, SHA512_CONST_68,
4040Sstevel@tonic-gate 		SHA512_CONST_69, SHA512_CONST_70, SHA512_CONST_71,
4050Sstevel@tonic-gate 		SHA512_CONST_72, SHA512_CONST_73, SHA512_CONST_74,
4060Sstevel@tonic-gate 		SHA512_CONST_75, SHA512_CONST_76, SHA512_CONST_77,
4070Sstevel@tonic-gate 		SHA512_CONST_78, SHA512_CONST_79
4080Sstevel@tonic-gate 	};
4096281Sda73024 #endif	/* __sparc */
4100Sstevel@tonic-gate 
4110Sstevel@tonic-gate 
4120Sstevel@tonic-gate 	if ((uintptr_t)blk & 0x7) {		/* not 8-byte aligned? */
4130Sstevel@tonic-gate 		bcopy(blk, ctx->buf_un.buf64,  sizeof (ctx->buf_un.buf64));
4140Sstevel@tonic-gate 		blk = (uint8_t *)ctx->buf_un.buf64;
4150Sstevel@tonic-gate 	}
4160Sstevel@tonic-gate 
4171694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
418676Sizick 	w0 =  LOAD_BIG_64(blk + 8 * 0);
419676Sizick 	SHA512ROUND(a, b, c, d, e, f, g, h, 0, w0);
4201694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
421676Sizick 	w1 =  LOAD_BIG_64(blk + 8 * 1);
422676Sizick 	SHA512ROUND(h, a, b, c, d, e, f, g, 1, w1);
4231694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
424676Sizick 	w2 =  LOAD_BIG_64(blk + 8 * 2);
425676Sizick 	SHA512ROUND(g, h, a, b, c, d, e, f, 2, w2);
4261694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
427676Sizick 	w3 =  LOAD_BIG_64(blk + 8 * 3);
428676Sizick 	SHA512ROUND(f, g, h, a, b, c, d, e, 3, w3);
4291694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
430676Sizick 	w4 =  LOAD_BIG_64(blk + 8 * 4);
431676Sizick 	SHA512ROUND(e, f, g, h, a, b, c, d, 4, w4);
4321694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
433676Sizick 	w5 =  LOAD_BIG_64(blk + 8 * 5);
434676Sizick 	SHA512ROUND(d, e, f, g, h, a, b, c, 5, w5);
4351694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
436676Sizick 	w6 =  LOAD_BIG_64(blk + 8 * 6);
437676Sizick 	SHA512ROUND(c, d, e, f, g, h, a, b, 6, w6);
4381694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
439676Sizick 	w7 =  LOAD_BIG_64(blk + 8 * 7);
440676Sizick 	SHA512ROUND(b, c, d, e, f, g, h, a, 7, w7);
4411694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
442676Sizick 	w8 =  LOAD_BIG_64(blk + 8 * 8);
443676Sizick 	SHA512ROUND(a, b, c, d, e, f, g, h, 8, w8);
4441694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
445676Sizick 	w9 =  LOAD_BIG_64(blk + 8 * 9);
446676Sizick 	SHA512ROUND(h, a, b, c, d, e, f, g, 9, w9);
4471694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
448676Sizick 	w10 =  LOAD_BIG_64(blk + 8 * 10);
449676Sizick 	SHA512ROUND(g, h, a, b, c, d, e, f, 10, w10);
4501694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
451676Sizick 	w11 =  LOAD_BIG_64(blk + 8 * 11);
452676Sizick 	SHA512ROUND(f, g, h, a, b, c, d, e, 11, w11);
4531694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
454676Sizick 	w12 =  LOAD_BIG_64(blk + 8 * 12);
455676Sizick 	SHA512ROUND(e, f, g, h, a, b, c, d, 12, w12);
4561694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
457676Sizick 	w13 =  LOAD_BIG_64(blk + 8 * 13);
458676Sizick 	SHA512ROUND(d, e, f, g, h, a, b, c, 13, w13);
4591694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
460676Sizick 	w14 =  LOAD_BIG_64(blk + 8 * 14);
461676Sizick 	SHA512ROUND(c, d, e, f, g, h, a, b, 14, w14);
4621694Sdarrenm 	/* LINTED E_BAD_PTR_CAST_ALIGN */
463676Sizick 	w15 =  LOAD_BIG_64(blk + 8 * 15);
464676Sizick 	SHA512ROUND(b, c, d, e, f, g, h, a, 15, w15);
465676Sizick 
4660Sstevel@tonic-gate 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
4670Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 16, w0);
4680Sstevel@tonic-gate 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
4690Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 17, w1);
4700Sstevel@tonic-gate 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
4710Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 18, w2);
4720Sstevel@tonic-gate 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
4730Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 19, w3);
4740Sstevel@tonic-gate 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
4750Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 20, w4);
4760Sstevel@tonic-gate 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
4770Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 21, w5);
4780Sstevel@tonic-gate 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
4790Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 22, w6);
4800Sstevel@tonic-gate 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
4810Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 23, w7);
4820Sstevel@tonic-gate 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
4830Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 24, w8);
4840Sstevel@tonic-gate 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
4850Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 25, w9);
4860Sstevel@tonic-gate 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
4870Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 26, w10);
4880Sstevel@tonic-gate 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
4890Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 27, w11);
4900Sstevel@tonic-gate 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
4910Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 28, w12);
4920Sstevel@tonic-gate 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
4930Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 29, w13);
4940Sstevel@tonic-gate 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
4950Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 30, w14);
4960Sstevel@tonic-gate 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
4970Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 31, w15);
4980Sstevel@tonic-gate 
4990Sstevel@tonic-gate 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
5000Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 32, w0);
5010Sstevel@tonic-gate 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
5020Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 33, w1);
5030Sstevel@tonic-gate 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
5040Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 34, w2);
5050Sstevel@tonic-gate 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
5060Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 35, w3);
5070Sstevel@tonic-gate 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
5080Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 36, w4);
5090Sstevel@tonic-gate 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
5100Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 37, w5);
5110Sstevel@tonic-gate 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
5120Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 38, w6);
5130Sstevel@tonic-gate 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
5140Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 39, w7);
5150Sstevel@tonic-gate 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
5160Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 40, w8);
5170Sstevel@tonic-gate 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
5180Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 41, w9);
5190Sstevel@tonic-gate 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
5200Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 42, w10);
5210Sstevel@tonic-gate 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
5220Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 43, w11);
5230Sstevel@tonic-gate 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
5240Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 44, w12);
5250Sstevel@tonic-gate 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
5260Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 45, w13);
5270Sstevel@tonic-gate 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
5280Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 46, w14);
5290Sstevel@tonic-gate 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
5300Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 47, w15);
5310Sstevel@tonic-gate 
5320Sstevel@tonic-gate 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
5330Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 48, w0);
5340Sstevel@tonic-gate 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
5350Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 49, w1);
5360Sstevel@tonic-gate 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
5370Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 50, w2);
5380Sstevel@tonic-gate 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
5390Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 51, w3);
5400Sstevel@tonic-gate 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
5410Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 52, w4);
5420Sstevel@tonic-gate 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
5430Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 53, w5);
5440Sstevel@tonic-gate 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
5450Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 54, w6);
5460Sstevel@tonic-gate 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
5470Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 55, w7);
5480Sstevel@tonic-gate 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
5490Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 56, w8);
5500Sstevel@tonic-gate 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
5510Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 57, w9);
5520Sstevel@tonic-gate 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
5530Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 58, w10);
5540Sstevel@tonic-gate 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
5550Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 59, w11);
5560Sstevel@tonic-gate 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
5570Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 60, w12);
5580Sstevel@tonic-gate 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
5590Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 61, w13);
5600Sstevel@tonic-gate 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
5610Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 62, w14);
5620Sstevel@tonic-gate 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
5630Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 63, w15);
5640Sstevel@tonic-gate 
5650Sstevel@tonic-gate 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
5660Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 64, w0);
5670Sstevel@tonic-gate 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
5680Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 65, w1);
5690Sstevel@tonic-gate 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
5700Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 66, w2);
5710Sstevel@tonic-gate 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
5720Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 67, w3);
5730Sstevel@tonic-gate 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
5740Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 68, w4);
5750Sstevel@tonic-gate 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
5760Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 69, w5);
5770Sstevel@tonic-gate 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
5780Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 70, w6);
5790Sstevel@tonic-gate 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
5800Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 71, w7);
5810Sstevel@tonic-gate 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
5820Sstevel@tonic-gate 	SHA512ROUND(a, b, c, d, e, f, g, h, 72, w8);
5830Sstevel@tonic-gate 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
5840Sstevel@tonic-gate 	SHA512ROUND(h, a, b, c, d, e, f, g, 73, w9);
5850Sstevel@tonic-gate 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
5860Sstevel@tonic-gate 	SHA512ROUND(g, h, a, b, c, d, e, f, 74, w10);
5870Sstevel@tonic-gate 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
5880Sstevel@tonic-gate 	SHA512ROUND(f, g, h, a, b, c, d, e, 75, w11);
5890Sstevel@tonic-gate 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
5900Sstevel@tonic-gate 	SHA512ROUND(e, f, g, h, a, b, c, d, 76, w12);
5910Sstevel@tonic-gate 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
5920Sstevel@tonic-gate 	SHA512ROUND(d, e, f, g, h, a, b, c, 77, w13);
5930Sstevel@tonic-gate 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
5940Sstevel@tonic-gate 	SHA512ROUND(c, d, e, f, g, h, a, b, 78, w14);
5950Sstevel@tonic-gate 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
5960Sstevel@tonic-gate 	SHA512ROUND(b, c, d, e, f, g, h, a, 79, w15);
5970Sstevel@tonic-gate 
5980Sstevel@tonic-gate 	ctx->state.s64[0] += a;
5990Sstevel@tonic-gate 	ctx->state.s64[1] += b;
6000Sstevel@tonic-gate 	ctx->state.s64[2] += c;
6010Sstevel@tonic-gate 	ctx->state.s64[3] += d;
6020Sstevel@tonic-gate 	ctx->state.s64[4] += e;
6030Sstevel@tonic-gate 	ctx->state.s64[5] += f;
6040Sstevel@tonic-gate 	ctx->state.s64[6] += g;
6050Sstevel@tonic-gate 	ctx->state.s64[7] += h;
6060Sstevel@tonic-gate 
6070Sstevel@tonic-gate }
6086281Sda73024 #endif	/* !__amd64 */
6090Sstevel@tonic-gate 
6100Sstevel@tonic-gate 
6110Sstevel@tonic-gate /*
6120Sstevel@tonic-gate  * Encode()
6130Sstevel@tonic-gate  *
6140Sstevel@tonic-gate  * purpose: to convert a list of numbers from little endian to big endian
6150Sstevel@tonic-gate  *   input: uint8_t *	: place to store the converted big endian numbers
6160Sstevel@tonic-gate  *	    uint32_t *	: place to get numbers to convert from
6170Sstevel@tonic-gate  *          size_t	: the length of the input in bytes
6180Sstevel@tonic-gate  *  output: void
6190Sstevel@tonic-gate  */
6200Sstevel@tonic-gate 
6210Sstevel@tonic-gate static void
Encode(uint8_t * _RESTRICT_KYWD output,uint32_t * _RESTRICT_KYWD input,size_t len)6221694Sdarrenm Encode(uint8_t *_RESTRICT_KYWD output, uint32_t *_RESTRICT_KYWD input,
6231694Sdarrenm     size_t len)
6240Sstevel@tonic-gate {
6250Sstevel@tonic-gate 	size_t		i, j;
6260Sstevel@tonic-gate 
6270Sstevel@tonic-gate #if	defined(__sparc)
6280Sstevel@tonic-gate 	if (IS_P2ALIGNED(output, sizeof (uint32_t))) {
6290Sstevel@tonic-gate 		for (i = 0, j = 0; j < len; i++, j += 4) {
630*11141Sopensolaris@drydog.com 			/* LINTED E_BAD_PTR_CAST_ALIGN */
6310Sstevel@tonic-gate 			*((uint32_t *)(output + j)) = input[i];
6320Sstevel@tonic-gate 		}
6330Sstevel@tonic-gate 	} else {
6340Sstevel@tonic-gate #endif	/* little endian -- will work on big endian, but slowly */
6350Sstevel@tonic-gate 		for (i = 0, j = 0; j < len; i++, j += 4) {
6360Sstevel@tonic-gate 			output[j]	= (input[i] >> 24) & 0xff;
6370Sstevel@tonic-gate 			output[j + 1]	= (input[i] >> 16) & 0xff;
6380Sstevel@tonic-gate 			output[j + 2]	= (input[i] >>  8) & 0xff;
6390Sstevel@tonic-gate 			output[j + 3]	= input[i] & 0xff;
6400Sstevel@tonic-gate 		}
6410Sstevel@tonic-gate #if	defined(__sparc)
6420Sstevel@tonic-gate 	}
6430Sstevel@tonic-gate #endif
6440Sstevel@tonic-gate }
6450Sstevel@tonic-gate 
6460Sstevel@tonic-gate static void
Encode64(uint8_t * _RESTRICT_KYWD output,uint64_t * _RESTRICT_KYWD input,size_t len)6471694Sdarrenm Encode64(uint8_t *_RESTRICT_KYWD output, uint64_t *_RESTRICT_KYWD input,
6481694Sdarrenm     size_t len)
6490Sstevel@tonic-gate {
6500Sstevel@tonic-gate 	size_t		i, j;
6510Sstevel@tonic-gate 
6520Sstevel@tonic-gate #if	defined(__sparc)
6530Sstevel@tonic-gate 	if (IS_P2ALIGNED(output, sizeof (uint64_t))) {
6540Sstevel@tonic-gate 		for (i = 0, j = 0; j < len; i++, j += 8) {
655*11141Sopensolaris@drydog.com 			/* LINTED E_BAD_PTR_CAST_ALIGN */
6560Sstevel@tonic-gate 			*((uint64_t *)(output + j)) = input[i];
6570Sstevel@tonic-gate 		}
6580Sstevel@tonic-gate 	} else {
6590Sstevel@tonic-gate #endif	/* little endian -- will work on big endian, but slowly */
6600Sstevel@tonic-gate 		for (i = 0, j = 0; j < len; i++, j += 8) {
6610Sstevel@tonic-gate 
6620Sstevel@tonic-gate 			output[j]	= (input[i] >> 56) & 0xff;
6630Sstevel@tonic-gate 			output[j + 1]	= (input[i] >> 48) & 0xff;
6640Sstevel@tonic-gate 			output[j + 2]	= (input[i] >> 40) & 0xff;
6650Sstevel@tonic-gate 			output[j + 3]	= (input[i] >> 32) & 0xff;
6660Sstevel@tonic-gate 			output[j + 4]	= (input[i] >> 24) & 0xff;
6670Sstevel@tonic-gate 			output[j + 5]	= (input[i] >> 16) & 0xff;
6680Sstevel@tonic-gate 			output[j + 6]	= (input[i] >>  8) & 0xff;
6690Sstevel@tonic-gate 			output[j + 7]	= input[i] & 0xff;
6700Sstevel@tonic-gate 		}
6710Sstevel@tonic-gate #if	defined(__sparc)
6720Sstevel@tonic-gate 	}
6730Sstevel@tonic-gate #endif
6740Sstevel@tonic-gate }
6750Sstevel@tonic-gate 
6760Sstevel@tonic-gate 
6770Sstevel@tonic-gate void
SHA2Init(uint64_t mech,SHA2_CTX * ctx)6780Sstevel@tonic-gate SHA2Init(uint64_t mech, SHA2_CTX *ctx)
6790Sstevel@tonic-gate {
6800Sstevel@tonic-gate 
6810Sstevel@tonic-gate 	switch (mech) {
6820Sstevel@tonic-gate 	case SHA256_MECH_INFO_TYPE:
6830Sstevel@tonic-gate 	case SHA256_HMAC_MECH_INFO_TYPE:
6840Sstevel@tonic-gate 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
6850Sstevel@tonic-gate 		ctx->state.s32[0] = 0x6a09e667U;
6860Sstevel@tonic-gate 		ctx->state.s32[1] = 0xbb67ae85U;
6870Sstevel@tonic-gate 		ctx->state.s32[2] = 0x3c6ef372U;
6880Sstevel@tonic-gate 		ctx->state.s32[3] = 0xa54ff53aU;
6890Sstevel@tonic-gate 		ctx->state.s32[4] = 0x510e527fU;
6900Sstevel@tonic-gate 		ctx->state.s32[5] = 0x9b05688cU;
6910Sstevel@tonic-gate 		ctx->state.s32[6] = 0x1f83d9abU;
6920Sstevel@tonic-gate 		ctx->state.s32[7] = 0x5be0cd19U;
6930Sstevel@tonic-gate 		break;
6940Sstevel@tonic-gate 	case SHA384_MECH_INFO_TYPE:
6950Sstevel@tonic-gate 	case SHA384_HMAC_MECH_INFO_TYPE:
6960Sstevel@tonic-gate 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
6970Sstevel@tonic-gate 		ctx->state.s64[0] = 0xcbbb9d5dc1059ed8ULL;
6980Sstevel@tonic-gate 		ctx->state.s64[1] = 0x629a292a367cd507ULL;
6990Sstevel@tonic-gate 		ctx->state.s64[2] = 0x9159015a3070dd17ULL;
7000Sstevel@tonic-gate 		ctx->state.s64[3] = 0x152fecd8f70e5939ULL;
7010Sstevel@tonic-gate 		ctx->state.s64[4] = 0x67332667ffc00b31ULL;
7020Sstevel@tonic-gate 		ctx->state.s64[5] = 0x8eb44a8768581511ULL;
7030Sstevel@tonic-gate 		ctx->state.s64[6] = 0xdb0c2e0d64f98fa7ULL;
7040Sstevel@tonic-gate 		ctx->state.s64[7] = 0x47b5481dbefa4fa4ULL;
7050Sstevel@tonic-gate 		break;
7060Sstevel@tonic-gate 	case SHA512_MECH_INFO_TYPE:
7070Sstevel@tonic-gate 	case SHA512_HMAC_MECH_INFO_TYPE:
7080Sstevel@tonic-gate 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
7090Sstevel@tonic-gate 		ctx->state.s64[0] = 0x6a09e667f3bcc908ULL;
7100Sstevel@tonic-gate 		ctx->state.s64[1] = 0xbb67ae8584caa73bULL;
7110Sstevel@tonic-gate 		ctx->state.s64[2] = 0x3c6ef372fe94f82bULL;
7120Sstevel@tonic-gate 		ctx->state.s64[3] = 0xa54ff53a5f1d36f1ULL;
7130Sstevel@tonic-gate 		ctx->state.s64[4] = 0x510e527fade682d1ULL;
7140Sstevel@tonic-gate 		ctx->state.s64[5] = 0x9b05688c2b3e6c1fULL;
7150Sstevel@tonic-gate 		ctx->state.s64[6] = 0x1f83d9abfb41bd6bULL;
7160Sstevel@tonic-gate 		ctx->state.s64[7] = 0x5be0cd19137e2179ULL;
7170Sstevel@tonic-gate 		break;
7180Sstevel@tonic-gate #ifdef _KERNEL
7190Sstevel@tonic-gate 	default:
7207421SDaniel.Anderson@Sun.COM 		cmn_err(CE_PANIC,
7217421SDaniel.Anderson@Sun.COM 		    "sha2_init: failed to find a supported algorithm: 0x%x",
7220Sstevel@tonic-gate 		    (uint32_t)mech);
7230Sstevel@tonic-gate 
7240Sstevel@tonic-gate #endif /* _KERNEL */
7250Sstevel@tonic-gate 	}
7260Sstevel@tonic-gate 
727*11141Sopensolaris@drydog.com 	ctx->algotype = (uint32_t)mech;
7280Sstevel@tonic-gate 	ctx->count.c64[0] = ctx->count.c64[1] = 0;
7290Sstevel@tonic-gate }
7300Sstevel@tonic-gate 
7311694Sdarrenm #ifndef _KERNEL
7321694Sdarrenm 
7331694Sdarrenm #pragma inline(SHA256Init, SHA384Init, SHA512Init)
7341694Sdarrenm void
SHA256Init(SHA256_CTX * ctx)7351694Sdarrenm SHA256Init(SHA256_CTX *ctx)
7361694Sdarrenm {
7371694Sdarrenm 	SHA2Init(SHA256, ctx);
7381694Sdarrenm }
7391694Sdarrenm 
7401694Sdarrenm void
SHA384Init(SHA384_CTX * ctx)7411694Sdarrenm SHA384Init(SHA384_CTX *ctx)
7421694Sdarrenm {
7431694Sdarrenm 	SHA2Init(SHA384, ctx);
7441694Sdarrenm }
7451694Sdarrenm 
7461694Sdarrenm void
SHA512Init(SHA512_CTX * ctx)7471694Sdarrenm SHA512Init(SHA512_CTX *ctx)
7481694Sdarrenm {
7491694Sdarrenm 	SHA2Init(SHA512, ctx);
7501694Sdarrenm }
7511694Sdarrenm 
7521694Sdarrenm #endif /* _KERNEL */
7531694Sdarrenm 
7540Sstevel@tonic-gate /*
7550Sstevel@tonic-gate  * SHA2Update()
7560Sstevel@tonic-gate  *
7570Sstevel@tonic-gate  * purpose: continues an sha2 digest operation, using the message block
7580Sstevel@tonic-gate  *          to update the context.
7590Sstevel@tonic-gate  *   input: SHA2_CTX *	: the context to update
7601694Sdarrenm  *          void *	: the message block
7616281Sda73024  *          size_t      : the length of the message block, in bytes
7620Sstevel@tonic-gate  *  output: void
7630Sstevel@tonic-gate  */
7640Sstevel@tonic-gate 
7650Sstevel@tonic-gate void
SHA2Update(SHA2_CTX * ctx,const void * inptr,size_t input_len)7661694Sdarrenm SHA2Update(SHA2_CTX *ctx, const void *inptr, size_t input_len)
7670Sstevel@tonic-gate {
7686281Sda73024 	uint32_t	i, buf_index, buf_len, buf_limit;
7696281Sda73024 	const uint8_t	*input = inptr;
7706281Sda73024 	uint32_t	algotype = ctx->algotype;
7716281Sda73024 #if defined(__amd64)
7726281Sda73024 	uint32_t	block_count;
7736281Sda73024 #endif	/* !__amd64 */
7746281Sda73024 
7750Sstevel@tonic-gate 
7760Sstevel@tonic-gate 	/* check for noop */
7770Sstevel@tonic-gate 	if (input_len == 0)
7780Sstevel@tonic-gate 		return;
7790Sstevel@tonic-gate 
7806281Sda73024 	if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
7810Sstevel@tonic-gate 		buf_limit = 64;
7820Sstevel@tonic-gate 
7830Sstevel@tonic-gate 		/* compute number of bytes mod 64 */
7840Sstevel@tonic-gate 		buf_index = (ctx->count.c32[1] >> 3) & 0x3F;
7850Sstevel@tonic-gate 
7860Sstevel@tonic-gate 		/* update number of bits */
7870Sstevel@tonic-gate 		if ((ctx->count.c32[1] += (input_len << 3)) < (input_len << 3))
7880Sstevel@tonic-gate 			ctx->count.c32[0]++;
7890Sstevel@tonic-gate 
7900Sstevel@tonic-gate 		ctx->count.c32[0] += (input_len >> 29);
7910Sstevel@tonic-gate 
7920Sstevel@tonic-gate 	} else {
7930Sstevel@tonic-gate 		buf_limit = 128;
7940Sstevel@tonic-gate 
7950Sstevel@tonic-gate 		/* compute number of bytes mod 128 */
7960Sstevel@tonic-gate 		buf_index = (ctx->count.c64[1] >> 3) & 0x7F;
7970Sstevel@tonic-gate 
7980Sstevel@tonic-gate 		/* update number of bits */
7990Sstevel@tonic-gate 		if ((ctx->count.c64[1] += (input_len << 3)) < (input_len << 3))
8000Sstevel@tonic-gate 			ctx->count.c64[0]++;
8010Sstevel@tonic-gate 
8020Sstevel@tonic-gate 		ctx->count.c64[0] += (input_len >> 29);
8030Sstevel@tonic-gate 	}
8040Sstevel@tonic-gate 
8050Sstevel@tonic-gate 	buf_len = buf_limit - buf_index;
8060Sstevel@tonic-gate 
8070Sstevel@tonic-gate 	/* transform as many times as possible */
8080Sstevel@tonic-gate 	i = 0;
8090Sstevel@tonic-gate 	if (input_len >= buf_len) {
8100Sstevel@tonic-gate 
8110Sstevel@tonic-gate 		/*
8120Sstevel@tonic-gate 		 * general optimization:
8130Sstevel@tonic-gate 		 *
8140Sstevel@tonic-gate 		 * only do initial bcopy() and SHA2Transform() if
8150Sstevel@tonic-gate 		 * buf_index != 0.  if buf_index == 0, we're just
8160Sstevel@tonic-gate 		 * wasting our time doing the bcopy() since there
8170Sstevel@tonic-gate 		 * wasn't any data left over from a previous call to
8180Sstevel@tonic-gate 		 * SHA2Update().
8190Sstevel@tonic-gate 		 */
8200Sstevel@tonic-gate 		if (buf_index) {
8210Sstevel@tonic-gate 			bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
8226281Sda73024 			if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
8230Sstevel@tonic-gate 				SHA256Transform(ctx, ctx->buf_un.buf8);
8240Sstevel@tonic-gate 			else
8250Sstevel@tonic-gate 				SHA512Transform(ctx, ctx->buf_un.buf8);
8260Sstevel@tonic-gate 
8270Sstevel@tonic-gate 			i = buf_len;
8280Sstevel@tonic-gate 		}
8290Sstevel@tonic-gate 
8306281Sda73024 #if !defined(__amd64)
8316281Sda73024 		if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
8326281Sda73024 			for (; i + buf_limit - 1 < input_len; i += buf_limit) {
8330Sstevel@tonic-gate 				SHA256Transform(ctx, &input[i]);
8346281Sda73024 			}
8356281Sda73024 		} else {
8366281Sda73024 			for (; i + buf_limit - 1 < input_len; i += buf_limit) {
8370Sstevel@tonic-gate 				SHA512Transform(ctx, &input[i]);
8386281Sda73024 			}
8390Sstevel@tonic-gate 		}
8400Sstevel@tonic-gate 
8416281Sda73024 #else
8426281Sda73024 		if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
8436281Sda73024 			block_count = (input_len - i) >> 6;
8446281Sda73024 			if (block_count > 0) {
8456281Sda73024 				SHA256TransformBlocks(ctx, &input[i],
8466281Sda73024 				    block_count);
8476281Sda73024 				i += block_count << 6;
8486281Sda73024 			}
8496281Sda73024 		} else {
8506281Sda73024 			block_count = (input_len - i) >> 7;
8516281Sda73024 			if (block_count > 0) {
8526281Sda73024 				SHA512TransformBlocks(ctx, &input[i],
8536281Sda73024 				    block_count);
8546281Sda73024 				i += block_count << 7;
8556281Sda73024 			}
8566281Sda73024 		}
8576281Sda73024 #endif	/* !__amd64 */
8586281Sda73024 
8590Sstevel@tonic-gate 		/*
8600Sstevel@tonic-gate 		 * general optimization:
8610Sstevel@tonic-gate 		 *
8620Sstevel@tonic-gate 		 * if i and input_len are the same, return now instead
8630Sstevel@tonic-gate 		 * of calling bcopy(), since the bcopy() in this case
8646281Sda73024 		 * will be an expensive noop.
8650Sstevel@tonic-gate 		 */
8660Sstevel@tonic-gate 
8670Sstevel@tonic-gate 		if (input_len == i)
8680Sstevel@tonic-gate 			return;
8690Sstevel@tonic-gate 
8700Sstevel@tonic-gate 		buf_index = 0;
8710Sstevel@tonic-gate 	}
8720Sstevel@tonic-gate 
8730Sstevel@tonic-gate 	/* buffer remaining input */
8740Sstevel@tonic-gate 	bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
8750Sstevel@tonic-gate }
8760Sstevel@tonic-gate 
8770Sstevel@tonic-gate 
8780Sstevel@tonic-gate /*
8790Sstevel@tonic-gate  * SHA2Final()
8800Sstevel@tonic-gate  *
8810Sstevel@tonic-gate  * purpose: ends an sha2 digest operation, finalizing the message digest and
8820Sstevel@tonic-gate  *          zeroing the context.
8836281Sda73024  *   input: uchar_t *	: a buffer to store the digest
8844002Sdarrenm  *			: The function actually uses void* because many
8854002Sdarrenm  *			: callers pass things other than uchar_t here.
8860Sstevel@tonic-gate  *          SHA2_CTX *  : the context to finalize, save, and zero
8870Sstevel@tonic-gate  *  output: void
8880Sstevel@tonic-gate  */
8890Sstevel@tonic-gate 
8900Sstevel@tonic-gate void
SHA2Final(void * digest,SHA2_CTX * ctx)8911694Sdarrenm SHA2Final(void *digest, SHA2_CTX *ctx)
8920Sstevel@tonic-gate {
8930Sstevel@tonic-gate 	uint8_t		bitcount_be[sizeof (ctx->count.c32)];
8940Sstevel@tonic-gate 	uint8_t		bitcount_be64[sizeof (ctx->count.c64)];
8950Sstevel@tonic-gate 	uint32_t	index;
8966281Sda73024 	uint32_t	algotype = ctx->algotype;
8970Sstevel@tonic-gate 
8986281Sda73024 	if (algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
8990Sstevel@tonic-gate 		index  = (ctx->count.c32[1] >> 3) & 0x3f;
9000Sstevel@tonic-gate 		Encode(bitcount_be, ctx->count.c32, sizeof (bitcount_be));
9010Sstevel@tonic-gate 		SHA2Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index);
9020Sstevel@tonic-gate 		SHA2Update(ctx, bitcount_be, sizeof (bitcount_be));
9030Sstevel@tonic-gate 		Encode(digest, ctx->state.s32, sizeof (ctx->state.s32));
9040Sstevel@tonic-gate 
9050Sstevel@tonic-gate 	} else {
9060Sstevel@tonic-gate 		index  = (ctx->count.c64[1] >> 3) & 0x7f;
9070Sstevel@tonic-gate 		Encode64(bitcount_be64, ctx->count.c64,
9080Sstevel@tonic-gate 		    sizeof (bitcount_be64));
9090Sstevel@tonic-gate 		SHA2Update(ctx, PADDING, ((index < 112) ? 112 : 240) - index);
9100Sstevel@tonic-gate 		SHA2Update(ctx, bitcount_be64, sizeof (bitcount_be64));
9116281Sda73024 		if (algotype <= SHA384_HMAC_GEN_MECH_INFO_TYPE) {
9120Sstevel@tonic-gate 			ctx->state.s64[6] = ctx->state.s64[7] = 0;
9130Sstevel@tonic-gate 			Encode64(digest, ctx->state.s64,
9140Sstevel@tonic-gate 			    sizeof (uint64_t) * 6);
9150Sstevel@tonic-gate 		} else
9160Sstevel@tonic-gate 			Encode64(digest, ctx->state.s64,
9170Sstevel@tonic-gate 			    sizeof (ctx->state.s64));
9180Sstevel@tonic-gate 	}
9191551Sdarrenm 
9201551Sdarrenm 	/* zeroize sensitive information */
9211551Sdarrenm 	bzero(ctx, sizeof (*ctx));
9220Sstevel@tonic-gate }
923