4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or https://opensource.org/licenses/CDDL-1.0.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Based on public domain code in cppcrypto 0.10.
24 * Copyright (c) 2022 Tino Reichardt <milky-zfs@mcmilk.de>
27 #include <sys/zfs_context.h>
28 #include <sys/zfs_impl.h>
31 #include <sha2/sha2_impl.h>
34 * On i386, gcc brings this for sha512_generic():
35 * error: the frame size of 1040 bytes is larger than 1024
37 #if defined(__GNUC__) && defined(_ILP32)
38 #pragma GCC diagnostic ignored "-Wframe-larger-than="
42 static const uint32_t SHA256_K
[64] = {
43 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
44 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
45 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
46 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
47 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
48 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
49 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
50 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
51 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
52 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
53 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
54 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
55 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
56 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
57 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
58 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
61 #define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
62 #define Maj(x, y, z) (((y) & (z)) | (((y) | (z)) & (x)))
64 #define rotr32(x, n) (((x) >> n) | ((x) << (32 - n)))
65 #define sum0(x) (rotr32((x), 2) ^ rotr32((x), 13) ^ rotr32((x), 22))
66 #define sum1(x) (rotr32((x), 6) ^ rotr32((x), 11) ^ rotr32((x), 25))
67 #define sigma0(x) (rotr32((x), 7) ^ rotr32((x), 18) ^ ((x) >> 3))
68 #define sigma1(x) (rotr32((x), 17) ^ rotr32((x), 19) ^ ((x) >> 10))
70 #define WU(j) (W[j & 15] += sigma1(W[(j + 14) & 15]) \
71 + W[(j + 9) & 15] + sigma0(W[(j + 1) & 15]))
73 #define COMPRESS(i, j, K) \
74 T1 = h + sum1(e) + Ch(e, f, g) + K[i + j] + (i? WU(j): W[j]); \
75 T2 = sum0(a) + Maj(a, b, c); \
76 h = g, g = f, f = e, e = d + T1; \
77 d = c, c = b, b = a, a = T1 + T2;
79 static void sha256_generic(uint32_t state
[8], const void *data
, size_t num_blks
)
83 for (blk
= 0; blk
< num_blks
; blk
++) {
85 uint32_t a
, b
, c
, d
, e
, f
, g
, h
;
89 for (i
= 0; i
< 16; i
++) {
91 (((const uint32_t *)(data
))[blk
* 16 + i
]));
103 for (i
= 0; i
<= 63; i
+= 16) {
104 COMPRESS(i
, 0, SHA256_K
);
105 COMPRESS(i
, 1, SHA256_K
);
106 COMPRESS(i
, 2, SHA256_K
);
107 COMPRESS(i
, 3, SHA256_K
);
108 COMPRESS(i
, 4, SHA256_K
);
109 COMPRESS(i
, 5, SHA256_K
);
110 COMPRESS(i
, 6, SHA256_K
);
111 COMPRESS(i
, 7, SHA256_K
);
112 COMPRESS(i
, 8, SHA256_K
);
113 COMPRESS(i
, 9, SHA256_K
);
114 COMPRESS(i
, 10, SHA256_K
);
115 COMPRESS(i
, 11, SHA256_K
);
116 COMPRESS(i
, 12, SHA256_K
);
117 COMPRESS(i
, 13, SHA256_K
);
118 COMPRESS(i
, 14, SHA256_K
);
119 COMPRESS(i
, 15, SHA256_K
);
138 #define rotr64(x, n) (((x) >> n) | ((x) << (64 - n)))
139 #define sum0(x) (rotr64((x), 28) ^ rotr64((x), 34) ^ rotr64((x), 39))
140 #define sum1(x) (rotr64((x), 14) ^ rotr64((x), 18) ^ rotr64((x), 41))
141 #define sigma0(x) (rotr64((x), 1) ^ rotr64((x), 8) ^ ((x) >> 7))
142 #define sigma1(x) (rotr64((x), 19) ^ rotr64((x), 61) ^ ((x) >> 6))
145 static const uint64_t SHA512_K
[80] = {
146 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f,
147 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019,
148 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242,
149 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
150 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
151 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
152 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275,
153 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
154 0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f,
155 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
156 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc,
157 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
158 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6,
159 0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001,
160 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
161 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
162 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99,
163 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
164 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc,
165 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
166 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915,
167 0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207,
168 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba,
169 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
170 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
171 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
172 0x5fcb6fab3ad6faec, 0x6c44198c4a475817
175 static void sha512_generic(uint64_t state
[8], const void *data
, size_t num_blks
)
179 for (blk
= 0; blk
< num_blks
; blk
++) {
181 uint64_t a
, b
, c
, d
, e
, f
, g
, h
;
185 for (i
= 0; i
< 16; i
++) {
187 (((const uint64_t *)(data
))[blk
* 16 + i
]));
199 for (i
= 0; i
<= 79; i
+= 16) {
200 COMPRESS(i
, 0, SHA512_K
);
201 COMPRESS(i
, 1, SHA512_K
);
202 COMPRESS(i
, 2, SHA512_K
);
203 COMPRESS(i
, 3, SHA512_K
);
204 COMPRESS(i
, 4, SHA512_K
);
205 COMPRESS(i
, 5, SHA512_K
);
206 COMPRESS(i
, 6, SHA512_K
);
207 COMPRESS(i
, 7, SHA512_K
);
208 COMPRESS(i
, 8, SHA512_K
);
209 COMPRESS(i
, 9, SHA512_K
);
210 COMPRESS(i
, 10, SHA512_K
);
211 COMPRESS(i
, 11, SHA512_K
);
212 COMPRESS(i
, 12, SHA512_K
);
213 COMPRESS(i
, 13, SHA512_K
);
214 COMPRESS(i
, 14, SHA512_K
);
215 COMPRESS(i
, 15, SHA512_K
);
228 static void sha256_update(sha256_ctx
*ctx
, const uint8_t *data
, size_t len
)
230 uint64_t pos
= ctx
->count
[0];
231 uint64_t total
= ctx
->count
[1];
232 uint8_t *m
= ctx
->wbuf
;
233 const sha256_ops_t
*ops
= ctx
->ops
;
235 if (pos
&& pos
+ len
>= 64) {
236 memcpy(m
+ pos
, data
, 64 - pos
);
237 ops
->transform(ctx
->state
, m
, 1);
239 total
+= (64 - pos
) * 8;
245 uint32_t blocks
= len
/ 64;
246 uint32_t bytes
= blocks
* 64;
247 ops
->transform(ctx
->state
, data
, blocks
);
249 total
+= (bytes
) * 8;
252 memcpy(m
+ pos
, data
, len
);
257 ctx
->count
[1] = total
;
260 static void sha512_update(sha512_ctx
*ctx
, const uint8_t *data
, size_t len
)
262 uint64_t pos
= ctx
->count
[0];
263 uint64_t total
= ctx
->count
[1];
264 uint8_t *m
= ctx
->wbuf
;
265 const sha512_ops_t
*ops
= ctx
->ops
;
267 if (pos
&& pos
+ len
>= 128) {
268 memcpy(m
+ pos
, data
, 128 - pos
);
269 ops
->transform(ctx
->state
, m
, 1);
271 total
+= (128 - pos
) * 8;
277 uint64_t blocks
= len
/ 128;
278 uint64_t bytes
= blocks
* 128;
279 ops
->transform(ctx
->state
, data
, blocks
);
281 total
+= (bytes
) * 8;
284 memcpy(m
+ pos
, data
, len
);
289 ctx
->count
[1] = total
;
292 static void sha256_final(sha256_ctx
*ctx
, uint8_t *result
, int bits
)
294 uint64_t mlen
, pos
= ctx
->count
[0];
295 uint8_t *m
= ctx
->wbuf
;
296 uint32_t *R
= (uint32_t *)result
;
297 const sha256_ops_t
*ops
= ctx
->ops
;
301 memset(m
+ pos
, 0, 64 - pos
);
302 ops
->transform(ctx
->state
, m
, 1);
306 memset(m
+ pos
, 0, 64 - pos
);
307 mlen
= BE_64(ctx
->count
[1]);
308 memcpy(m
+ (64 - 8), &mlen
, 64 / 8);
309 ops
->transform(ctx
->state
, m
, 1);
312 case 224: /* 28 - unused currently /TR */
313 R
[0] = BE_32(ctx
->state
[0]);
314 R
[1] = BE_32(ctx
->state
[1]);
315 R
[2] = BE_32(ctx
->state
[2]);
316 R
[3] = BE_32(ctx
->state
[3]);
317 R
[4] = BE_32(ctx
->state
[4]);
318 R
[5] = BE_32(ctx
->state
[5]);
319 R
[6] = BE_32(ctx
->state
[6]);
322 R
[0] = BE_32(ctx
->state
[0]);
323 R
[1] = BE_32(ctx
->state
[1]);
324 R
[2] = BE_32(ctx
->state
[2]);
325 R
[3] = BE_32(ctx
->state
[3]);
326 R
[4] = BE_32(ctx
->state
[4]);
327 R
[5] = BE_32(ctx
->state
[5]);
328 R
[6] = BE_32(ctx
->state
[6]);
329 R
[7] = BE_32(ctx
->state
[7]);
333 memset(ctx
, 0, sizeof (*ctx
));
336 static void sha512_final(sha512_ctx
*ctx
, uint8_t *result
, int bits
)
338 uint64_t mlen
, pos
= ctx
->count
[0];
339 uint8_t *m
= ctx
->wbuf
, *r
;
340 uint64_t *R
= (uint64_t *)result
;
341 const sha512_ops_t
*ops
= ctx
->ops
;
345 memset(m
+ pos
, 0, 128 - pos
);
346 ops
->transform(ctx
->state
, m
, 1);
350 memset(m
+ pos
, 0, 128 - pos
);
351 mlen
= BE_64(ctx
->count
[1]);
352 memcpy(m
+ (128 - 8), &mlen
, 64 / 8);
353 ops
->transform(ctx
->state
, m
, 1);
356 case 224: /* 28 => 3,5 x 8 */
358 R
[0] = BE_64(ctx
->state
[0]);
359 R
[1] = BE_64(ctx
->state
[1]);
360 R
[2] = BE_64(ctx
->state
[2]);
361 /* last 4 bytes are special here */
362 *r
++ = (uint8_t)(ctx
->state
[3] >> 56);
363 *r
++ = (uint8_t)(ctx
->state
[3] >> 48);
364 *r
++ = (uint8_t)(ctx
->state
[3] >> 40);
365 *r
++ = (uint8_t)(ctx
->state
[3] >> 32);
368 R
[0] = BE_64(ctx
->state
[0]);
369 R
[1] = BE_64(ctx
->state
[1]);
370 R
[2] = BE_64(ctx
->state
[2]);
371 R
[3] = BE_64(ctx
->state
[3]);
374 R
[0] = BE_64(ctx
->state
[0]);
375 R
[1] = BE_64(ctx
->state
[1]);
376 R
[2] = BE_64(ctx
->state
[2]);
377 R
[3] = BE_64(ctx
->state
[3]);
378 R
[4] = BE_64(ctx
->state
[4]);
379 R
[5] = BE_64(ctx
->state
[5]);
382 R
[0] = BE_64(ctx
->state
[0]);
383 R
[1] = BE_64(ctx
->state
[1]);
384 R
[2] = BE_64(ctx
->state
[2]);
385 R
[3] = BE_64(ctx
->state
[3]);
386 R
[4] = BE_64(ctx
->state
[4]);
387 R
[5] = BE_64(ctx
->state
[5]);
388 R
[6] = BE_64(ctx
->state
[6]);
389 R
[7] = BE_64(ctx
->state
[7]);
393 memset(ctx
, 0, sizeof (*ctx
));
396 /* SHA2 Init function */
398 SHA2Init(int algotype
, SHA2_CTX
*ctx
)
400 sha256_ctx
*ctx256
= &ctx
->sha256
;
401 sha512_ctx
*ctx512
= &ctx
->sha512
;
403 ASSERT3S(algotype
, >=, SHA512_HMAC_MECH_INFO_TYPE
);
404 ASSERT3S(algotype
, <=, SHA512_256
);
406 memset(ctx
, 0, sizeof (*ctx
));
407 ctx
->algotype
= algotype
;
408 switch (ctx
->algotype
) {
410 ctx256
->state
[0] = 0x6a09e667;
411 ctx256
->state
[1] = 0xbb67ae85;
412 ctx256
->state
[2] = 0x3c6ef372;
413 ctx256
->state
[3] = 0xa54ff53a;
414 ctx256
->state
[4] = 0x510e527f;
415 ctx256
->state
[5] = 0x9b05688c;
416 ctx256
->state
[6] = 0x1f83d9ab;
417 ctx256
->state
[7] = 0x5be0cd19;
418 ctx256
->count
[0] = 0;
419 ctx256
->ops
= sha256_get_ops();
422 case SHA512_HMAC_MECH_INFO_TYPE
:
423 ctx512
->state
[0] = 0x6a09e667f3bcc908ULL
;
424 ctx512
->state
[1] = 0xbb67ae8584caa73bULL
;
425 ctx512
->state
[2] = 0x3c6ef372fe94f82bULL
;
426 ctx512
->state
[3] = 0xa54ff53a5f1d36f1ULL
;
427 ctx512
->state
[4] = 0x510e527fade682d1ULL
;
428 ctx512
->state
[5] = 0x9b05688c2b3e6c1fULL
;
429 ctx512
->state
[6] = 0x1f83d9abfb41bd6bULL
;
430 ctx512
->state
[7] = 0x5be0cd19137e2179ULL
;
431 ctx512
->count
[0] = 0;
432 ctx512
->count
[1] = 0;
433 ctx512
->ops
= sha512_get_ops();
436 ctx512
->state
[0] = 0x22312194fc2bf72cULL
;
437 ctx512
->state
[1] = 0x9f555fa3c84c64c2ULL
;
438 ctx512
->state
[2] = 0x2393b86b6f53b151ULL
;
439 ctx512
->state
[3] = 0x963877195940eabdULL
;
440 ctx512
->state
[4] = 0x96283ee2a88effe3ULL
;
441 ctx512
->state
[5] = 0xbe5e1e2553863992ULL
;
442 ctx512
->state
[6] = 0x2b0199fc2c85b8aaULL
;
443 ctx512
->state
[7] = 0x0eb72ddc81c52ca2ULL
;
444 ctx512
->count
[0] = 0;
445 ctx512
->count
[1] = 0;
446 ctx512
->ops
= sha512_get_ops();
451 /* SHA2 Update function */
453 SHA2Update(SHA2_CTX
*ctx
, const void *data
, size_t len
)
455 /* check for zero input length */
459 ASSERT3P(data
, !=, NULL
);
461 switch (ctx
->algotype
) {
463 sha256_update(&ctx
->sha256
, data
, len
);
466 case SHA512_HMAC_MECH_INFO_TYPE
:
467 sha512_update(&ctx
->sha512
, data
, len
);
470 sha512_update(&ctx
->sha512
, data
, len
);
475 /* SHA2Final function */
477 SHA2Final(void *digest
, SHA2_CTX
*ctx
)
479 switch (ctx
->algotype
) {
481 sha256_final(&ctx
->sha256
, digest
, 256);
484 case SHA512_HMAC_MECH_INFO_TYPE
:
485 sha512_final(&ctx
->sha512
, digest
, 512);
488 sha512_final(&ctx
->sha512
, digest
, 256);
493 /* the generic implementation is always okay */
494 static boolean_t
sha2_is_supported(void)
499 const sha256_ops_t sha256_generic_impl
= {
501 .transform
= sha256_generic
,
502 .is_supported
= sha2_is_supported
505 const sha512_ops_t sha512_generic_impl
= {
507 .transform
= sha512_generic
,
508 .is_supported
= sha2_is_supported