xref: /illumos-gate/usr/src/common/crypto/sha1/sha1.c (revision 0dee7919e2f2a6479d16b370af93747b9416b242)
1 /*
2  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * The basic framework for this code came from the reference
10  * implementation for MD5.  That implementation is Copyright (C)
11  * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
12  *
13  * License to copy and use this software is granted provided that it
14  * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
15  * Algorithm" in all material mentioning or referencing this software
16  * or this function.
17  *
18  * License is also granted to make and use derivative works provided
19  * that such works are identified as "derived from the RSA Data
20  * Security, Inc. MD5 Message-Digest Algorithm" in all material
21  * mentioning or referencing the derived work.
22  *
23  * RSA Data Security, Inc. makes no representations concerning either
24  * the merchantability of this software or the suitability of this
25  * software for any particular purpose. It is provided "as is"
26  * without express or implied warranty of any kind.
27  *
28  * These notices must be retained in any copies of any part of this
29  * documentation and/or software.
30  *
31  * NOTE: Cleaned-up and optimized, version of SHA1, based on the FIPS 180-1
32  * standard, available at http://www.itl.nist.gov/div897/pubs/fip180-1.htm
33  * Not as fast as one would like -- further optimizations are encouraged
34  * and appreciated.
35  */
36 
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/sysmacros.h>
41 #include <sys/sha1.h>
42 #include <sys/sha1_consts.h>
43 
44 #ifdef _KERNEL
45 
46 #include <sys/modctl.h>
47 #include <sys/cmn_err.h>
48 #include <sys/note.h>
49 #include <sys/crypto/common.h>
50 #include <sys/crypto/spi.h>
51 #include <sys/strsun.h>
52 
53 /*
54  * The sha1 module is created with two modlinkages:
55  * - a modlmisc that allows consumers to directly call the entry points
56  *   SHA1Init, SHA1Update, and SHA1Final.
57  * - a modlcrypto that allows the module to register with the Kernel
58  *   Cryptographic Framework (KCF) as a software provider for the SHA1
59  *   mechanisms.
60  */
61 
62 #endif /* _KERNEL */
63 #ifndef	_KERNEL
64 #include <strings.h>
65 #include <stdlib.h>
66 #include <errno.h>
67 #include <sys/systeminfo.h>
68 #endif	/* !_KERNEL */
69 
70 static void Encode(uint8_t *, uint32_t *, size_t);
71 static void SHA1Transform(uint32_t, uint32_t, uint32_t, uint32_t, uint32_t,
72     SHA1_CTX *, const uint8_t *);
73 
74 static uint8_t PADDING[64] = { 0x80, /* all zeros */ };
75 
76 /*
77  * F, G, and H are the basic SHA1 functions.
78  */
79 #define	F(b, c, d)	(((b) & (c)) | ((~b) & (d)))
80 #define	G(b, c, d)	((b) ^ (c) ^ (d))
81 #define	H(b, c, d)	(((b) & (c)) | ((b) & (d)) | ((c) & (d)))
82 
83 /*
84  * ROTATE_LEFT rotates x left n bits.
85  */
86 #define	ROTATE_LEFT(x, n)	\
87 	(((x) << (n)) | ((x) >> ((sizeof (x) * NBBY)-(n))))
88 
89 #ifdef _KERNEL
90 
91 static struct modlmisc modlmisc = {
92 	&mod_miscops,
93 	"SHA1 Message-Digest Algorithm"
94 };
95 
96 static struct modlcrypto modlcrypto = {
97 	&mod_cryptoops,
98 	"SHA1 Kernel SW Provider %I%"
99 };
100 
101 static struct modlinkage modlinkage = {
102 	MODREV_1, &modlmisc, &modlcrypto, NULL
103 };
104 
105 /*
106  * CSPI information (entry points, provider info, etc.)
107  */
108 
109 typedef enum sha1_mech_type {
110 	SHA1_MECH_INFO_TYPE,		/* SUN_CKM_SHA1 */
111 	SHA1_HMAC_MECH_INFO_TYPE,	/* SUN_CKM_SHA1_HMAC */
112 	SHA1_HMAC_GEN_MECH_INFO_TYPE	/* SUN_CKM_SHA1_HMAC_GENERAL */
113 } sha1_mech_type_t;
114 
115 #define	SHA1_DIGEST_LENGTH	20	/* SHA1 digest length in bytes */
116 #define	SHA1_HMAC_BLOCK_SIZE	64	/* SHA1-HMAC block size */
117 #define	SHA1_HMAC_MIN_KEY_LEN	8	/* SHA1-HMAC min key length in bits */
118 #define	SHA1_HMAC_MAX_KEY_LEN	INT_MAX /* SHA1-HMAC max key length in bits */
119 #define	SHA1_HMAC_INTS_PER_BLOCK	(SHA1_HMAC_BLOCK_SIZE/sizeof (uint32_t))
120 
121 /*
122  * Context for SHA1 mechanism.
123  */
124 typedef struct sha1_ctx {
125 	sha1_mech_type_t	sc_mech_type;	/* type of context */
126 	SHA1_CTX		sc_sha1_ctx;	/* SHA1 context */
127 } sha1_ctx_t;
128 
129 /*
130  * Context for SHA1-HMAC and SHA1-HMAC-GENERAL mechanisms.
131  */
132 typedef struct sha1_hmac_ctx {
133 	sha1_mech_type_t	hc_mech_type;	/* type of context */
134 	uint32_t		hc_digest_len;	/* digest len in bytes */
135 	SHA1_CTX		hc_icontext;	/* inner SHA1 context */
136 	SHA1_CTX		hc_ocontext;	/* outer SHA1 context */
137 } sha1_hmac_ctx_t;
138 
139 /*
140  * Macros to access the SHA1 or SHA1-HMAC contexts from a context passed
141  * by KCF to one of the entry points.
142  */
143 
144 #define	PROV_SHA1_CTX(ctx)	((sha1_ctx_t *)(ctx)->cc_provider_private)
145 #define	PROV_SHA1_HMAC_CTX(ctx)	((sha1_hmac_ctx_t *)(ctx)->cc_provider_private)
146 
147 /* to extract the digest length passed as mechanism parameter */
148 #define	PROV_SHA1_GET_DIGEST_LEN(m, len) {				\
149 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
150 		(len) = (uint32_t)*((ulong_t *)mechanism->cm_param);	\
151 	else {								\
152 		ulong_t tmp_ulong;					\
153 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
154 		(len) = (uint32_t)tmp_ulong;				\
155 	}								\
156 }
157 
158 #define	PROV_SHA1_DIGEST_KEY(ctx, key, len, digest) {	\
159 	SHA1Init(ctx);					\
160 	SHA1Update(ctx, key, len);			\
161 	SHA1Final(digest, ctx);				\
162 }
163 
164 /*
165  * Mechanism info structure passed to KCF during registration.
166  */
167 static crypto_mech_info_t sha1_mech_info_tab[] = {
168 	/* SHA1 */
169 	{SUN_CKM_SHA1, SHA1_MECH_INFO_TYPE,
170 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
171 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
172 	/* SHA1-HMAC */
173 	{SUN_CKM_SHA1_HMAC, SHA1_HMAC_MECH_INFO_TYPE,
174 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
175 	    SHA1_HMAC_MIN_KEY_LEN, SHA1_HMAC_MAX_KEY_LEN,
176 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
177 	/* SHA1-HMAC GENERAL */
178 	{SUN_CKM_SHA1_HMAC_GENERAL, SHA1_HMAC_GEN_MECH_INFO_TYPE,
179 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
180 	    SHA1_HMAC_MIN_KEY_LEN, SHA1_HMAC_MAX_KEY_LEN,
181 	    CRYPTO_KEYSIZE_UNIT_IN_BITS}
182 };
183 
184 static void sha1_provider_status(crypto_provider_handle_t, uint_t *);
185 
186 static crypto_control_ops_t sha1_control_ops = {
187 	sha1_provider_status
188 };
189 
190 static int sha1_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
191     crypto_req_handle_t);
192 static int sha1_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
193     crypto_req_handle_t);
194 static int sha1_digest_update(crypto_ctx_t *, crypto_data_t *,
195     crypto_req_handle_t);
196 static int sha1_digest_final(crypto_ctx_t *, crypto_data_t *,
197     crypto_req_handle_t);
198 static int sha1_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
199     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
200     crypto_req_handle_t);
201 
202 static crypto_digest_ops_t sha1_digest_ops = {
203 	sha1_digest_init,
204 	sha1_digest,
205 	sha1_digest_update,
206 	NULL,
207 	sha1_digest_final,
208 	sha1_digest_atomic
209 };
210 
211 static int sha1_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
212     crypto_spi_ctx_template_t, crypto_req_handle_t);
213 static int sha1_mac_update(crypto_ctx_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int sha1_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
216 static int sha1_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
217     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
218     crypto_spi_ctx_template_t, crypto_req_handle_t);
219 static int sha1_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
220     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
221     crypto_spi_ctx_template_t, crypto_req_handle_t);
222 
223 static crypto_mac_ops_t sha1_mac_ops = {
224 	sha1_mac_init,
225 	NULL,
226 	sha1_mac_update,
227 	sha1_mac_final,
228 	sha1_mac_atomic,
229 	sha1_mac_verify_atomic
230 };
231 
232 static int sha1_create_ctx_template(crypto_provider_handle_t,
233     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
234     size_t *, crypto_req_handle_t);
235 static int sha1_free_context(crypto_ctx_t *);
236 
237 static crypto_ctx_ops_t sha1_ctx_ops = {
238 	sha1_create_ctx_template,
239 	sha1_free_context
240 };
241 
242 static crypto_ops_t sha1_crypto_ops = {
243 	&sha1_control_ops,
244 	&sha1_digest_ops,
245 	NULL,
246 	&sha1_mac_ops,
247 	NULL,
248 	NULL,
249 	NULL,
250 	NULL,
251 	NULL,
252 	NULL,
253 	NULL,
254 	NULL,
255 	NULL,
256 	&sha1_ctx_ops
257 };
258 
259 static crypto_provider_info_t sha1_prov_info = {
260 	CRYPTO_SPI_VERSION_1,
261 	"SHA1 Software Provider",
262 	CRYPTO_SW_PROVIDER,
263 	{&modlinkage},
264 	NULL,
265 	&sha1_crypto_ops,
266 	sizeof (sha1_mech_info_tab)/sizeof (crypto_mech_info_t),
267 	sha1_mech_info_tab
268 };
269 
270 static crypto_kcf_provider_handle_t sha1_prov_handle = NULL;
271 
272 int
273 _init()
274 {
275 	int ret;
276 
277 	if ((ret = mod_install(&modlinkage)) != 0)
278 		return (ret);
279 
280 	/*
281 	 * Register with KCF. If the registration fails, log an
282 	 * error but do not uninstall the module, since the functionality
283 	 * provided by misc/sha1 should still be available.
284 	 */
285 	if ((ret = crypto_register_provider(&sha1_prov_info,
286 	    &sha1_prov_handle)) != CRYPTO_SUCCESS)
287 		cmn_err(CE_WARN, "sha1 _init: "
288 		    "crypto_register_provider() failed (0x%x)", ret);
289 
290 	return (0);
291 }
292 
293 int
294 _info(struct modinfo *modinfop)
295 {
296 	return (mod_info(&modlinkage, modinfop));
297 }
298 
299 #endif /* _KERNEL */
300 
301 /*
302  * SHA1Init()
303  *
304  * purpose: initializes the sha1 context and begins and sha1 digest operation
305  *   input: SHA1_CTX *	: the context to initializes.
306  *  output: void
307  */
308 
309 void
310 SHA1Init(SHA1_CTX *ctx)
311 {
312 	ctx->count[0] = ctx->count[1] = 0;
313 
314 	/*
315 	 * load magic initialization constants. Tell lint
316 	 * that these constants are unsigned by using U.
317 	 */
318 
319 	ctx->state[0] = 0x67452301U;
320 	ctx->state[1] = 0xefcdab89U;
321 	ctx->state[2] = 0x98badcfeU;
322 	ctx->state[3] = 0x10325476U;
323 	ctx->state[4] = 0xc3d2e1f0U;
324 }
325 
326 #ifdef VIS_SHA1
327 
328 static int usevis = 0;
329 
330 #ifdef _KERNEL
331 
332 #include <sys/regset.h>
333 #include <sys/vis.h>
334 
335 /* the alignment for block stores to save fp registers */
336 #define	VIS_ALIGN	(64)
337 
338 extern int sha1_savefp(kfpu_t *, int);
339 extern void sha1_restorefp(kfpu_t *);
340 
341 uint32_t	vis_sha1_svfp_threshold = 128;
342 
343 #else /* !_KERNEL */
344 
345 static boolean_t checked_vis = B_FALSE;
346 
347 static int
348 havevis()
349 {
350 	char *buf = NULL;
351 	char *isa_token;
352 	char *lasts;
353 	int ret = 0;
354 	size_t bufsize = 255; /* UltraSPARC III needs 115 chars */
355 	int v9_isa_token, vis_isa_token, isa_token_num;
356 
357 	if (checked_vis) {
358 		return (usevis);
359 	}
360 
361 	if ((buf = malloc(bufsize)) == NULL) {
362 		return (0);
363 	}
364 
365 	if ((ret = sysinfo(SI_ISALIST, buf, bufsize)) == -1) {
366 		free(buf);
367 		return (0);
368 	} else if (ret > bufsize) {
369 		/* We lost some because our buffer was too small  */
370 		if ((buf = realloc(buf, bufsize = ret)) == NULL) {
371 			return (0);
372 		}
373 		if ((ret = sysinfo(SI_ISALIST, buf, bufsize)) == -1) {
374 			free(buf);
375 			return (0);
376 		}
377 	}
378 
379 	/*
380 	 * Check the relative posistions of sparcv9 & sparcv9+vis
381 	 * because they are listed in (best) performance order.
382 	 * For example: The Niagara chip reports it has VIS but the
383 	 * SHA1 code runs faster without this optimisation.
384 	 */
385 	isa_token = strtok_r(buf, " ", &lasts);
386 	v9_isa_token = vis_isa_token = -1;
387 	isa_token_num = 0;
388 	do {
389 		if (strcmp(isa_token, "sparcv9") == 0) {
390 			v9_isa_token = isa_token_num;
391 		} else if (strcmp(isa_token, "sparcv9+vis") == 0) {
392 			vis_isa_token = isa_token_num;
393 		}
394 		isa_token_num++;
395 	} while (isa_token = strtok_r(NULL, " ", &lasts));
396 
397 	if (vis_isa_token != -1 && vis_isa_token < v9_isa_token)
398 		usevis = 1;
399 	free(buf);
400 
401 	checked_vis = B_TRUE;
402 	return (usevis);
403 }
404 
405 #endif /* _KERNEL */
406 
407 /*
408  * VIS SHA-1 consts.
409  */
410 static uint64_t VIS[] = {
411 	0x8000000080000000ULL,
412 	0x0002000200020002ULL,
413 	0x5a8279996ed9eba1ULL,
414 	0x8f1bbcdcca62c1d6ULL,
415 	0x012389ab456789abULL};
416 
417 extern void SHA1TransformVIS(uint64_t *, uint64_t *, uint32_t *, uint64_t *);
418 
419 
420 /*
421  * SHA1Update()
422  *
423  * purpose: continues an sha1 digest operation, using the message block
424  *          to update the context.
425  *   input: SHA1_CTX *	: the context to update
426  *          uint8_t *	: the message block
427  *          uint32_t    : the length of the message block in bytes
428  *  output: void
429  */
430 
431 void
432 SHA1Update(SHA1_CTX *ctx, const uint8_t *input, uint32_t input_len)
433 {
434 	uint32_t i, buf_index, buf_len;
435 
436 	uint64_t X0[40], input64[8];
437 
438 	/* check for noop */
439 	if (input_len == 0)
440 		return;
441 
442 	/* compute number of bytes mod 64 */
443 	buf_index = (ctx->count[1] >> 3) & 0x3F;
444 
445 	/* update number of bits */
446 	if ((ctx->count[1] += (input_len << 3)) < (input_len << 3))
447 		ctx->count[0]++;
448 
449 	ctx->count[0] += (input_len >> 29);
450 
451 	buf_len = 64 - buf_index;
452 
453 	/* transform as many times as possible */
454 	i = 0;
455 	if (input_len >= buf_len) {
456 #ifdef _KERNEL
457 		uint8_t fpua[sizeof (kfpu_t) + GSR_SIZE + VIS_ALIGN];
458 		kfpu_t *fpu;
459 
460 		uint32_t len = (input_len + buf_index) & ~0x3f;
461 		int svfp_ok;
462 
463 		fpu = (kfpu_t *)P2ROUNDUP((uintptr_t)fpua, 64);
464 		svfp_ok = ((len >= vis_sha1_svfp_threshold) ? 1 : 0);
465 		usevis = sha1_savefp(fpu, svfp_ok);
466 #else
467 		if (!checked_vis)
468 			usevis = havevis();
469 #endif /* _KERNEL */
470 
471 		/*
472 		 * general optimization:
473 		 *
474 		 * only do initial bcopy() and SHA1Transform() if
475 		 * buf_index != 0.  if buf_index == 0, we're just
476 		 * wasting our time doing the bcopy() since there
477 		 * wasn't any data left over from a previous call to
478 		 * SHA1Update().
479 		 */
480 
481 		if (buf_index) {
482 			bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
483 			if (usevis) {
484 				SHA1TransformVIS(X0,
485 				    (uint64_t *)ctx->buf_un.buf8,
486 				    &ctx->state[0], VIS);
487 			} else {
488 				SHA1Transform(ctx->state[0], ctx->state[1],
489 				    ctx->state[2], ctx->state[3],
490 				    ctx->state[4], ctx, ctx->buf_un.buf8);
491 			}
492 			i = buf_len;
493 		}
494 
495 		/*
496 		 * VIS SHA-1: uses the VIS 1.0 instructions to accelerate
497 		 * SHA-1 processing. This is achieved by "offloading" the
498 		 * computation of the message schedule (MS) to the VIS units.
499 		 * This allows the VIS computation of the message schedule
500 		 * to be performed in parallel with the standard integer
501 		 * processing of the remainder of the SHA-1 computation.
502 		 * performance by up to around 1.37X, compared to an optimized
503 		 * integer-only implementation.
504 		 *
505 		 * The VIS implementation of SHA1Transform has a different API
506 		 * to the standard integer version:
507 		 *
508 		 * void SHA1TransformVIS(
509 		 *	 uint64_t *, // Pointer to MS for ith block
510 		 *	 uint64_t *, // Pointer to ith block of message data
511 		 *	 uint32_t *, // Pointer to SHA state i.e ctx->state
512 		 *	 uint64_t *, // Pointer to various VIS constants
513 		 * )
514 		 *
515 		 * Note: the message data must by 4-byte aligned.
516 		 *
517 		 * Function requires VIS 1.0 support.
518 		 *
519 		 * Handling is provided to deal with arbitrary byte alingment
520 		 * of the input data but the performance gains are reduced
521 		 * for alignments other than 4-bytes.
522 		 */
523 		if (usevis) {
524 			if (((uint64_t)(uintptr_t)(&input[i]) & 0x3)) {
525 				/*
526 				 * Main processing loop - input misaligned
527 				 */
528 				for (; i + 63 < input_len; i += 64) {
529 				    bcopy(&input[i], input64, 64);
530 				    SHA1TransformVIS(X0, input64,
531 					&ctx->state[0], VIS);
532 				}
533 			} else {
534 				/*
535 				 * Main processing loop - input 8-byte aligned
536 				 */
537 				for (; i + 63 < input_len; i += 64) {
538 					SHA1TransformVIS(X0,
539 					    (uint64_t *)&input[i],
540 					    &ctx->state[0], VIS);
541 				}
542 
543 			}
544 #ifdef _KERNEL
545 			sha1_restorefp(fpu);
546 #endif /* _KERNEL */
547 		} else {
548 			for (; i + 63 < input_len; i += 64) {
549 			    SHA1Transform(ctx->state[0], ctx->state[1],
550 				ctx->state[2], ctx->state[3], ctx->state[4],
551 				ctx, &input[i]);
552 			}
553 		}
554 
555 		/*
556 		 * general optimization:
557 		 *
558 		 * if i and input_len are the same, return now instead
559 		 * of calling bcopy(), since the bcopy() in this case
560 		 * will be an expensive nop.
561 		 */
562 
563 		if (input_len == i)
564 			return;
565 
566 		buf_index = 0;
567 	}
568 
569 	/* buffer remaining input */
570 	bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
571 }
572 
573 #else /* VIS_SHA1 */
574 
575 void
576 SHA1Update(SHA1_CTX *ctx, const uint8_t *input, uint32_t input_len)
577 {
578 	uint32_t i, buf_index, buf_len;
579 
580 	/* check for noop */
581 	if (input_len == 0)
582 		return;
583 
584 	/* compute number of bytes mod 64 */
585 	buf_index = (ctx->count[1] >> 3) & 0x3F;
586 
587 	/* update number of bits */
588 	if ((ctx->count[1] += (input_len << 3)) < (input_len << 3))
589 		ctx->count[0]++;
590 
591 	ctx->count[0] += (input_len >> 29);
592 
593 	buf_len = 64 - buf_index;
594 
595 	/* transform as many times as possible */
596 	i = 0;
597 	if (input_len >= buf_len) {
598 
599 		/*
600 		 * general optimization:
601 		 *
602 		 * only do initial bcopy() and SHA1Transform() if
603 		 * buf_index != 0.  if buf_index == 0, we're just
604 		 * wasting our time doing the bcopy() since there
605 		 * wasn't any data left over from a previous call to
606 		 * SHA1Update().
607 		 */
608 
609 		if (buf_index) {
610 			bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
611 
612 
613 			SHA1Transform(ctx->state[0], ctx->state[1],
614 			    ctx->state[2], ctx->state[3], ctx->state[4], ctx,
615 			    ctx->buf_un.buf8);
616 
617 			i = buf_len;
618 		}
619 
620 		for (; i + 63 < input_len; i += 64)
621 			SHA1Transform(ctx->state[0], ctx->state[1],
622 			    ctx->state[2], ctx->state[3], ctx->state[4],
623 			    ctx, &input[i]);
624 
625 		/*
626 		 * general optimization:
627 		 *
628 		 * if i and input_len are the same, return now instead
629 		 * of calling bcopy(), since the bcopy() in this case
630 		 * will be an expensive nop.
631 		 */
632 
633 		if (input_len == i)
634 			return;
635 
636 		buf_index = 0;
637 	}
638 
639 	/* buffer remaining input */
640 	bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
641 }
642 
643 #endif /* VIS_SHA1 */
644 
645 /*
646  * SHA1Final()
647  *
648  * purpose: ends an sha1 digest operation, finalizing the message digest and
649  *          zeroing the context.
650  *   input: uint8_t *	: a buffer to store the digest in
651  *          SHA1_CTX *  : the context to finalize, save, and zero
652  *  output: void
653  */
654 
655 void
656 SHA1Final(uint8_t *digest, SHA1_CTX *ctx)
657 {
658 	uint8_t		bitcount_be[sizeof (ctx->count)];
659 	uint32_t	index = (ctx->count[1] >> 3) & 0x3f;
660 
661 	/* store bit count, big endian */
662 	Encode(bitcount_be, ctx->count, sizeof (bitcount_be));
663 
664 	/* pad out to 56 mod 64 */
665 	SHA1Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index);
666 
667 	/* append length (before padding) */
668 	SHA1Update(ctx, bitcount_be, sizeof (bitcount_be));
669 
670 	/* store state in digest */
671 	Encode(digest, ctx->state, sizeof (ctx->state));
672 }
673 
674 /*
675  * sparc optimization:
676  *
677  * on the sparc, we can load big endian 32-bit data easily.  note that
678  * special care must be taken to ensure the address is 32-bit aligned.
679  * in the interest of speed, we don't check to make sure, since
680  * careful programming can guarantee this for us.
681  */
682 
683 #if	defined(_BIG_ENDIAN)
684 
685 #define	LOAD_BIG_32(addr)	(*(uint32_t *)(addr))
686 
687 #else	/* little endian -- will work on big endian, but slowly */
688 
689 #define	LOAD_BIG_32(addr)	\
690 	(((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3])
691 #endif
692 
693 /*
694  * sparc register window optimization:
695  *
696  * `a', `b', `c', `d', and `e' are passed into SHA1Transform
697  * explicitly since it increases the number of registers available to
698  * the compiler.  under this scheme, these variables can be held in
699  * %i0 - %i4, which leaves more local and out registers available.
700  */
701 
702 /*
703  * SHA1Transform()
704  *
705  * purpose: sha1 transformation -- updates the digest based on `block'
706  *   input: uint32_t	: bytes  1 -  4 of the digest
707  *          uint32_t	: bytes  5 -  8 of the digest
708  *          uint32_t	: bytes  9 - 12 of the digest
709  *          uint32_t	: bytes 12 - 16 of the digest
710  *          uint32_t	: bytes 16 - 20 of the digest
711  *          SHA1_CTX *	: the context to update
712  *          uint8_t [64]: the block to use to update the digest
713  *  output: void
714  */
715 
716 void
717 SHA1Transform(uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e,
718     SHA1_CTX *ctx, const uint8_t blk[64])
719 {
720 	/*
721 	 * sparc optimization:
722 	 *
723 	 * while it is somewhat counter-intuitive, on sparc, it is
724 	 * more efficient to place all the constants used in this
725 	 * function in an array and load the values out of the array
726 	 * than to manually load the constants.  this is because
727 	 * setting a register to a 32-bit value takes two ops in most
728 	 * cases: a `sethi' and an `or', but loading a 32-bit value
729 	 * from memory only takes one `ld' (or `lduw' on v9).  while
730 	 * this increases memory usage, the compiler can find enough
731 	 * other things to do while waiting to keep the pipeline does
732 	 * not stall.  additionally, it is likely that many of these
733 	 * constants are cached so that later accesses do not even go
734 	 * out to the bus.
735 	 *
736 	 * this array is declared `static' to keep the compiler from
737 	 * having to bcopy() this array onto the stack frame of
738 	 * SHA1Transform() each time it is called -- which is
739 	 * unacceptably expensive.
740 	 *
741 	 * the `const' is to ensure that callers are good citizens and
742 	 * do not try to munge the array.  since these routines are
743 	 * going to be called from inside multithreaded kernelland,
744 	 * this is a good safety check. -- `sha1_consts' will end up in
745 	 * .rodata.
746 	 *
747 	 * unfortunately, loading from an array in this manner hurts
748 	 * performance under intel.  so, there is a macro,
749 	 * SHA1_CONST(), used in SHA1Transform(), that either expands to
750 	 * a reference to this array, or to the actual constant,
751 	 * depending on what platform this code is compiled for.
752 	 */
753 
754 #if	defined(__sparc)
755 	static const uint32_t sha1_consts[] = {
756 		SHA1_CONST_0,	SHA1_CONST_1,	SHA1_CONST_2,	SHA1_CONST_3,
757 	};
758 #endif
759 
760 	/*
761 	 * general optimization:
762 	 *
763 	 * use individual integers instead of using an array.  this is a
764 	 * win, although the amount it wins by seems to vary quite a bit.
765 	 */
766 
767 	uint32_t	w_0, w_1, w_2,  w_3,  w_4,  w_5,  w_6,  w_7;
768 	uint32_t	w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
769 
770 	/*
771 	 * sparc optimization:
772 	 *
773 	 * if `block' is already aligned on a 4-byte boundary, use
774 	 * LOAD_BIG_32() directly.  otherwise, bcopy() into a
775 	 * buffer that *is* aligned on a 4-byte boundary and then do
776 	 * the LOAD_BIG_32() on that buffer.  benchmarks have shown
777 	 * that using the bcopy() is better than loading the bytes
778 	 * individually and doing the endian-swap by hand.
779 	 *
780 	 * even though it's quite tempting to assign to do:
781 	 *
782 	 * blk = bcopy(ctx->buf_un.buf32, blk, sizeof (ctx->buf_un.buf32));
783 	 *
784 	 * and only have one set of LOAD_BIG_32()'s, the compiler
785 	 * *does not* like that, so please resist the urge.
786 	 */
787 
788 #if	defined(__sparc)
789 	if ((uintptr_t)blk & 0x3) {		/* not 4-byte aligned? */
790 		bcopy(blk, ctx->buf_un.buf32,  sizeof (ctx->buf_un.buf32));
791 		w_15 = LOAD_BIG_32(ctx->buf_un.buf32 + 15);
792 		w_14 = LOAD_BIG_32(ctx->buf_un.buf32 + 14);
793 		w_13 = LOAD_BIG_32(ctx->buf_un.buf32 + 13);
794 		w_12 = LOAD_BIG_32(ctx->buf_un.buf32 + 12);
795 		w_11 = LOAD_BIG_32(ctx->buf_un.buf32 + 11);
796 		w_10 = LOAD_BIG_32(ctx->buf_un.buf32 + 10);
797 		w_9  = LOAD_BIG_32(ctx->buf_un.buf32 +  9);
798 		w_8  = LOAD_BIG_32(ctx->buf_un.buf32 +  8);
799 		w_7  = LOAD_BIG_32(ctx->buf_un.buf32 +  7);
800 		w_6  = LOAD_BIG_32(ctx->buf_un.buf32 +  6);
801 		w_5  = LOAD_BIG_32(ctx->buf_un.buf32 +  5);
802 		w_4  = LOAD_BIG_32(ctx->buf_un.buf32 +  4);
803 		w_3  = LOAD_BIG_32(ctx->buf_un.buf32 +  3);
804 		w_2  = LOAD_BIG_32(ctx->buf_un.buf32 +  2);
805 		w_1  = LOAD_BIG_32(ctx->buf_un.buf32 +  1);
806 		w_0  = LOAD_BIG_32(ctx->buf_un.buf32 +  0);
807 	} else {
808 		/*LINTED*/
809 		w_15 = LOAD_BIG_32(blk + 60);
810 		/*LINTED*/
811 		w_14 = LOAD_BIG_32(blk + 56);
812 		/*LINTED*/
813 		w_13 = LOAD_BIG_32(blk + 52);
814 		/*LINTED*/
815 		w_12 = LOAD_BIG_32(blk + 48);
816 		/*LINTED*/
817 		w_11 = LOAD_BIG_32(blk + 44);
818 		/*LINTED*/
819 		w_10 = LOAD_BIG_32(blk + 40);
820 		/*LINTED*/
821 		w_9  = LOAD_BIG_32(blk + 36);
822 		/*LINTED*/
823 		w_8  = LOAD_BIG_32(blk + 32);
824 		/*LINTED*/
825 		w_7  = LOAD_BIG_32(blk + 28);
826 		/*LINTED*/
827 		w_6  = LOAD_BIG_32(blk + 24);
828 		/*LINTED*/
829 		w_5  = LOAD_BIG_32(blk + 20);
830 		/*LINTED*/
831 		w_4  = LOAD_BIG_32(blk + 16);
832 		/*LINTED*/
833 		w_3  = LOAD_BIG_32(blk + 12);
834 		/*LINTED*/
835 		w_2  = LOAD_BIG_32(blk +  8);
836 		/*LINTED*/
837 		w_1  = LOAD_BIG_32(blk +  4);
838 		/*LINTED*/
839 		w_0  = LOAD_BIG_32(blk +  0);
840 	}
841 #else
842 	w_15 = LOAD_BIG_32(blk + 60);
843 	w_14 = LOAD_BIG_32(blk + 56);
844 	w_13 = LOAD_BIG_32(blk + 52);
845 	w_12 = LOAD_BIG_32(blk + 48);
846 	w_11 = LOAD_BIG_32(blk + 44);
847 	w_10 = LOAD_BIG_32(blk + 40);
848 	w_9  = LOAD_BIG_32(blk + 36);
849 	w_8  = LOAD_BIG_32(blk + 32);
850 	w_7  = LOAD_BIG_32(blk + 28);
851 	w_6  = LOAD_BIG_32(blk + 24);
852 	w_5  = LOAD_BIG_32(blk + 20);
853 	w_4  = LOAD_BIG_32(blk + 16);
854 	w_3  = LOAD_BIG_32(blk + 12);
855 	w_2  = LOAD_BIG_32(blk +  8);
856 	w_1  = LOAD_BIG_32(blk +  4);
857 	w_0  = LOAD_BIG_32(blk +  0);
858 #endif
859 	/*
860 	 * general optimization:
861 	 *
862 	 * even though this approach is described in the standard as
863 	 * being slower algorithmically, it is 30-40% faster than the
864 	 * "faster" version under SPARC, because this version has more
865 	 * of the constraints specified at compile-time and uses fewer
866 	 * variables (and therefore has better register utilization)
867 	 * than its "speedier" brother.  (i've tried both, trust me)
868 	 *
869 	 * for either method given in the spec, there is an "assignment"
870 	 * phase where the following takes place:
871 	 *
872 	 *	tmp = (main_computation);
873 	 *	e = d; d = c; c = rotate_left(b, 30); b = a; a = tmp;
874 	 *
875 	 * we can make the algorithm go faster by not doing this work,
876 	 * but just pretending that `d' is now `e', etc. this works
877 	 * really well and obviates the need for a temporary variable.
878 	 * however, we still explictly perform the rotate action,
879 	 * since it is cheaper on SPARC to do it once than to have to
880 	 * do it over and over again.
881 	 */
882 
883 	/* round 1 */
884 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_0 + SHA1_CONST(0); /* 0 */
885 	b = ROTATE_LEFT(b, 30);
886 
887 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_1 + SHA1_CONST(0); /* 1 */
888 	a = ROTATE_LEFT(a, 30);
889 
890 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_2 + SHA1_CONST(0); /* 2 */
891 	e = ROTATE_LEFT(e, 30);
892 
893 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_3 + SHA1_CONST(0); /* 3 */
894 	d = ROTATE_LEFT(d, 30);
895 
896 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_4 + SHA1_CONST(0); /* 4 */
897 	c = ROTATE_LEFT(c, 30);
898 
899 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_5 + SHA1_CONST(0); /* 5 */
900 	b = ROTATE_LEFT(b, 30);
901 
902 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_6 + SHA1_CONST(0); /* 6 */
903 	a = ROTATE_LEFT(a, 30);
904 
905 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_7 + SHA1_CONST(0); /* 7 */
906 	e = ROTATE_LEFT(e, 30);
907 
908 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_8 + SHA1_CONST(0); /* 8 */
909 	d = ROTATE_LEFT(d, 30);
910 
911 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_9 + SHA1_CONST(0); /* 9 */
912 	c = ROTATE_LEFT(c, 30);
913 
914 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_10 + SHA1_CONST(0); /* 10 */
915 	b = ROTATE_LEFT(b, 30);
916 
917 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_11 + SHA1_CONST(0); /* 11 */
918 	a = ROTATE_LEFT(a, 30);
919 
920 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_12 + SHA1_CONST(0); /* 12 */
921 	e = ROTATE_LEFT(e, 30);
922 
923 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_13 + SHA1_CONST(0); /* 13 */
924 	d = ROTATE_LEFT(d, 30);
925 
926 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_14 + SHA1_CONST(0); /* 14 */
927 	c = ROTATE_LEFT(c, 30);
928 
929 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_15 + SHA1_CONST(0); /* 15 */
930 	b = ROTATE_LEFT(b, 30);
931 
932 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 16 */
933 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_0 + SHA1_CONST(0);
934 	a = ROTATE_LEFT(a, 30);
935 
936 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 17 */
937 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_1 + SHA1_CONST(0);
938 	e = ROTATE_LEFT(e, 30);
939 
940 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 18 */
941 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_2 + SHA1_CONST(0);
942 	d = ROTATE_LEFT(d, 30);
943 
944 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 19 */
945 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_3 + SHA1_CONST(0);
946 	c = ROTATE_LEFT(c, 30);
947 
948 	/* round 2 */
949 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 20 */
950 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_4 + SHA1_CONST(1);
951 	b = ROTATE_LEFT(b, 30);
952 
953 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 21 */
954 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_5 + SHA1_CONST(1);
955 	a = ROTATE_LEFT(a, 30);
956 
957 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 22 */
958 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_6 + SHA1_CONST(1);
959 	e = ROTATE_LEFT(e, 30);
960 
961 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 23 */
962 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_7 + SHA1_CONST(1);
963 	d = ROTATE_LEFT(d, 30);
964 
965 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 24 */
966 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_8 + SHA1_CONST(1);
967 	c = ROTATE_LEFT(c, 30);
968 
969 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 25 */
970 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_9 + SHA1_CONST(1);
971 	b = ROTATE_LEFT(b, 30);
972 
973 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 26 */
974 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_10 + SHA1_CONST(1);
975 	a = ROTATE_LEFT(a, 30);
976 
977 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 27 */
978 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_11 + SHA1_CONST(1);
979 	e = ROTATE_LEFT(e, 30);
980 
981 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 28 */
982 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_12 + SHA1_CONST(1);
983 	d = ROTATE_LEFT(d, 30);
984 
985 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 29 */
986 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_13 + SHA1_CONST(1);
987 	c = ROTATE_LEFT(c, 30);
988 
989 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 30 */
990 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_14 + SHA1_CONST(1);
991 	b = ROTATE_LEFT(b, 30);
992 
993 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 31 */
994 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_15 + SHA1_CONST(1);
995 	a = ROTATE_LEFT(a, 30);
996 
997 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 32 */
998 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_0 + SHA1_CONST(1);
999 	e = ROTATE_LEFT(e, 30);
1000 
1001 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 33 */
1002 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_1 + SHA1_CONST(1);
1003 	d = ROTATE_LEFT(d, 30);
1004 
1005 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 34 */
1006 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_2 + SHA1_CONST(1);
1007 	c = ROTATE_LEFT(c, 30);
1008 
1009 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 35 */
1010 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_3 + SHA1_CONST(1);
1011 	b = ROTATE_LEFT(b, 30);
1012 
1013 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 36 */
1014 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_4 + SHA1_CONST(1);
1015 	a = ROTATE_LEFT(a, 30);
1016 
1017 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 37 */
1018 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_5 + SHA1_CONST(1);
1019 	e = ROTATE_LEFT(e, 30);
1020 
1021 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 38 */
1022 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_6 + SHA1_CONST(1);
1023 	d = ROTATE_LEFT(d, 30);
1024 
1025 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 39 */
1026 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_7 + SHA1_CONST(1);
1027 	c = ROTATE_LEFT(c, 30);
1028 
1029 	/* round 3 */
1030 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 40 */
1031 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_8 + SHA1_CONST(2);
1032 	b = ROTATE_LEFT(b, 30);
1033 
1034 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 41 */
1035 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_9 + SHA1_CONST(2);
1036 	a = ROTATE_LEFT(a, 30);
1037 
1038 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 42 */
1039 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_10 + SHA1_CONST(2);
1040 	e = ROTATE_LEFT(e, 30);
1041 
1042 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 43 */
1043 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_11 + SHA1_CONST(2);
1044 	d = ROTATE_LEFT(d, 30);
1045 
1046 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 44 */
1047 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_12 + SHA1_CONST(2);
1048 	c = ROTATE_LEFT(c, 30);
1049 
1050 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 45 */
1051 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_13 + SHA1_CONST(2);
1052 	b = ROTATE_LEFT(b, 30);
1053 
1054 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 46 */
1055 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_14 + SHA1_CONST(2);
1056 	a = ROTATE_LEFT(a, 30);
1057 
1058 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 47 */
1059 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_15 + SHA1_CONST(2);
1060 	e = ROTATE_LEFT(e, 30);
1061 
1062 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 48 */
1063 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_0 + SHA1_CONST(2);
1064 	d = ROTATE_LEFT(d, 30);
1065 
1066 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 49 */
1067 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_1 + SHA1_CONST(2);
1068 	c = ROTATE_LEFT(c, 30);
1069 
1070 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 50 */
1071 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_2 + SHA1_CONST(2);
1072 	b = ROTATE_LEFT(b, 30);
1073 
1074 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 51 */
1075 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_3 + SHA1_CONST(2);
1076 	a = ROTATE_LEFT(a, 30);
1077 
1078 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 52 */
1079 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_4 + SHA1_CONST(2);
1080 	e = ROTATE_LEFT(e, 30);
1081 
1082 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 53 */
1083 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_5 + SHA1_CONST(2);
1084 	d = ROTATE_LEFT(d, 30);
1085 
1086 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 54 */
1087 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_6 + SHA1_CONST(2);
1088 	c = ROTATE_LEFT(c, 30);
1089 
1090 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 55 */
1091 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_7 + SHA1_CONST(2);
1092 	b = ROTATE_LEFT(b, 30);
1093 
1094 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 56 */
1095 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_8 + SHA1_CONST(2);
1096 	a = ROTATE_LEFT(a, 30);
1097 
1098 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 57 */
1099 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_9 + SHA1_CONST(2);
1100 	e = ROTATE_LEFT(e, 30);
1101 
1102 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 58 */
1103 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_10 + SHA1_CONST(2);
1104 	d = ROTATE_LEFT(d, 30);
1105 
1106 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 59 */
1107 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_11 + SHA1_CONST(2);
1108 	c = ROTATE_LEFT(c, 30);
1109 
1110 	/* round 4 */
1111 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 60 */
1112 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_12 + SHA1_CONST(3);
1113 	b = ROTATE_LEFT(b, 30);
1114 
1115 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 61 */
1116 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_13 + SHA1_CONST(3);
1117 	a = ROTATE_LEFT(a, 30);
1118 
1119 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 62 */
1120 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_14 + SHA1_CONST(3);
1121 	e = ROTATE_LEFT(e, 30);
1122 
1123 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 63 */
1124 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_15 + SHA1_CONST(3);
1125 	d = ROTATE_LEFT(d, 30);
1126 
1127 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 64 */
1128 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_0 + SHA1_CONST(3);
1129 	c = ROTATE_LEFT(c, 30);
1130 
1131 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 65 */
1132 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_1 + SHA1_CONST(3);
1133 	b = ROTATE_LEFT(b, 30);
1134 
1135 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 66 */
1136 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_2 + SHA1_CONST(3);
1137 	a = ROTATE_LEFT(a, 30);
1138 
1139 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 67 */
1140 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_3 + SHA1_CONST(3);
1141 	e = ROTATE_LEFT(e, 30);
1142 
1143 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 68 */
1144 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_4 + SHA1_CONST(3);
1145 	d = ROTATE_LEFT(d, 30);
1146 
1147 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 69 */
1148 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_5 + SHA1_CONST(3);
1149 	c = ROTATE_LEFT(c, 30);
1150 
1151 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 70 */
1152 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_6 + SHA1_CONST(3);
1153 	b = ROTATE_LEFT(b, 30);
1154 
1155 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 71 */
1156 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_7 + SHA1_CONST(3);
1157 	a = ROTATE_LEFT(a, 30);
1158 
1159 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 72 */
1160 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_8 + SHA1_CONST(3);
1161 	e = ROTATE_LEFT(e, 30);
1162 
1163 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 73 */
1164 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_9 + SHA1_CONST(3);
1165 	d = ROTATE_LEFT(d, 30);
1166 
1167 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 74 */
1168 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_10 + SHA1_CONST(3);
1169 	c = ROTATE_LEFT(c, 30);
1170 
1171 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 75 */
1172 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_11 + SHA1_CONST(3);
1173 	b = ROTATE_LEFT(b, 30);
1174 
1175 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 76 */
1176 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_12 + SHA1_CONST(3);
1177 	a = ROTATE_LEFT(a, 30);
1178 
1179 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 77 */
1180 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_13 + SHA1_CONST(3);
1181 	e = ROTATE_LEFT(e, 30);
1182 
1183 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 78 */
1184 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_14 + SHA1_CONST(3);
1185 	d = ROTATE_LEFT(d, 30);
1186 
1187 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 79 */
1188 
1189 	ctx->state[0] += ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_15 +
1190 	    SHA1_CONST(3);
1191 	ctx->state[1] += b;
1192 	ctx->state[2] += ROTATE_LEFT(c, 30);
1193 	ctx->state[3] += d;
1194 	ctx->state[4] += e;
1195 
1196 	/* zeroize sensitive information */
1197 	w_0 = w_1 = w_2 = w_3 = w_4 = w_5 = w_6 = w_7 = w_8 = 0;
1198 	w_9 = w_10 = w_11 = w_12 = w_13 = w_14 = w_15 = 0;
1199 }
1200 
1201 /*
1202  * devpro compiler optimization:
1203  *
1204  * the compiler can generate better code if it knows that `input' and
1205  * `output' do not point to the same source.  there is no portable
1206  * way to tell the compiler this, but the sun compiler recognizes the
1207  * `_Restrict' keyword to indicate this condition.  use it if possible.
1208  */
1209 
1210 #ifdef	__RESTRICT
1211 #define	restrict	_Restrict
1212 #else
1213 #define	restrict	/* nothing */
1214 #endif
1215 
1216 /*
1217  * Encode()
1218  *
1219  * purpose: to convert a list of numbers from little endian to big endian
1220  *   input: uint8_t *	: place to store the converted big endian numbers
1221  *	    uint32_t *	: place to get numbers to convert from
1222  *          size_t	: the length of the input in bytes
1223  *  output: void
1224  */
1225 
1226 static void
1227 Encode(uint8_t *restrict output, uint32_t *restrict input, size_t len)
1228 {
1229 	size_t		i, j;
1230 
1231 #if	defined(__sparc)
1232 	if (IS_P2ALIGNED(output, sizeof (uint32_t))) {
1233 		for (i = 0, j = 0; j < len; i++, j += 4) {
1234 			/* LINTED: pointer alignment */
1235 			*((uint32_t *)(output + j)) = input[i];
1236 		}
1237 	} else {
1238 #endif	/* little endian -- will work on big endian, but slowly */
1239 		for (i = 0, j = 0; j < len; i++, j += 4) {
1240 			output[j]	= (input[i] >> 24) & 0xff;
1241 			output[j + 1]	= (input[i] >> 16) & 0xff;
1242 			output[j + 2]	= (input[i] >>  8) & 0xff;
1243 			output[j + 3]	= input[i] & 0xff;
1244 		}
1245 #if	defined(__sparc)
1246 	}
1247 #endif
1248 }
1249 
1250 
1251 #ifdef _KERNEL
1252 
1253 /*
1254  * KCF software provider control entry points.
1255  */
1256 /* ARGSUSED */
1257 static void
1258 sha1_provider_status(crypto_provider_handle_t provider, uint_t *status)
1259 {
1260 	*status = CRYPTO_PROVIDER_READY;
1261 }
1262 
1263 /*
1264  * KCF software provider digest entry points.
1265  */
1266 
1267 static int
1268 sha1_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1269     crypto_req_handle_t req)
1270 {
1271 	if (mechanism->cm_type != SHA1_MECH_INFO_TYPE)
1272 		return (CRYPTO_MECHANISM_INVALID);
1273 
1274 	/*
1275 	 * Allocate and initialize SHA1 context.
1276 	 */
1277 	ctx->cc_provider_private = kmem_alloc(sizeof (sha1_ctx_t),
1278 	    crypto_kmflag(req));
1279 	if (ctx->cc_provider_private == NULL)
1280 		return (CRYPTO_HOST_MEMORY);
1281 
1282 	PROV_SHA1_CTX(ctx)->sc_mech_type = SHA1_MECH_INFO_TYPE;
1283 	SHA1Init(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx);
1284 
1285 	return (CRYPTO_SUCCESS);
1286 }
1287 
1288 /*
1289  * Helper SHA1 digest update function for uio data.
1290  */
1291 static int
1292 sha1_digest_update_uio(SHA1_CTX *sha1_ctx, crypto_data_t *data)
1293 {
1294 	off_t offset = data->cd_offset;
1295 	size_t length = data->cd_length;
1296 	uint_t vec_idx;
1297 	size_t cur_len;
1298 
1299 	/* we support only kernel buffer */
1300 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
1301 		return (CRYPTO_ARGUMENTS_BAD);
1302 
1303 	/*
1304 	 * Jump to the first iovec containing data to be
1305 	 * digested.
1306 	 */
1307 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
1308 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
1309 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len);
1310 	if (vec_idx == data->cd_uio->uio_iovcnt) {
1311 		/*
1312 		 * The caller specified an offset that is larger than the
1313 		 * total size of the buffers it provided.
1314 		 */
1315 		return (CRYPTO_DATA_LEN_RANGE);
1316 	}
1317 
1318 	/*
1319 	 * Now do the digesting on the iovecs.
1320 	 */
1321 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
1322 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
1323 		    offset, length);
1324 
1325 		SHA1Update(sha1_ctx,
1326 		    (uint8_t *)data->cd_uio->uio_iov[vec_idx].iov_base + offset,
1327 		    cur_len);
1328 
1329 		length -= cur_len;
1330 		vec_idx++;
1331 		offset = 0;
1332 	}
1333 
1334 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
1335 		/*
1336 		 * The end of the specified iovec's was reached but
1337 		 * the length requested could not be processed, i.e.
1338 		 * The caller requested to digest more data than it provided.
1339 		 */
1340 		return (CRYPTO_DATA_LEN_RANGE);
1341 	}
1342 
1343 	return (CRYPTO_SUCCESS);
1344 }
1345 
1346 /*
1347  * Helper SHA1 digest final function for uio data.
1348  * digest_len is the length of the desired digest. If digest_len
1349  * is smaller than the default SHA1 digest length, the caller
1350  * must pass a scratch buffer, digest_scratch, which must
1351  * be at least SHA1_DIGEST_LENGTH bytes.
1352  */
1353 static int
1354 sha1_digest_final_uio(SHA1_CTX *sha1_ctx, crypto_data_t *digest,
1355     ulong_t digest_len, uchar_t *digest_scratch)
1356 {
1357 	off_t offset = digest->cd_offset;
1358 	uint_t vec_idx;
1359 
1360 	/* we support only kernel buffer */
1361 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
1362 		return (CRYPTO_ARGUMENTS_BAD);
1363 
1364 	/*
1365 	 * Jump to the first iovec containing ptr to the digest to
1366 	 * be returned.
1367 	 */
1368 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
1369 	    vec_idx < digest->cd_uio->uio_iovcnt;
1370 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len);
1371 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
1372 		/*
1373 		 * The caller specified an offset that is
1374 		 * larger than the total size of the buffers
1375 		 * it provided.
1376 		 */
1377 		return (CRYPTO_DATA_LEN_RANGE);
1378 	}
1379 
1380 	if (offset + digest_len <=
1381 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
1382 		/*
1383 		 * The computed SHA1 digest will fit in the current
1384 		 * iovec.
1385 		 */
1386 		if (digest_len != SHA1_DIGEST_LENGTH) {
1387 			/*
1388 			 * The caller requested a short digest. Digest
1389 			 * into a scratch buffer and return to
1390 			 * the user only what was requested.
1391 			 */
1392 			SHA1Final(digest_scratch, sha1_ctx);
1393 			bcopy(digest_scratch, (uchar_t *)digest->
1394 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
1395 			    digest_len);
1396 		} else {
1397 			SHA1Final((uchar_t *)digest->
1398 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
1399 			    sha1_ctx);
1400 		}
1401 	} else {
1402 		/*
1403 		 * The computed digest will be crossing one or more iovec's.
1404 		 * This is bad performance-wise but we need to support it.
1405 		 * Allocate a small scratch buffer on the stack and
1406 		 * copy it piece meal to the specified digest iovec's.
1407 		 */
1408 		uchar_t digest_tmp[SHA1_DIGEST_LENGTH];
1409 		off_t scratch_offset = 0;
1410 		size_t length = digest_len;
1411 		size_t cur_len;
1412 
1413 		SHA1Final(digest_tmp, sha1_ctx);
1414 
1415 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
1416 			cur_len = MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
1417 			    offset, length);
1418 			bcopy(digest_tmp + scratch_offset,
1419 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
1420 			    cur_len);
1421 
1422 			length -= cur_len;
1423 			vec_idx++;
1424 			scratch_offset += cur_len;
1425 			offset = 0;
1426 		}
1427 
1428 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
1429 			/*
1430 			 * The end of the specified iovec's was reached but
1431 			 * the length requested could not be processed, i.e.
1432 			 * The caller requested to digest more data than it
1433 			 * provided.
1434 			 */
1435 			return (CRYPTO_DATA_LEN_RANGE);
1436 		}
1437 	}
1438 
1439 	return (CRYPTO_SUCCESS);
1440 }
1441 
1442 /*
1443  * Helper SHA1 digest update for mblk's.
1444  */
1445 static int
1446 sha1_digest_update_mblk(SHA1_CTX *sha1_ctx, crypto_data_t *data)
1447 {
1448 	off_t offset = data->cd_offset;
1449 	size_t length = data->cd_length;
1450 	mblk_t *mp;
1451 	size_t cur_len;
1452 
1453 	/*
1454 	 * Jump to the first mblk_t containing data to be digested.
1455 	 */
1456 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
1457 	    offset -= MBLKL(mp), mp = mp->b_cont);
1458 	if (mp == NULL) {
1459 		/*
1460 		 * The caller specified an offset that is larger than the
1461 		 * total size of the buffers it provided.
1462 		 */
1463 		return (CRYPTO_DATA_LEN_RANGE);
1464 	}
1465 
1466 	/*
1467 	 * Now do the digesting on the mblk chain.
1468 	 */
1469 	while (mp != NULL && length > 0) {
1470 		cur_len = MIN(MBLKL(mp) - offset, length);
1471 		SHA1Update(sha1_ctx, mp->b_rptr + offset, cur_len);
1472 		length -= cur_len;
1473 		offset = 0;
1474 		mp = mp->b_cont;
1475 	}
1476 
1477 	if (mp == NULL && length > 0) {
1478 		/*
1479 		 * The end of the mblk was reached but the length requested
1480 		 * could not be processed, i.e. The caller requested
1481 		 * to digest more data than it provided.
1482 		 */
1483 		return (CRYPTO_DATA_LEN_RANGE);
1484 	}
1485 
1486 	return (CRYPTO_SUCCESS);
1487 }
1488 
1489 /*
1490  * Helper SHA1 digest final for mblk's.
1491  * digest_len is the length of the desired digest. If digest_len
1492  * is smaller than the default SHA1 digest length, the caller
1493  * must pass a scratch buffer, digest_scratch, which must
1494  * be at least SHA1_DIGEST_LENGTH bytes.
1495  */
1496 static int
1497 sha1_digest_final_mblk(SHA1_CTX *sha1_ctx, crypto_data_t *digest,
1498     ulong_t digest_len, uchar_t *digest_scratch)
1499 {
1500 	off_t offset = digest->cd_offset;
1501 	mblk_t *mp;
1502 
1503 	/*
1504 	 * Jump to the first mblk_t that will be used to store the digest.
1505 	 */
1506 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
1507 	    offset -= MBLKL(mp), mp = mp->b_cont);
1508 	if (mp == NULL) {
1509 		/*
1510 		 * The caller specified an offset that is larger than the
1511 		 * total size of the buffers it provided.
1512 		 */
1513 		return (CRYPTO_DATA_LEN_RANGE);
1514 	}
1515 
1516 	if (offset + digest_len <= MBLKL(mp)) {
1517 		/*
1518 		 * The computed SHA1 digest will fit in the current mblk.
1519 		 * Do the SHA1Final() in-place.
1520 		 */
1521 		if (digest_len != SHA1_DIGEST_LENGTH) {
1522 			/*
1523 			 * The caller requested a short digest. Digest
1524 			 * into a scratch buffer and return to
1525 			 * the user only what was requested.
1526 			 */
1527 			SHA1Final(digest_scratch, sha1_ctx);
1528 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
1529 		} else {
1530 			SHA1Final(mp->b_rptr + offset, sha1_ctx);
1531 		}
1532 	} else {
1533 		/*
1534 		 * The computed digest will be crossing one or more mblk's.
1535 		 * This is bad performance-wise but we need to support it.
1536 		 * Allocate a small scratch buffer on the stack and
1537 		 * copy it piece meal to the specified digest iovec's.
1538 		 */
1539 		uchar_t digest_tmp[SHA1_DIGEST_LENGTH];
1540 		off_t scratch_offset = 0;
1541 		size_t length = digest_len;
1542 		size_t cur_len;
1543 
1544 		SHA1Final(digest_tmp, sha1_ctx);
1545 
1546 		while (mp != NULL && length > 0) {
1547 			cur_len = MIN(MBLKL(mp) - offset, length);
1548 			bcopy(digest_tmp + scratch_offset,
1549 			    mp->b_rptr + offset, cur_len);
1550 
1551 			length -= cur_len;
1552 			mp = mp->b_cont;
1553 			scratch_offset += cur_len;
1554 			offset = 0;
1555 		}
1556 
1557 		if (mp == NULL && length > 0) {
1558 			/*
1559 			 * The end of the specified mblk was reached but
1560 			 * the length requested could not be processed, i.e.
1561 			 * The caller requested to digest more data than it
1562 			 * provided.
1563 			 */
1564 			return (CRYPTO_DATA_LEN_RANGE);
1565 		}
1566 	}
1567 
1568 	return (CRYPTO_SUCCESS);
1569 }
1570 
1571 /* ARGSUSED */
1572 static int
1573 sha1_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
1574     crypto_req_handle_t req)
1575 {
1576 	int ret = CRYPTO_SUCCESS;
1577 
1578 	ASSERT(ctx->cc_provider_private != NULL);
1579 
1580 	/*
1581 	 * We need to just return the length needed to store the output.
1582 	 * We should not destroy the context for the following cases.
1583 	 */
1584 	if ((digest->cd_length == 0) ||
1585 	    (digest->cd_length < SHA1_DIGEST_LENGTH)) {
1586 		digest->cd_length = SHA1_DIGEST_LENGTH;
1587 		return (CRYPTO_BUFFER_TOO_SMALL);
1588 	}
1589 
1590 	/*
1591 	 * Do the SHA1 update on the specified input data.
1592 	 */
1593 	switch (data->cd_format) {
1594 	case CRYPTO_DATA_RAW:
1595 		SHA1Update(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1596 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1597 		    data->cd_length);
1598 		break;
1599 	case CRYPTO_DATA_UIO:
1600 		ret = sha1_digest_update_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1601 		    data);
1602 		break;
1603 	case CRYPTO_DATA_MBLK:
1604 		ret = sha1_digest_update_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1605 		    data);
1606 		break;
1607 	default:
1608 		ret = CRYPTO_ARGUMENTS_BAD;
1609 	}
1610 
1611 	if (ret != CRYPTO_SUCCESS) {
1612 		/* the update failed, free context and bail */
1613 		kmem_free(ctx->cc_provider_private, sizeof (sha1_ctx_t));
1614 		ctx->cc_provider_private = NULL;
1615 		digest->cd_length = 0;
1616 		return (ret);
1617 	}
1618 
1619 	/*
1620 	 * Do a SHA1 final, must be done separately since the digest
1621 	 * type can be different than the input data type.
1622 	 */
1623 	switch (digest->cd_format) {
1624 	case CRYPTO_DATA_RAW:
1625 		SHA1Final((unsigned char *)digest->cd_raw.iov_base +
1626 		    digest->cd_offset, &PROV_SHA1_CTX(ctx)->sc_sha1_ctx);
1627 		break;
1628 	case CRYPTO_DATA_UIO:
1629 		ret = sha1_digest_final_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1630 		    digest, SHA1_DIGEST_LENGTH, NULL);
1631 		break;
1632 	case CRYPTO_DATA_MBLK:
1633 		ret = sha1_digest_final_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1634 		    digest, SHA1_DIGEST_LENGTH, NULL);
1635 		break;
1636 	default:
1637 		ret = CRYPTO_ARGUMENTS_BAD;
1638 	}
1639 
1640 	/* all done, free context and return */
1641 
1642 	if (ret == CRYPTO_SUCCESS) {
1643 		digest->cd_length = SHA1_DIGEST_LENGTH;
1644 	} else {
1645 		digest->cd_length = 0;
1646 	}
1647 
1648 	kmem_free(ctx->cc_provider_private, sizeof (sha1_ctx_t));
1649 	ctx->cc_provider_private = NULL;
1650 	return (ret);
1651 }
1652 
1653 /* ARGSUSED */
1654 static int
1655 sha1_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
1656     crypto_req_handle_t req)
1657 {
1658 	int ret = CRYPTO_SUCCESS;
1659 
1660 	ASSERT(ctx->cc_provider_private != NULL);
1661 
1662 	/*
1663 	 * Do the SHA1 update on the specified input data.
1664 	 */
1665 	switch (data->cd_format) {
1666 	case CRYPTO_DATA_RAW:
1667 		SHA1Update(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1668 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1669 		    data->cd_length);
1670 		break;
1671 	case CRYPTO_DATA_UIO:
1672 		ret = sha1_digest_update_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1673 		    data);
1674 		break;
1675 	case CRYPTO_DATA_MBLK:
1676 		ret = sha1_digest_update_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1677 		    data);
1678 		break;
1679 	default:
1680 		ret = CRYPTO_ARGUMENTS_BAD;
1681 	}
1682 
1683 	return (ret);
1684 }
1685 
1686 /* ARGSUSED */
1687 static int
1688 sha1_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
1689     crypto_req_handle_t req)
1690 {
1691 	int ret = CRYPTO_SUCCESS;
1692 
1693 	ASSERT(ctx->cc_provider_private != NULL);
1694 
1695 	/*
1696 	 * We need to just return the length needed to store the output.
1697 	 * We should not destroy the context for the following cases.
1698 	 */
1699 	if ((digest->cd_length == 0) ||
1700 	    (digest->cd_length < SHA1_DIGEST_LENGTH)) {
1701 		digest->cd_length = SHA1_DIGEST_LENGTH;
1702 		return (CRYPTO_BUFFER_TOO_SMALL);
1703 	}
1704 
1705 	/*
1706 	 * Do a SHA1 final.
1707 	 */
1708 	switch (digest->cd_format) {
1709 	case CRYPTO_DATA_RAW:
1710 		SHA1Final((unsigned char *)digest->cd_raw.iov_base +
1711 		    digest->cd_offset, &PROV_SHA1_CTX(ctx)->sc_sha1_ctx);
1712 		break;
1713 	case CRYPTO_DATA_UIO:
1714 		ret = sha1_digest_final_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1715 		    digest, SHA1_DIGEST_LENGTH, NULL);
1716 		break;
1717 	case CRYPTO_DATA_MBLK:
1718 		ret = sha1_digest_final_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1719 		    digest, SHA1_DIGEST_LENGTH, NULL);
1720 		break;
1721 	default:
1722 		ret = CRYPTO_ARGUMENTS_BAD;
1723 	}
1724 
1725 	/* all done, free context and return */
1726 
1727 	if (ret == CRYPTO_SUCCESS) {
1728 		digest->cd_length = SHA1_DIGEST_LENGTH;
1729 	} else {
1730 		digest->cd_length = 0;
1731 	}
1732 
1733 	kmem_free(ctx->cc_provider_private, sizeof (sha1_ctx_t));
1734 	ctx->cc_provider_private = NULL;
1735 
1736 	return (ret);
1737 }
1738 
1739 /* ARGSUSED */
1740 static int
1741 sha1_digest_atomic(crypto_provider_handle_t provider,
1742     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1743     crypto_data_t *data, crypto_data_t *digest,
1744     crypto_req_handle_t req)
1745 {
1746 	int ret = CRYPTO_SUCCESS;
1747 	SHA1_CTX sha1_ctx;
1748 
1749 	if (mechanism->cm_type != SHA1_MECH_INFO_TYPE)
1750 		return (CRYPTO_MECHANISM_INVALID);
1751 
1752 	/*
1753 	 * Do the SHA1 init.
1754 	 */
1755 	SHA1Init(&sha1_ctx);
1756 
1757 	/*
1758 	 * Do the SHA1 update on the specified input data.
1759 	 */
1760 	switch (data->cd_format) {
1761 	case CRYPTO_DATA_RAW:
1762 		SHA1Update(&sha1_ctx,
1763 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1764 		    data->cd_length);
1765 		break;
1766 	case CRYPTO_DATA_UIO:
1767 		ret = sha1_digest_update_uio(&sha1_ctx, data);
1768 		break;
1769 	case CRYPTO_DATA_MBLK:
1770 		ret = sha1_digest_update_mblk(&sha1_ctx, data);
1771 		break;
1772 	default:
1773 		ret = CRYPTO_ARGUMENTS_BAD;
1774 	}
1775 
1776 	if (ret != CRYPTO_SUCCESS) {
1777 		/* the update failed, bail */
1778 		digest->cd_length = 0;
1779 		return (ret);
1780 	}
1781 
1782 	/*
1783 	 * Do a SHA1 final, must be done separately since the digest
1784 	 * type can be different than the input data type.
1785 	 */
1786 	switch (digest->cd_format) {
1787 	case CRYPTO_DATA_RAW:
1788 		SHA1Final((unsigned char *)digest->cd_raw.iov_base +
1789 		    digest->cd_offset, &sha1_ctx);
1790 		break;
1791 	case CRYPTO_DATA_UIO:
1792 		ret = sha1_digest_final_uio(&sha1_ctx, digest,
1793 		    SHA1_DIGEST_LENGTH, NULL);
1794 		break;
1795 	case CRYPTO_DATA_MBLK:
1796 		ret = sha1_digest_final_mblk(&sha1_ctx, digest,
1797 		    SHA1_DIGEST_LENGTH, NULL);
1798 		break;
1799 	default:
1800 		ret = CRYPTO_ARGUMENTS_BAD;
1801 	}
1802 
1803 	if (ret == CRYPTO_SUCCESS) {
1804 		digest->cd_length = SHA1_DIGEST_LENGTH;
1805 	} else {
1806 		digest->cd_length = 0;
1807 	}
1808 
1809 	return (ret);
1810 }
1811 
1812 /*
1813  * KCF software provider mac entry points.
1814  *
1815  * SHA1 HMAC is: SHA1(key XOR opad, SHA1(key XOR ipad, text))
1816  *
1817  * Init:
1818  * The initialization routine initializes what we denote
1819  * as the inner and outer contexts by doing
1820  * - for inner context: SHA1(key XOR ipad)
1821  * - for outer context: SHA1(key XOR opad)
1822  *
1823  * Update:
1824  * Each subsequent SHA1 HMAC update will result in an
1825  * update of the inner context with the specified data.
1826  *
1827  * Final:
1828  * The SHA1 HMAC final will do a SHA1 final operation on the
1829  * inner context, and the resulting digest will be used
1830  * as the data for an update on the outer context. Last
1831  * but not least, a SHA1 final on the outer context will
1832  * be performed to obtain the SHA1 HMAC digest to return
1833  * to the user.
1834  */
1835 
1836 /*
1837  * Initialize a SHA1-HMAC context.
1838  */
1839 static void
1840 sha1_mac_init_ctx(sha1_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
1841 {
1842 	uint32_t ipad[SHA1_HMAC_INTS_PER_BLOCK];
1843 	uint32_t opad[SHA1_HMAC_INTS_PER_BLOCK];
1844 	uint_t i;
1845 
1846 	bzero(ipad, SHA1_HMAC_BLOCK_SIZE);
1847 	bzero(opad, SHA1_HMAC_BLOCK_SIZE);
1848 
1849 	bcopy(keyval, ipad, length_in_bytes);
1850 	bcopy(keyval, opad, length_in_bytes);
1851 
1852 	/* XOR key with ipad (0x36) and opad (0x5c) */
1853 	for (i = 0; i < SHA1_HMAC_INTS_PER_BLOCK; i++) {
1854 		ipad[i] ^= 0x36363636;
1855 		opad[i] ^= 0x5c5c5c5c;
1856 	}
1857 
1858 	/* perform SHA1 on ipad */
1859 	SHA1Init(&ctx->hc_icontext);
1860 	SHA1Update(&ctx->hc_icontext, (uint8_t *)ipad, SHA1_HMAC_BLOCK_SIZE);
1861 
1862 	/* perform SHA1 on opad */
1863 	SHA1Init(&ctx->hc_ocontext);
1864 	SHA1Update(&ctx->hc_ocontext, (uint8_t *)opad, SHA1_HMAC_BLOCK_SIZE);
1865 }
1866 
1867 /*
1868  */
1869 static int
1870 sha1_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1871     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
1872     crypto_req_handle_t req)
1873 {
1874 	int ret = CRYPTO_SUCCESS;
1875 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1876 
1877 	if (mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE &&
1878 	    mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)
1879 		return (CRYPTO_MECHANISM_INVALID);
1880 
1881 	/* Add support for key by attributes (RFE 4706552) */
1882 	if (key->ck_format != CRYPTO_KEY_RAW)
1883 		return (CRYPTO_ARGUMENTS_BAD);
1884 
1885 	ctx->cc_provider_private = kmem_alloc(sizeof (sha1_hmac_ctx_t),
1886 	    crypto_kmflag(req));
1887 	if (ctx->cc_provider_private == NULL)
1888 		return (CRYPTO_HOST_MEMORY);
1889 
1890 	if (ctx_template != NULL) {
1891 		/* reuse context template */
1892 		bcopy(ctx_template, PROV_SHA1_HMAC_CTX(ctx),
1893 		    sizeof (sha1_hmac_ctx_t));
1894 	} else {
1895 		/* no context template, compute context */
1896 		if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
1897 			uchar_t digested_key[SHA1_DIGEST_LENGTH];
1898 			sha1_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
1899 
1900 			/*
1901 			 * Hash the passed-in key to get a smaller key.
1902 			 * The inner context is used since it hasn't been
1903 			 * initialized yet.
1904 			 */
1905 			PROV_SHA1_DIGEST_KEY(&hmac_ctx->hc_icontext,
1906 			    key->ck_data, keylen_in_bytes, digested_key);
1907 			sha1_mac_init_ctx(PROV_SHA1_HMAC_CTX(ctx),
1908 			    digested_key, SHA1_DIGEST_LENGTH);
1909 		} else {
1910 			sha1_mac_init_ctx(PROV_SHA1_HMAC_CTX(ctx),
1911 			    key->ck_data, keylen_in_bytes);
1912 		}
1913 	}
1914 
1915 	/*
1916 	 * Get the mechanism parameters, if applicable.
1917 	 */
1918 	PROV_SHA1_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
1919 	if (mechanism->cm_type == SHA1_HMAC_GEN_MECH_INFO_TYPE) {
1920 		if (mechanism->cm_param == NULL ||
1921 		    mechanism->cm_param_len != sizeof (ulong_t))
1922 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1923 		PROV_SHA1_GET_DIGEST_LEN(mechanism,
1924 		    PROV_SHA1_HMAC_CTX(ctx)->hc_digest_len);
1925 		if (PROV_SHA1_HMAC_CTX(ctx)->hc_digest_len >
1926 		    SHA1_DIGEST_LENGTH)
1927 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1928 	}
1929 
1930 	if (ret != CRYPTO_SUCCESS) {
1931 		bzero(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
1932 		kmem_free(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
1933 		ctx->cc_provider_private = NULL;
1934 	}
1935 
1936 	return (ret);
1937 }
1938 
1939 /* ARGSUSED */
1940 static int
1941 sha1_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1942 {
1943 	int ret = CRYPTO_SUCCESS;
1944 
1945 	ASSERT(ctx->cc_provider_private != NULL);
1946 
1947 	/*
1948 	 * Do a SHA1 update of the inner context using the specified
1949 	 * data.
1950 	 */
1951 	switch (data->cd_format) {
1952 	case CRYPTO_DATA_RAW:
1953 		SHA1Update(&PROV_SHA1_HMAC_CTX(ctx)->hc_icontext,
1954 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1955 		    data->cd_length);
1956 		break;
1957 	case CRYPTO_DATA_UIO:
1958 		ret = sha1_digest_update_uio(
1959 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_icontext, data);
1960 		break;
1961 	case CRYPTO_DATA_MBLK:
1962 		ret = sha1_digest_update_mblk(
1963 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_icontext, data);
1964 		break;
1965 	default:
1966 		ret = CRYPTO_ARGUMENTS_BAD;
1967 	}
1968 
1969 	return (ret);
1970 }
1971 
1972 /* ARGSUSED */
1973 static int
1974 sha1_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1975 {
1976 	int ret = CRYPTO_SUCCESS;
1977 	uchar_t digest[SHA1_DIGEST_LENGTH];
1978 	uint32_t digest_len = SHA1_DIGEST_LENGTH;
1979 
1980 	ASSERT(ctx->cc_provider_private != NULL);
1981 
1982 	if (PROV_SHA1_HMAC_CTX(ctx)->hc_mech_type ==
1983 	    SHA1_HMAC_GEN_MECH_INFO_TYPE)
1984 		digest_len = PROV_SHA1_HMAC_CTX(ctx)->hc_digest_len;
1985 
1986 	/*
1987 	 * We need to just return the length needed to store the output.
1988 	 * We should not destroy the context for the following cases.
1989 	 */
1990 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1991 		mac->cd_length = digest_len;
1992 		return (CRYPTO_BUFFER_TOO_SMALL);
1993 	}
1994 
1995 	/*
1996 	 * Do a SHA1 final on the inner context.
1997 	 */
1998 	SHA1Final(digest, &PROV_SHA1_HMAC_CTX(ctx)->hc_icontext);
1999 
2000 	/*
2001 	 * Do a SHA1 update on the outer context, feeding the inner
2002 	 * digest as data.
2003 	 */
2004 	SHA1Update(&PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext, digest,
2005 	    SHA1_DIGEST_LENGTH);
2006 
2007 	/*
2008 	 * Do a SHA1 final on the outer context, storing the computing
2009 	 * digest in the users buffer.
2010 	 */
2011 	switch (mac->cd_format) {
2012 	case CRYPTO_DATA_RAW:
2013 		if (digest_len != SHA1_DIGEST_LENGTH) {
2014 			/*
2015 			 * The caller requested a short digest. Digest
2016 			 * into a scratch buffer and return to
2017 			 * the user only what was requested.
2018 			 */
2019 			SHA1Final(digest,
2020 			    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext);
2021 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
2022 			    mac->cd_offset, digest_len);
2023 		} else {
2024 			SHA1Final((unsigned char *)mac->cd_raw.iov_base +
2025 			    mac->cd_offset,
2026 			    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext);
2027 		}
2028 		break;
2029 	case CRYPTO_DATA_UIO:
2030 		ret = sha1_digest_final_uio(
2031 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext, mac,
2032 		    digest_len, digest);
2033 		break;
2034 	case CRYPTO_DATA_MBLK:
2035 		ret = sha1_digest_final_mblk(
2036 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext, mac,
2037 		    digest_len, digest);
2038 		break;
2039 	default:
2040 		ret = CRYPTO_ARGUMENTS_BAD;
2041 	}
2042 
2043 	if (ret == CRYPTO_SUCCESS) {
2044 		mac->cd_length = digest_len;
2045 	} else {
2046 		mac->cd_length = 0;
2047 	}
2048 
2049 	bzero(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
2050 	kmem_free(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
2051 	ctx->cc_provider_private = NULL;
2052 
2053 	return (ret);
2054 }
2055 
2056 #define	SHA1_MAC_UPDATE(data, ctx, ret) {				\
2057 	switch (data->cd_format) {					\
2058 	case CRYPTO_DATA_RAW:						\
2059 		SHA1Update(&(ctx).hc_icontext,				\
2060 		    (uint8_t *)data->cd_raw.iov_base +			\
2061 		    data->cd_offset, data->cd_length);			\
2062 		break;							\
2063 	case CRYPTO_DATA_UIO:						\
2064 		ret = sha1_digest_update_uio(&(ctx).hc_icontext, data); \
2065 		break;							\
2066 	case CRYPTO_DATA_MBLK:						\
2067 		ret = sha1_digest_update_mblk(&(ctx).hc_icontext,	\
2068 		    data);						\
2069 		break;							\
2070 	default:							\
2071 		ret = CRYPTO_ARGUMENTS_BAD;				\
2072 	}								\
2073 }
2074 
2075 /* ARGSUSED */
2076 static int
2077 sha1_mac_atomic(crypto_provider_handle_t provider,
2078     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
2079     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
2080     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
2081 {
2082 	int ret = CRYPTO_SUCCESS;
2083 	uchar_t digest[SHA1_DIGEST_LENGTH];
2084 	sha1_hmac_ctx_t sha1_hmac_ctx;
2085 	uint32_t digest_len = SHA1_DIGEST_LENGTH;
2086 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2087 
2088 	if (mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE &&
2089 	    mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)
2090 		return (CRYPTO_MECHANISM_INVALID);
2091 
2092 	/* Add support for key by attributes (RFE 4706552) */
2093 	if (key->ck_format != CRYPTO_KEY_RAW)
2094 		return (CRYPTO_ARGUMENTS_BAD);
2095 
2096 	if (ctx_template != NULL) {
2097 		/* reuse context template */
2098 		bcopy(ctx_template, &sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2099 	} else {
2100 		/* no context template, initialize context */
2101 		if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
2102 			/*
2103 			 * Hash the passed-in key to get a smaller key.
2104 			 * The inner context is used since it hasn't been
2105 			 * initialized yet.
2106 			 */
2107 			PROV_SHA1_DIGEST_KEY(&sha1_hmac_ctx.hc_icontext,
2108 			    key->ck_data, keylen_in_bytes, digest);
2109 			sha1_mac_init_ctx(&sha1_hmac_ctx, digest,
2110 			    SHA1_DIGEST_LENGTH);
2111 		} else {
2112 			sha1_mac_init_ctx(&sha1_hmac_ctx, key->ck_data,
2113 			    keylen_in_bytes);
2114 		}
2115 	}
2116 
2117 	/* get the mechanism parameters, if applicable */
2118 	if (mechanism->cm_type == SHA1_HMAC_GEN_MECH_INFO_TYPE) {
2119 		if (mechanism->cm_param == NULL ||
2120 		    mechanism->cm_param_len != sizeof (ulong_t)) {
2121 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2122 			goto bail;
2123 		}
2124 		PROV_SHA1_GET_DIGEST_LEN(mechanism, digest_len);
2125 		if (digest_len > SHA1_DIGEST_LENGTH) {
2126 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2127 			goto bail;
2128 		}
2129 	}
2130 
2131 	/* do a SHA1 update of the inner context using the specified data */
2132 	SHA1_MAC_UPDATE(data, sha1_hmac_ctx, ret);
2133 	if (ret != CRYPTO_SUCCESS)
2134 		/* the update failed, free context and bail */
2135 		goto bail;
2136 
2137 	/*
2138 	 * Do a SHA1 final on the inner context.
2139 	 */
2140 	SHA1Final(digest, &sha1_hmac_ctx.hc_icontext);
2141 
2142 	/*
2143 	 * Do an SHA1 update on the outer context, feeding the inner
2144 	 * digest as data.
2145 	 */
2146 	SHA1Update(&sha1_hmac_ctx.hc_ocontext, digest, SHA1_DIGEST_LENGTH);
2147 
2148 	/*
2149 	 * Do a SHA1 final on the outer context, storing the computed
2150 	 * digest in the users buffer.
2151 	 */
2152 	switch (mac->cd_format) {
2153 	case CRYPTO_DATA_RAW:
2154 		if (digest_len != SHA1_DIGEST_LENGTH) {
2155 			/*
2156 			 * The caller requested a short digest. Digest
2157 			 * into a scratch buffer and return to
2158 			 * the user only what was requested.
2159 			 */
2160 			SHA1Final(digest, &sha1_hmac_ctx.hc_ocontext);
2161 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
2162 			    mac->cd_offset, digest_len);
2163 		} else {
2164 			SHA1Final((unsigned char *)mac->cd_raw.iov_base +
2165 			    mac->cd_offset, &sha1_hmac_ctx.hc_ocontext);
2166 		}
2167 		break;
2168 	case CRYPTO_DATA_UIO:
2169 		ret = sha1_digest_final_uio(&sha1_hmac_ctx.hc_ocontext, mac,
2170 		    digest_len, digest);
2171 		break;
2172 	case CRYPTO_DATA_MBLK:
2173 		ret = sha1_digest_final_mblk(&sha1_hmac_ctx.hc_ocontext, mac,
2174 		    digest_len, digest);
2175 		break;
2176 	default:
2177 		ret = CRYPTO_ARGUMENTS_BAD;
2178 	}
2179 
2180 	if (ret == CRYPTO_SUCCESS) {
2181 		mac->cd_length = digest_len;
2182 	} else {
2183 		mac->cd_length = 0;
2184 	}
2185 	/* Extra paranoia: zeroize the context on the stack */
2186 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2187 
2188 	return (ret);
2189 bail:
2190 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2191 	mac->cd_length = 0;
2192 	return (ret);
2193 }
2194 
2195 /* ARGSUSED */
2196 static int
2197 sha1_mac_verify_atomic(crypto_provider_handle_t provider,
2198     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
2199     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
2200     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
2201 {
2202 	int ret = CRYPTO_SUCCESS;
2203 	uchar_t digest[SHA1_DIGEST_LENGTH];
2204 	sha1_hmac_ctx_t sha1_hmac_ctx;
2205 	uint32_t digest_len = SHA1_DIGEST_LENGTH;
2206 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2207 
2208 	if (mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE &&
2209 	    mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)
2210 		return (CRYPTO_MECHANISM_INVALID);
2211 
2212 	/* Add support for key by attributes (RFE 4706552) */
2213 	if (key->ck_format != CRYPTO_KEY_RAW)
2214 		return (CRYPTO_ARGUMENTS_BAD);
2215 
2216 	if (ctx_template != NULL) {
2217 		/* reuse context template */
2218 		bcopy(ctx_template, &sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2219 	} else {
2220 		/* no context template, initialize context */
2221 		if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
2222 			/*
2223 			 * Hash the passed-in key to get a smaller key.
2224 			 * The inner context is used since it hasn't been
2225 			 * initialized yet.
2226 			 */
2227 			PROV_SHA1_DIGEST_KEY(&sha1_hmac_ctx.hc_icontext,
2228 			    key->ck_data, keylen_in_bytes, digest);
2229 			sha1_mac_init_ctx(&sha1_hmac_ctx, digest,
2230 			    SHA1_DIGEST_LENGTH);
2231 		} else {
2232 			sha1_mac_init_ctx(&sha1_hmac_ctx, key->ck_data,
2233 			    keylen_in_bytes);
2234 		}
2235 	}
2236 
2237 	/* get the mechanism parameters, if applicable */
2238 	if (mechanism->cm_type == SHA1_HMAC_GEN_MECH_INFO_TYPE) {
2239 		if (mechanism->cm_param == NULL ||
2240 		    mechanism->cm_param_len != sizeof (ulong_t)) {
2241 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2242 			goto bail;
2243 		}
2244 		PROV_SHA1_GET_DIGEST_LEN(mechanism, digest_len);
2245 		if (digest_len > SHA1_DIGEST_LENGTH) {
2246 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2247 			goto bail;
2248 		}
2249 	}
2250 
2251 	if (mac->cd_length != digest_len) {
2252 		ret = CRYPTO_INVALID_MAC;
2253 		goto bail;
2254 	}
2255 
2256 	/* do a SHA1 update of the inner context using the specified data */
2257 	SHA1_MAC_UPDATE(data, sha1_hmac_ctx, ret);
2258 	if (ret != CRYPTO_SUCCESS)
2259 		/* the update failed, free context and bail */
2260 		goto bail;
2261 
2262 	/* do a SHA1 final on the inner context */
2263 	SHA1Final(digest, &sha1_hmac_ctx.hc_icontext);
2264 
2265 	/*
2266 	 * Do an SHA1 update on the outer context, feeding the inner
2267 	 * digest as data.
2268 	 */
2269 	SHA1Update(&sha1_hmac_ctx.hc_ocontext, digest, SHA1_DIGEST_LENGTH);
2270 
2271 	/*
2272 	 * Do a SHA1 final on the outer context, storing the computed
2273 	 * digest in the users buffer.
2274 	 */
2275 	SHA1Final(digest, &sha1_hmac_ctx.hc_ocontext);
2276 
2277 	/*
2278 	 * Compare the computed digest against the expected digest passed
2279 	 * as argument.
2280 	 */
2281 
2282 	switch (mac->cd_format) {
2283 
2284 	case CRYPTO_DATA_RAW:
2285 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
2286 		    mac->cd_offset, digest_len) != 0)
2287 			ret = CRYPTO_INVALID_MAC;
2288 		break;
2289 
2290 	case CRYPTO_DATA_UIO: {
2291 		off_t offset = mac->cd_offset;
2292 		uint_t vec_idx;
2293 		off_t scratch_offset = 0;
2294 		size_t length = digest_len;
2295 		size_t cur_len;
2296 
2297 		/* we support only kernel buffer */
2298 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
2299 			return (CRYPTO_ARGUMENTS_BAD);
2300 
2301 		/* jump to the first iovec containing the expected digest */
2302 		for (vec_idx = 0;
2303 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
2304 		    vec_idx < mac->cd_uio->uio_iovcnt;
2305 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len);
2306 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
2307 			/*
2308 			 * The caller specified an offset that is
2309 			 * larger than the total size of the buffers
2310 			 * it provided.
2311 			 */
2312 			ret = CRYPTO_DATA_LEN_RANGE;
2313 			break;
2314 		}
2315 
2316 		/* do the comparison of computed digest vs specified one */
2317 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
2318 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
2319 			    offset, length);
2320 
2321 			if (bcmp(digest + scratch_offset,
2322 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
2323 			    cur_len) != 0) {
2324 				ret = CRYPTO_INVALID_MAC;
2325 				break;
2326 			}
2327 
2328 			length -= cur_len;
2329 			vec_idx++;
2330 			scratch_offset += cur_len;
2331 			offset = 0;
2332 		}
2333 		break;
2334 	}
2335 
2336 	case CRYPTO_DATA_MBLK: {
2337 		off_t offset = mac->cd_offset;
2338 		mblk_t *mp;
2339 		off_t scratch_offset = 0;
2340 		size_t length = digest_len;
2341 		size_t cur_len;
2342 
2343 		/* jump to the first mblk_t containing the expected digest */
2344 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
2345 		    offset -= MBLKL(mp), mp = mp->b_cont);
2346 		if (mp == NULL) {
2347 			/*
2348 			 * The caller specified an offset that is larger than
2349 			 * the total size of the buffers it provided.
2350 			 */
2351 			ret = CRYPTO_DATA_LEN_RANGE;
2352 			break;
2353 		}
2354 
2355 		while (mp != NULL && length > 0) {
2356 			cur_len = MIN(MBLKL(mp) - offset, length);
2357 			if (bcmp(digest + scratch_offset,
2358 			    mp->b_rptr + offset, cur_len) != 0) {
2359 				ret = CRYPTO_INVALID_MAC;
2360 				break;
2361 			}
2362 
2363 			length -= cur_len;
2364 			mp = mp->b_cont;
2365 			scratch_offset += cur_len;
2366 			offset = 0;
2367 		}
2368 		break;
2369 	}
2370 
2371 	default:
2372 		ret = CRYPTO_ARGUMENTS_BAD;
2373 	}
2374 
2375 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2376 	return (ret);
2377 bail:
2378 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2379 	mac->cd_length = 0;
2380 	return (ret);
2381 }
2382 
2383 /*
2384  * KCF software provider context management entry points.
2385  */
2386 
2387 /* ARGSUSED */
2388 static int
2389 sha1_create_ctx_template(crypto_provider_handle_t provider,
2390     crypto_mechanism_t *mechanism, crypto_key_t *key,
2391     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
2392     crypto_req_handle_t req)
2393 {
2394 	sha1_hmac_ctx_t *sha1_hmac_ctx_tmpl;
2395 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2396 
2397 	if ((mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE) &&
2398 	    (mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)) {
2399 		return (CRYPTO_MECHANISM_INVALID);
2400 	}
2401 
2402 	/* Add support for key by attributes (RFE 4706552) */
2403 	if (key->ck_format != CRYPTO_KEY_RAW)
2404 		return (CRYPTO_ARGUMENTS_BAD);
2405 
2406 	/*
2407 	 * Allocate and initialize SHA1 context.
2408 	 */
2409 	sha1_hmac_ctx_tmpl = kmem_alloc(sizeof (sha1_hmac_ctx_t),
2410 	    crypto_kmflag(req));
2411 	if (sha1_hmac_ctx_tmpl == NULL)
2412 		return (CRYPTO_HOST_MEMORY);
2413 
2414 	if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
2415 		uchar_t digested_key[SHA1_DIGEST_LENGTH];
2416 
2417 		/*
2418 		 * Hash the passed-in key to get a smaller key.
2419 		 * The inner context is used since it hasn't been
2420 		 * initialized yet.
2421 		 */
2422 		PROV_SHA1_DIGEST_KEY(&sha1_hmac_ctx_tmpl->hc_icontext,
2423 		    key->ck_data, keylen_in_bytes, digested_key);
2424 		sha1_mac_init_ctx(sha1_hmac_ctx_tmpl, digested_key,
2425 		    SHA1_DIGEST_LENGTH);
2426 	} else {
2427 		sha1_mac_init_ctx(sha1_hmac_ctx_tmpl, key->ck_data,
2428 		    keylen_in_bytes);
2429 	}
2430 
2431 	sha1_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
2432 	*ctx_template = (crypto_spi_ctx_template_t)sha1_hmac_ctx_tmpl;
2433 	*ctx_template_size = sizeof (sha1_hmac_ctx_t);
2434 
2435 
2436 	return (CRYPTO_SUCCESS);
2437 }
2438 
2439 static int
2440 sha1_free_context(crypto_ctx_t *ctx)
2441 {
2442 	uint_t ctx_len;
2443 	sha1_mech_type_t mech_type;
2444 
2445 	if (ctx->cc_provider_private == NULL)
2446 		return (CRYPTO_SUCCESS);
2447 
2448 	/*
2449 	 * We have to free either SHA1 or SHA1-HMAC contexts, which
2450 	 * have different lengths.
2451 	 */
2452 
2453 	mech_type = PROV_SHA1_CTX(ctx)->sc_mech_type;
2454 	if (mech_type == SHA1_MECH_INFO_TYPE)
2455 		ctx_len = sizeof (sha1_ctx_t);
2456 	else {
2457 		ASSERT(mech_type == SHA1_HMAC_MECH_INFO_TYPE ||
2458 		    mech_type == SHA1_HMAC_GEN_MECH_INFO_TYPE);
2459 		ctx_len = sizeof (sha1_hmac_ctx_t);
2460 	}
2461 
2462 	bzero(ctx->cc_provider_private, ctx_len);
2463 	kmem_free(ctx->cc_provider_private, ctx_len);
2464 	ctx->cc_provider_private = NULL;
2465 
2466 	return (CRYPTO_SUCCESS);
2467 }
2468 
2469 #endif /* _KERNEL */
2470