xref: /titanic_44/usr/src/common/crypto/sha1/sha1.c (revision 9df12a23948bd40cbe37ce88d84e272c3894e675)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * The basic framework for this code came from the reference
10  * implementation for MD5.  That implementation is Copyright (C)
11  * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
12  *
13  * License to copy and use this software is granted provided that it
14  * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
15  * Algorithm" in all material mentioning or referencing this software
16  * or this function.
17  *
18  * License is also granted to make and use derivative works provided
19  * that such works are identified as "derived from the RSA Data
20  * Security, Inc. MD5 Message-Digest Algorithm" in all material
21  * mentioning or referencing the derived work.
22  *
23  * RSA Data Security, Inc. makes no representations concerning either
24  * the merchantability of this software or the suitability of this
25  * software for any particular purpose. It is provided "as is"
26  * without express or implied warranty of any kind.
27  *
28  * These notices must be retained in any copies of any part of this
29  * documentation and/or software.
30  *
31  * NOTE: Cleaned-up and optimized, version of SHA1, based on the FIPS 180-1
32  * standard, available at http://www.itl.nist.gov/div897/pubs/fip180-1.htm
33  * Not as fast as one would like -- further optimizations are encouraged
34  * and appreciated.
35  */
36 
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/sysmacros.h>
41 #include <sys/sha1.h>
42 #include <sys/sha1_consts.h>
43 
44 #ifdef _KERNEL
45 
46 #include <sys/modctl.h>
47 #include <sys/cmn_err.h>
48 #include <sys/note.h>
49 #include <sys/crypto/common.h>
50 #include <sys/crypto/spi.h>
51 #include <sys/strsun.h>
52 
53 /*
54  * The sha1 module is created with two modlinkages:
55  * - a modlmisc that allows consumers to directly call the entry points
56  *   SHA1Init, SHA1Update, and SHA1Final.
57  * - a modlcrypto that allows the module to register with the Kernel
58  *   Cryptographic Framework (KCF) as a software provider for the SHA1
59  *   mechanisms.
60  */
61 
62 #endif /* _KERNEL */
63 #ifndef	_KERNEL
64 #include <strings.h>
65 #include <stdlib.h>
66 #include <errno.h>
67 #include <sys/systeminfo.h>
68 #endif	/* !_KERNEL */
69 
70 static void Encode(uint8_t *, uint32_t *, size_t);
71 static void SHA1Transform(uint32_t, uint32_t, uint32_t, uint32_t, uint32_t,
72     SHA1_CTX *, const uint8_t *);
73 
74 static uint8_t PADDING[64] = { 0x80, /* all zeros */ };
75 
76 /*
77  * F, G, and H are the basic SHA1 functions.
78  */
79 #define	F(b, c, d)	(((b) & (c)) | ((~b) & (d)))
80 #define	G(b, c, d)	((b) ^ (c) ^ (d))
81 #define	H(b, c, d)	(((b) & (c)) | ((b) & (d)) | ((c) & (d)))
82 
83 /*
84  * ROTATE_LEFT rotates x left n bits.
85  */
86 #define	ROTATE_LEFT(x, n)	\
87 	(((x) << (n)) | ((x) >> ((sizeof (x) * NBBY)-(n))))
88 
89 #ifdef _KERNEL
90 
91 static struct modlmisc modlmisc = {
92 	&mod_miscops,
93 	"SHA1 Message-Digest Algorithm"
94 };
95 
96 static struct modlcrypto modlcrypto = {
97 	&mod_cryptoops,
98 	"SHA1 Kernel SW Provider %I%"
99 };
100 
101 static struct modlinkage modlinkage = {
102 	MODREV_1, &modlmisc, &modlcrypto, NULL
103 };
104 
105 /*
106  * CSPI information (entry points, provider info, etc.)
107  */
108 
109 typedef enum sha1_mech_type {
110 	SHA1_MECH_INFO_TYPE,		/* SUN_CKM_SHA1 */
111 	SHA1_HMAC_MECH_INFO_TYPE,	/* SUN_CKM_SHA1_HMAC */
112 	SHA1_HMAC_GEN_MECH_INFO_TYPE	/* SUN_CKM_SHA1_HMAC_GENERAL */
113 } sha1_mech_type_t;
114 
115 #define	SHA1_DIGEST_LENGTH	20	/* SHA1 digest length in bytes */
116 #define	SHA1_HMAC_BLOCK_SIZE	64	/* SHA1-HMAC block size */
117 #define	SHA1_HMAC_MIN_KEY_LEN	8	/* SHA1-HMAC min key length in bits */
118 #define	SHA1_HMAC_MAX_KEY_LEN	INT_MAX /* SHA1-HMAC max key length in bits */
119 #define	SHA1_HMAC_INTS_PER_BLOCK	(SHA1_HMAC_BLOCK_SIZE/sizeof (uint32_t))
120 
121 /*
122  * Context for SHA1 mechanism.
123  */
124 typedef struct sha1_ctx {
125 	sha1_mech_type_t	sc_mech_type;	/* type of context */
126 	SHA1_CTX		sc_sha1_ctx;	/* SHA1 context */
127 } sha1_ctx_t;
128 
129 /*
130  * Context for SHA1-HMAC and SHA1-HMAC-GENERAL mechanisms.
131  */
132 typedef struct sha1_hmac_ctx {
133 	sha1_mech_type_t	hc_mech_type;	/* type of context */
134 	uint32_t		hc_digest_len;	/* digest len in bytes */
135 	SHA1_CTX		hc_icontext;	/* inner SHA1 context */
136 	SHA1_CTX		hc_ocontext;	/* outer SHA1 context */
137 } sha1_hmac_ctx_t;
138 
139 /*
140  * Macros to access the SHA1 or SHA1-HMAC contexts from a context passed
141  * by KCF to one of the entry points.
142  */
143 
144 #define	PROV_SHA1_CTX(ctx)	((sha1_ctx_t *)(ctx)->cc_provider_private)
145 #define	PROV_SHA1_HMAC_CTX(ctx)	((sha1_hmac_ctx_t *)(ctx)->cc_provider_private)
146 
147 /* to extract the digest length passed as mechanism parameter */
148 #define	PROV_SHA1_GET_DIGEST_LEN(m, len) {				\
149 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
150 		(len) = (uint32_t)*((ulong_t *)mechanism->cm_param);	\
151 	else {								\
152 		ulong_t tmp_ulong;					\
153 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
154 		(len) = (uint32_t)tmp_ulong;				\
155 	}								\
156 }
157 
158 #define	PROV_SHA1_DIGEST_KEY(ctx, key, len, digest) {	\
159 	SHA1Init(ctx);					\
160 	SHA1Update(ctx, key, len);			\
161 	SHA1Final(digest, ctx);				\
162 }
163 
164 /*
165  * Mechanism info structure passed to KCF during registration.
166  */
167 static crypto_mech_info_t sha1_mech_info_tab[] = {
168 	/* SHA1 */
169 	{SUN_CKM_SHA1, SHA1_MECH_INFO_TYPE,
170 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
171 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
172 	/* SHA1-HMAC */
173 	{SUN_CKM_SHA1_HMAC, SHA1_HMAC_MECH_INFO_TYPE,
174 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
175 	    SHA1_HMAC_MIN_KEY_LEN, SHA1_HMAC_MAX_KEY_LEN,
176 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
177 	/* SHA1-HMAC GENERAL */
178 	{SUN_CKM_SHA1_HMAC_GENERAL, SHA1_HMAC_GEN_MECH_INFO_TYPE,
179 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
180 	    SHA1_HMAC_MIN_KEY_LEN, SHA1_HMAC_MAX_KEY_LEN,
181 	    CRYPTO_KEYSIZE_UNIT_IN_BITS}
182 };
183 
184 static void sha1_provider_status(crypto_provider_handle_t, uint_t *);
185 
186 static crypto_control_ops_t sha1_control_ops = {
187 	sha1_provider_status
188 };
189 
190 static int sha1_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
191     crypto_req_handle_t);
192 static int sha1_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
193     crypto_req_handle_t);
194 static int sha1_digest_update(crypto_ctx_t *, crypto_data_t *,
195     crypto_req_handle_t);
196 static int sha1_digest_final(crypto_ctx_t *, crypto_data_t *,
197     crypto_req_handle_t);
198 static int sha1_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
199     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
200     crypto_req_handle_t);
201 
202 static crypto_digest_ops_t sha1_digest_ops = {
203 	sha1_digest_init,
204 	sha1_digest,
205 	sha1_digest_update,
206 	NULL,
207 	sha1_digest_final,
208 	sha1_digest_atomic
209 };
210 
211 static int sha1_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
212     crypto_spi_ctx_template_t, crypto_req_handle_t);
213 static int sha1_mac_update(crypto_ctx_t *, crypto_data_t *,
214     crypto_req_handle_t);
215 static int sha1_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
216 static int sha1_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
217     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
218     crypto_spi_ctx_template_t, crypto_req_handle_t);
219 static int sha1_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
220     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
221     crypto_spi_ctx_template_t, crypto_req_handle_t);
222 
223 static crypto_mac_ops_t sha1_mac_ops = {
224 	sha1_mac_init,
225 	NULL,
226 	sha1_mac_update,
227 	sha1_mac_final,
228 	sha1_mac_atomic,
229 	sha1_mac_verify_atomic
230 };
231 
232 static int sha1_create_ctx_template(crypto_provider_handle_t,
233     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
234     size_t *, crypto_req_handle_t);
235 static int sha1_free_context(crypto_ctx_t *);
236 
237 static crypto_ctx_ops_t sha1_ctx_ops = {
238 	sha1_create_ctx_template,
239 	sha1_free_context
240 };
241 
242 static crypto_ops_t sha1_crypto_ops = {
243 	&sha1_control_ops,
244 	&sha1_digest_ops,
245 	NULL,
246 	&sha1_mac_ops,
247 	NULL,
248 	NULL,
249 	NULL,
250 	NULL,
251 	NULL,
252 	NULL,
253 	NULL,
254 	NULL,
255 	NULL,
256 	&sha1_ctx_ops
257 };
258 
259 static crypto_provider_info_t sha1_prov_info = {
260 	CRYPTO_SPI_VERSION_1,
261 	"SHA1 Software Provider",
262 	CRYPTO_SW_PROVIDER,
263 	{&modlinkage},
264 	NULL,
265 	&sha1_crypto_ops,
266 	sizeof (sha1_mech_info_tab)/sizeof (crypto_mech_info_t),
267 	sha1_mech_info_tab
268 };
269 
270 static crypto_kcf_provider_handle_t sha1_prov_handle = NULL;
271 
272 int
273 _init()
274 {
275 	int ret;
276 
277 	if ((ret = mod_install(&modlinkage)) != 0)
278 		return (ret);
279 
280 	/*
281 	 * Register with KCF. If the registration fails, log an
282 	 * error but do not uninstall the module, since the functionality
283 	 * provided by misc/sha1 should still be available.
284 	 */
285 	if ((ret = crypto_register_provider(&sha1_prov_info,
286 	    &sha1_prov_handle)) != CRYPTO_SUCCESS)
287 		cmn_err(CE_WARN, "sha1 _init: "
288 		    "crypto_register_provider() failed (0x%x)", ret);
289 
290 	return (0);
291 }
292 
293 int
294 _info(struct modinfo *modinfop)
295 {
296 	return (mod_info(&modlinkage, modinfop));
297 }
298 
299 #endif /* _KERNEL */
300 
301 /*
302  * SHA1Init()
303  *
304  * purpose: initializes the sha1 context and begins and sha1 digest operation
305  *   input: SHA1_CTX *	: the context to initializes.
306  *  output: void
307  */
308 
309 void
310 SHA1Init(SHA1_CTX *ctx)
311 {
312 	ctx->count[0] = ctx->count[1] = 0;
313 
314 	/*
315 	 * load magic initialization constants. Tell lint
316 	 * that these constants are unsigned by using U.
317 	 */
318 
319 	ctx->state[0] = 0x67452301U;
320 	ctx->state[1] = 0xefcdab89U;
321 	ctx->state[2] = 0x98badcfeU;
322 	ctx->state[3] = 0x10325476U;
323 	ctx->state[4] = 0xc3d2e1f0U;
324 }
325 
326 #ifdef VIS_SHA1
327 
328 
329 #ifdef _KERNEL
330 
331 #include <sys/regset.h>
332 #include <sys/vis.h>
333 #include <sys/fpu/fpusystm.h>
334 
335 /* the alignment for block stores to save fp registers */
336 #define	VIS_ALIGN	(64)
337 
338 extern int sha1_savefp(kfpu_t *, int);
339 extern void sha1_restorefp(kfpu_t *);
340 
341 uint32_t	vis_sha1_svfp_threshold = 128;
342 
343 #else /* !_KERNEL */
344 
345 static boolean_t checked_vis = B_FALSE;
346 static int usevis = 0;
347 
348 static int
349 havevis()
350 {
351 	char *buf = NULL;
352 	char *isa_token;
353 	char *lasts;
354 	int ret = 0;
355 	size_t bufsize = 255; /* UltraSPARC III needs 115 chars */
356 	int v9_isa_token, vis_isa_token, isa_token_num;
357 
358 	if (checked_vis) {
359 		return (usevis);
360 	}
361 
362 	if ((buf = malloc(bufsize)) == NULL) {
363 		return (0);
364 	}
365 
366 	if ((ret = sysinfo(SI_ISALIST, buf, bufsize)) == -1) {
367 		free(buf);
368 		return (0);
369 	} else if (ret > bufsize) {
370 		/* We lost some because our buffer was too small  */
371 		if ((buf = realloc(buf, bufsize = ret)) == NULL) {
372 			return (0);
373 		}
374 		if ((ret = sysinfo(SI_ISALIST, buf, bufsize)) == -1) {
375 			free(buf);
376 			return (0);
377 		}
378 	}
379 
380 	/*
381 	 * Check the relative posistions of sparcv9 & sparcv9+vis
382 	 * because they are listed in (best) performance order.
383 	 * For example: The Niagara chip reports it has VIS but the
384 	 * SHA1 code runs faster without this optimisation.
385 	 */
386 	isa_token = strtok_r(buf, " ", &lasts);
387 	v9_isa_token = vis_isa_token = -1;
388 	isa_token_num = 0;
389 	do {
390 		if (strcmp(isa_token, "sparcv9") == 0) {
391 			v9_isa_token = isa_token_num;
392 		} else if (strcmp(isa_token, "sparcv9+vis") == 0) {
393 			vis_isa_token = isa_token_num;
394 		}
395 		isa_token_num++;
396 	} while (isa_token = strtok_r(NULL, " ", &lasts));
397 
398 	if (vis_isa_token != -1 && vis_isa_token < v9_isa_token)
399 		usevis = 1;
400 	free(buf);
401 
402 	checked_vis = B_TRUE;
403 	return (usevis);
404 }
405 
406 #endif /* _KERNEL */
407 
408 /*
409  * VIS SHA-1 consts.
410  */
411 static uint64_t VIS[] = {
412 	0x8000000080000000ULL,
413 	0x0002000200020002ULL,
414 	0x5a8279996ed9eba1ULL,
415 	0x8f1bbcdcca62c1d6ULL,
416 	0x012389ab456789abULL};
417 
418 extern void SHA1TransformVIS(uint64_t *, uint64_t *, uint32_t *, uint64_t *);
419 
420 
421 /*
422  * SHA1Update()
423  *
424  * purpose: continues an sha1 digest operation, using the message block
425  *          to update the context.
426  *   input: SHA1_CTX *	: the context to update
427  *          uint8_t *	: the message block
428  *          uint32_t    : the length of the message block in bytes
429  *  output: void
430  */
431 
432 void
433 SHA1Update(SHA1_CTX *ctx, const uint8_t *input, uint32_t input_len)
434 {
435 	uint32_t i, buf_index, buf_len;
436 	uint64_t X0[40], input64[8];
437 #ifdef _KERNEL
438 	int usevis = 0;
439 #endif /* _KERNEL */
440 
441 	/* check for noop */
442 	if (input_len == 0)
443 		return;
444 
445 	/* compute number of bytes mod 64 */
446 	buf_index = (ctx->count[1] >> 3) & 0x3F;
447 
448 	/* update number of bits */
449 	if ((ctx->count[1] += (input_len << 3)) < (input_len << 3))
450 		ctx->count[0]++;
451 
452 	ctx->count[0] += (input_len >> 29);
453 
454 	buf_len = 64 - buf_index;
455 
456 	/* transform as many times as possible */
457 	i = 0;
458 	if (input_len >= buf_len) {
459 #ifdef _KERNEL
460 		uint8_t fpua[sizeof (kfpu_t) + GSR_SIZE + VIS_ALIGN];
461 		kfpu_t *fpu;
462 
463 		uint32_t len = (input_len + buf_index) & ~0x3f;
464 		int svfp_ok;
465 
466 		fpu = (kfpu_t *)P2ROUNDUP((uintptr_t)fpua, 64);
467 		svfp_ok = ((len >= vis_sha1_svfp_threshold) ? 1 : 0);
468 		usevis = fpu_exists && sha1_savefp(fpu, svfp_ok);
469 #else
470 		if (!checked_vis)
471 			usevis = havevis();
472 #endif /* _KERNEL */
473 
474 		/*
475 		 * general optimization:
476 		 *
477 		 * only do initial bcopy() and SHA1Transform() if
478 		 * buf_index != 0.  if buf_index == 0, we're just
479 		 * wasting our time doing the bcopy() since there
480 		 * wasn't any data left over from a previous call to
481 		 * SHA1Update().
482 		 */
483 
484 		if (buf_index) {
485 			bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
486 			if (usevis) {
487 				SHA1TransformVIS(X0,
488 				    (uint64_t *)ctx->buf_un.buf8,
489 				    &ctx->state[0], VIS);
490 			} else {
491 				SHA1Transform(ctx->state[0], ctx->state[1],
492 				    ctx->state[2], ctx->state[3],
493 				    ctx->state[4], ctx, ctx->buf_un.buf8);
494 			}
495 			i = buf_len;
496 		}
497 
498 		/*
499 		 * VIS SHA-1: uses the VIS 1.0 instructions to accelerate
500 		 * SHA-1 processing. This is achieved by "offloading" the
501 		 * computation of the message schedule (MS) to the VIS units.
502 		 * This allows the VIS computation of the message schedule
503 		 * to be performed in parallel with the standard integer
504 		 * processing of the remainder of the SHA-1 computation.
505 		 * performance by up to around 1.37X, compared to an optimized
506 		 * integer-only implementation.
507 		 *
508 		 * The VIS implementation of SHA1Transform has a different API
509 		 * to the standard integer version:
510 		 *
511 		 * void SHA1TransformVIS(
512 		 *	 uint64_t *, // Pointer to MS for ith block
513 		 *	 uint64_t *, // Pointer to ith block of message data
514 		 *	 uint32_t *, // Pointer to SHA state i.e ctx->state
515 		 *	 uint64_t *, // Pointer to various VIS constants
516 		 * )
517 		 *
518 		 * Note: the message data must by 4-byte aligned.
519 		 *
520 		 * Function requires VIS 1.0 support.
521 		 *
522 		 * Handling is provided to deal with arbitrary byte alingment
523 		 * of the input data but the performance gains are reduced
524 		 * for alignments other than 4-bytes.
525 		 */
526 		if (usevis) {
527 			if (((uint64_t)(uintptr_t)(&input[i]) & 0x3)) {
528 				/*
529 				 * Main processing loop - input misaligned
530 				 */
531 				for (; i + 63 < input_len; i += 64) {
532 				    bcopy(&input[i], input64, 64);
533 				    SHA1TransformVIS(X0, input64,
534 					&ctx->state[0], VIS);
535 				}
536 			} else {
537 				/*
538 				 * Main processing loop - input 8-byte aligned
539 				 */
540 				for (; i + 63 < input_len; i += 64) {
541 					SHA1TransformVIS(X0,
542 					    (uint64_t *)&input[i],
543 					    &ctx->state[0], VIS);
544 				}
545 
546 			}
547 #ifdef _KERNEL
548 			sha1_restorefp(fpu);
549 #endif /* _KERNEL */
550 		} else {
551 			for (; i + 63 < input_len; i += 64) {
552 			    SHA1Transform(ctx->state[0], ctx->state[1],
553 				ctx->state[2], ctx->state[3], ctx->state[4],
554 				ctx, &input[i]);
555 			}
556 		}
557 
558 		/*
559 		 * general optimization:
560 		 *
561 		 * if i and input_len are the same, return now instead
562 		 * of calling bcopy(), since the bcopy() in this case
563 		 * will be an expensive nop.
564 		 */
565 
566 		if (input_len == i)
567 			return;
568 
569 		buf_index = 0;
570 	}
571 
572 	/* buffer remaining input */
573 	bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
574 }
575 
576 #else /* VIS_SHA1 */
577 
578 void
579 SHA1Update(SHA1_CTX *ctx, const uint8_t *input, uint32_t input_len)
580 {
581 	uint32_t i, buf_index, buf_len;
582 
583 	/* check for noop */
584 	if (input_len == 0)
585 		return;
586 
587 	/* compute number of bytes mod 64 */
588 	buf_index = (ctx->count[1] >> 3) & 0x3F;
589 
590 	/* update number of bits */
591 	if ((ctx->count[1] += (input_len << 3)) < (input_len << 3))
592 		ctx->count[0]++;
593 
594 	ctx->count[0] += (input_len >> 29);
595 
596 	buf_len = 64 - buf_index;
597 
598 	/* transform as many times as possible */
599 	i = 0;
600 	if (input_len >= buf_len) {
601 
602 		/*
603 		 * general optimization:
604 		 *
605 		 * only do initial bcopy() and SHA1Transform() if
606 		 * buf_index != 0.  if buf_index == 0, we're just
607 		 * wasting our time doing the bcopy() since there
608 		 * wasn't any data left over from a previous call to
609 		 * SHA1Update().
610 		 */
611 
612 		if (buf_index) {
613 			bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
614 
615 
616 			SHA1Transform(ctx->state[0], ctx->state[1],
617 			    ctx->state[2], ctx->state[3], ctx->state[4], ctx,
618 			    ctx->buf_un.buf8);
619 
620 			i = buf_len;
621 		}
622 
623 		for (; i + 63 < input_len; i += 64)
624 			SHA1Transform(ctx->state[0], ctx->state[1],
625 			    ctx->state[2], ctx->state[3], ctx->state[4],
626 			    ctx, &input[i]);
627 
628 		/*
629 		 * general optimization:
630 		 *
631 		 * if i and input_len are the same, return now instead
632 		 * of calling bcopy(), since the bcopy() in this case
633 		 * will be an expensive nop.
634 		 */
635 
636 		if (input_len == i)
637 			return;
638 
639 		buf_index = 0;
640 	}
641 
642 	/* buffer remaining input */
643 	bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
644 }
645 
646 #endif /* VIS_SHA1 */
647 
648 /*
649  * SHA1Final()
650  *
651  * purpose: ends an sha1 digest operation, finalizing the message digest and
652  *          zeroing the context.
653  *   input: uint8_t *	: a buffer to store the digest in
654  *          SHA1_CTX *  : the context to finalize, save, and zero
655  *  output: void
656  */
657 
658 void
659 SHA1Final(uint8_t *digest, SHA1_CTX *ctx)
660 {
661 	uint8_t		bitcount_be[sizeof (ctx->count)];
662 	uint32_t	index = (ctx->count[1] >> 3) & 0x3f;
663 
664 	/* store bit count, big endian */
665 	Encode(bitcount_be, ctx->count, sizeof (bitcount_be));
666 
667 	/* pad out to 56 mod 64 */
668 	SHA1Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index);
669 
670 	/* append length (before padding) */
671 	SHA1Update(ctx, bitcount_be, sizeof (bitcount_be));
672 
673 	/* store state in digest */
674 	Encode(digest, ctx->state, sizeof (ctx->state));
675 
676 	/* zeroize sensitive information */
677 	bzero(ctx, sizeof (*ctx));
678 }
679 
680 /*
681  * sparc optimization:
682  *
683  * on the sparc, we can load big endian 32-bit data easily.  note that
684  * special care must be taken to ensure the address is 32-bit aligned.
685  * in the interest of speed, we don't check to make sure, since
686  * careful programming can guarantee this for us.
687  */
688 
689 #if	defined(_BIG_ENDIAN)
690 
691 #define	LOAD_BIG_32(addr)	(*(uint32_t *)(addr))
692 
693 #else	/* little endian -- will work on big endian, but slowly */
694 
695 #define	LOAD_BIG_32(addr)	\
696 	(((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3])
697 #endif
698 
699 /*
700  * sparc register window optimization:
701  *
702  * `a', `b', `c', `d', and `e' are passed into SHA1Transform
703  * explicitly since it increases the number of registers available to
704  * the compiler.  under this scheme, these variables can be held in
705  * %i0 - %i4, which leaves more local and out registers available.
706  */
707 
708 /*
709  * SHA1Transform()
710  *
711  * purpose: sha1 transformation -- updates the digest based on `block'
712  *   input: uint32_t	: bytes  1 -  4 of the digest
713  *          uint32_t	: bytes  5 -  8 of the digest
714  *          uint32_t	: bytes  9 - 12 of the digest
715  *          uint32_t	: bytes 12 - 16 of the digest
716  *          uint32_t	: bytes 16 - 20 of the digest
717  *          SHA1_CTX *	: the context to update
718  *          uint8_t [64]: the block to use to update the digest
719  *  output: void
720  */
721 
722 void
723 SHA1Transform(uint32_t a, uint32_t b, uint32_t c, uint32_t d, uint32_t e,
724     SHA1_CTX *ctx, const uint8_t blk[64])
725 {
726 	/*
727 	 * sparc optimization:
728 	 *
729 	 * while it is somewhat counter-intuitive, on sparc, it is
730 	 * more efficient to place all the constants used in this
731 	 * function in an array and load the values out of the array
732 	 * than to manually load the constants.  this is because
733 	 * setting a register to a 32-bit value takes two ops in most
734 	 * cases: a `sethi' and an `or', but loading a 32-bit value
735 	 * from memory only takes one `ld' (or `lduw' on v9).  while
736 	 * this increases memory usage, the compiler can find enough
737 	 * other things to do while waiting to keep the pipeline does
738 	 * not stall.  additionally, it is likely that many of these
739 	 * constants are cached so that later accesses do not even go
740 	 * out to the bus.
741 	 *
742 	 * this array is declared `static' to keep the compiler from
743 	 * having to bcopy() this array onto the stack frame of
744 	 * SHA1Transform() each time it is called -- which is
745 	 * unacceptably expensive.
746 	 *
747 	 * the `const' is to ensure that callers are good citizens and
748 	 * do not try to munge the array.  since these routines are
749 	 * going to be called from inside multithreaded kernelland,
750 	 * this is a good safety check. -- `sha1_consts' will end up in
751 	 * .rodata.
752 	 *
753 	 * unfortunately, loading from an array in this manner hurts
754 	 * performance under intel.  so, there is a macro,
755 	 * SHA1_CONST(), used in SHA1Transform(), that either expands to
756 	 * a reference to this array, or to the actual constant,
757 	 * depending on what platform this code is compiled for.
758 	 */
759 
760 #if	defined(__sparc)
761 	static const uint32_t sha1_consts[] = {
762 		SHA1_CONST_0,	SHA1_CONST_1,	SHA1_CONST_2,	SHA1_CONST_3,
763 	};
764 #endif
765 
766 	/*
767 	 * general optimization:
768 	 *
769 	 * use individual integers instead of using an array.  this is a
770 	 * win, although the amount it wins by seems to vary quite a bit.
771 	 */
772 
773 	uint32_t	w_0, w_1, w_2,  w_3,  w_4,  w_5,  w_6,  w_7;
774 	uint32_t	w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
775 
776 	/*
777 	 * sparc optimization:
778 	 *
779 	 * if `block' is already aligned on a 4-byte boundary, use
780 	 * LOAD_BIG_32() directly.  otherwise, bcopy() into a
781 	 * buffer that *is* aligned on a 4-byte boundary and then do
782 	 * the LOAD_BIG_32() on that buffer.  benchmarks have shown
783 	 * that using the bcopy() is better than loading the bytes
784 	 * individually and doing the endian-swap by hand.
785 	 *
786 	 * even though it's quite tempting to assign to do:
787 	 *
788 	 * blk = bcopy(ctx->buf_un.buf32, blk, sizeof (ctx->buf_un.buf32));
789 	 *
790 	 * and only have one set of LOAD_BIG_32()'s, the compiler
791 	 * *does not* like that, so please resist the urge.
792 	 */
793 
794 #if	defined(__sparc)
795 	if ((uintptr_t)blk & 0x3) {		/* not 4-byte aligned? */
796 		bcopy(blk, ctx->buf_un.buf32,  sizeof (ctx->buf_un.buf32));
797 		w_15 = LOAD_BIG_32(ctx->buf_un.buf32 + 15);
798 		w_14 = LOAD_BIG_32(ctx->buf_un.buf32 + 14);
799 		w_13 = LOAD_BIG_32(ctx->buf_un.buf32 + 13);
800 		w_12 = LOAD_BIG_32(ctx->buf_un.buf32 + 12);
801 		w_11 = LOAD_BIG_32(ctx->buf_un.buf32 + 11);
802 		w_10 = LOAD_BIG_32(ctx->buf_un.buf32 + 10);
803 		w_9  = LOAD_BIG_32(ctx->buf_un.buf32 +  9);
804 		w_8  = LOAD_BIG_32(ctx->buf_un.buf32 +  8);
805 		w_7  = LOAD_BIG_32(ctx->buf_un.buf32 +  7);
806 		w_6  = LOAD_BIG_32(ctx->buf_un.buf32 +  6);
807 		w_5  = LOAD_BIG_32(ctx->buf_un.buf32 +  5);
808 		w_4  = LOAD_BIG_32(ctx->buf_un.buf32 +  4);
809 		w_3  = LOAD_BIG_32(ctx->buf_un.buf32 +  3);
810 		w_2  = LOAD_BIG_32(ctx->buf_un.buf32 +  2);
811 		w_1  = LOAD_BIG_32(ctx->buf_un.buf32 +  1);
812 		w_0  = LOAD_BIG_32(ctx->buf_un.buf32 +  0);
813 	} else {
814 		/*LINTED*/
815 		w_15 = LOAD_BIG_32(blk + 60);
816 		/*LINTED*/
817 		w_14 = LOAD_BIG_32(blk + 56);
818 		/*LINTED*/
819 		w_13 = LOAD_BIG_32(blk + 52);
820 		/*LINTED*/
821 		w_12 = LOAD_BIG_32(blk + 48);
822 		/*LINTED*/
823 		w_11 = LOAD_BIG_32(blk + 44);
824 		/*LINTED*/
825 		w_10 = LOAD_BIG_32(blk + 40);
826 		/*LINTED*/
827 		w_9  = LOAD_BIG_32(blk + 36);
828 		/*LINTED*/
829 		w_8  = LOAD_BIG_32(blk + 32);
830 		/*LINTED*/
831 		w_7  = LOAD_BIG_32(blk + 28);
832 		/*LINTED*/
833 		w_6  = LOAD_BIG_32(blk + 24);
834 		/*LINTED*/
835 		w_5  = LOAD_BIG_32(blk + 20);
836 		/*LINTED*/
837 		w_4  = LOAD_BIG_32(blk + 16);
838 		/*LINTED*/
839 		w_3  = LOAD_BIG_32(blk + 12);
840 		/*LINTED*/
841 		w_2  = LOAD_BIG_32(blk +  8);
842 		/*LINTED*/
843 		w_1  = LOAD_BIG_32(blk +  4);
844 		/*LINTED*/
845 		w_0  = LOAD_BIG_32(blk +  0);
846 	}
847 #else
848 	w_15 = LOAD_BIG_32(blk + 60);
849 	w_14 = LOAD_BIG_32(blk + 56);
850 	w_13 = LOAD_BIG_32(blk + 52);
851 	w_12 = LOAD_BIG_32(blk + 48);
852 	w_11 = LOAD_BIG_32(blk + 44);
853 	w_10 = LOAD_BIG_32(blk + 40);
854 	w_9  = LOAD_BIG_32(blk + 36);
855 	w_8  = LOAD_BIG_32(blk + 32);
856 	w_7  = LOAD_BIG_32(blk + 28);
857 	w_6  = LOAD_BIG_32(blk + 24);
858 	w_5  = LOAD_BIG_32(blk + 20);
859 	w_4  = LOAD_BIG_32(blk + 16);
860 	w_3  = LOAD_BIG_32(blk + 12);
861 	w_2  = LOAD_BIG_32(blk +  8);
862 	w_1  = LOAD_BIG_32(blk +  4);
863 	w_0  = LOAD_BIG_32(blk +  0);
864 #endif
865 	/*
866 	 * general optimization:
867 	 *
868 	 * even though this approach is described in the standard as
869 	 * being slower algorithmically, it is 30-40% faster than the
870 	 * "faster" version under SPARC, because this version has more
871 	 * of the constraints specified at compile-time and uses fewer
872 	 * variables (and therefore has better register utilization)
873 	 * than its "speedier" brother.  (i've tried both, trust me)
874 	 *
875 	 * for either method given in the spec, there is an "assignment"
876 	 * phase where the following takes place:
877 	 *
878 	 *	tmp = (main_computation);
879 	 *	e = d; d = c; c = rotate_left(b, 30); b = a; a = tmp;
880 	 *
881 	 * we can make the algorithm go faster by not doing this work,
882 	 * but just pretending that `d' is now `e', etc. this works
883 	 * really well and obviates the need for a temporary variable.
884 	 * however, we still explictly perform the rotate action,
885 	 * since it is cheaper on SPARC to do it once than to have to
886 	 * do it over and over again.
887 	 */
888 
889 	/* round 1 */
890 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_0 + SHA1_CONST(0); /* 0 */
891 	b = ROTATE_LEFT(b, 30);
892 
893 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_1 + SHA1_CONST(0); /* 1 */
894 	a = ROTATE_LEFT(a, 30);
895 
896 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_2 + SHA1_CONST(0); /* 2 */
897 	e = ROTATE_LEFT(e, 30);
898 
899 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_3 + SHA1_CONST(0); /* 3 */
900 	d = ROTATE_LEFT(d, 30);
901 
902 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_4 + SHA1_CONST(0); /* 4 */
903 	c = ROTATE_LEFT(c, 30);
904 
905 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_5 + SHA1_CONST(0); /* 5 */
906 	b = ROTATE_LEFT(b, 30);
907 
908 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_6 + SHA1_CONST(0); /* 6 */
909 	a = ROTATE_LEFT(a, 30);
910 
911 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_7 + SHA1_CONST(0); /* 7 */
912 	e = ROTATE_LEFT(e, 30);
913 
914 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_8 + SHA1_CONST(0); /* 8 */
915 	d = ROTATE_LEFT(d, 30);
916 
917 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_9 + SHA1_CONST(0); /* 9 */
918 	c = ROTATE_LEFT(c, 30);
919 
920 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_10 + SHA1_CONST(0); /* 10 */
921 	b = ROTATE_LEFT(b, 30);
922 
923 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_11 + SHA1_CONST(0); /* 11 */
924 	a = ROTATE_LEFT(a, 30);
925 
926 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_12 + SHA1_CONST(0); /* 12 */
927 	e = ROTATE_LEFT(e, 30);
928 
929 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_13 + SHA1_CONST(0); /* 13 */
930 	d = ROTATE_LEFT(d, 30);
931 
932 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_14 + SHA1_CONST(0); /* 14 */
933 	c = ROTATE_LEFT(c, 30);
934 
935 	e = ROTATE_LEFT(a, 5) + F(b, c, d) + e + w_15 + SHA1_CONST(0); /* 15 */
936 	b = ROTATE_LEFT(b, 30);
937 
938 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 16 */
939 	d = ROTATE_LEFT(e, 5) + F(a, b, c) + d + w_0 + SHA1_CONST(0);
940 	a = ROTATE_LEFT(a, 30);
941 
942 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 17 */
943 	c = ROTATE_LEFT(d, 5) + F(e, a, b) + c + w_1 + SHA1_CONST(0);
944 	e = ROTATE_LEFT(e, 30);
945 
946 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 18 */
947 	b = ROTATE_LEFT(c, 5) + F(d, e, a) + b + w_2 + SHA1_CONST(0);
948 	d = ROTATE_LEFT(d, 30);
949 
950 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 19 */
951 	a = ROTATE_LEFT(b, 5) + F(c, d, e) + a + w_3 + SHA1_CONST(0);
952 	c = ROTATE_LEFT(c, 30);
953 
954 	/* round 2 */
955 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 20 */
956 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_4 + SHA1_CONST(1);
957 	b = ROTATE_LEFT(b, 30);
958 
959 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 21 */
960 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_5 + SHA1_CONST(1);
961 	a = ROTATE_LEFT(a, 30);
962 
963 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 22 */
964 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_6 + SHA1_CONST(1);
965 	e = ROTATE_LEFT(e, 30);
966 
967 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 23 */
968 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_7 + SHA1_CONST(1);
969 	d = ROTATE_LEFT(d, 30);
970 
971 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 24 */
972 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_8 + SHA1_CONST(1);
973 	c = ROTATE_LEFT(c, 30);
974 
975 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 25 */
976 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_9 + SHA1_CONST(1);
977 	b = ROTATE_LEFT(b, 30);
978 
979 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 26 */
980 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_10 + SHA1_CONST(1);
981 	a = ROTATE_LEFT(a, 30);
982 
983 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 27 */
984 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_11 + SHA1_CONST(1);
985 	e = ROTATE_LEFT(e, 30);
986 
987 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 28 */
988 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_12 + SHA1_CONST(1);
989 	d = ROTATE_LEFT(d, 30);
990 
991 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 29 */
992 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_13 + SHA1_CONST(1);
993 	c = ROTATE_LEFT(c, 30);
994 
995 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 30 */
996 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_14 + SHA1_CONST(1);
997 	b = ROTATE_LEFT(b, 30);
998 
999 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 31 */
1000 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_15 + SHA1_CONST(1);
1001 	a = ROTATE_LEFT(a, 30);
1002 
1003 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 32 */
1004 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_0 + SHA1_CONST(1);
1005 	e = ROTATE_LEFT(e, 30);
1006 
1007 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 33 */
1008 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_1 + SHA1_CONST(1);
1009 	d = ROTATE_LEFT(d, 30);
1010 
1011 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 34 */
1012 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_2 + SHA1_CONST(1);
1013 	c = ROTATE_LEFT(c, 30);
1014 
1015 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 35 */
1016 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_3 + SHA1_CONST(1);
1017 	b = ROTATE_LEFT(b, 30);
1018 
1019 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 36 */
1020 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_4 + SHA1_CONST(1);
1021 	a = ROTATE_LEFT(a, 30);
1022 
1023 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 37 */
1024 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_5 + SHA1_CONST(1);
1025 	e = ROTATE_LEFT(e, 30);
1026 
1027 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 38 */
1028 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_6 + SHA1_CONST(1);
1029 	d = ROTATE_LEFT(d, 30);
1030 
1031 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 39 */
1032 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_7 + SHA1_CONST(1);
1033 	c = ROTATE_LEFT(c, 30);
1034 
1035 	/* round 3 */
1036 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 40 */
1037 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_8 + SHA1_CONST(2);
1038 	b = ROTATE_LEFT(b, 30);
1039 
1040 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 41 */
1041 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_9 + SHA1_CONST(2);
1042 	a = ROTATE_LEFT(a, 30);
1043 
1044 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 42 */
1045 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_10 + SHA1_CONST(2);
1046 	e = ROTATE_LEFT(e, 30);
1047 
1048 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 43 */
1049 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_11 + SHA1_CONST(2);
1050 	d = ROTATE_LEFT(d, 30);
1051 
1052 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 44 */
1053 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_12 + SHA1_CONST(2);
1054 	c = ROTATE_LEFT(c, 30);
1055 
1056 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 45 */
1057 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_13 + SHA1_CONST(2);
1058 	b = ROTATE_LEFT(b, 30);
1059 
1060 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 46 */
1061 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_14 + SHA1_CONST(2);
1062 	a = ROTATE_LEFT(a, 30);
1063 
1064 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 47 */
1065 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_15 + SHA1_CONST(2);
1066 	e = ROTATE_LEFT(e, 30);
1067 
1068 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 48 */
1069 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_0 + SHA1_CONST(2);
1070 	d = ROTATE_LEFT(d, 30);
1071 
1072 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 49 */
1073 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_1 + SHA1_CONST(2);
1074 	c = ROTATE_LEFT(c, 30);
1075 
1076 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 50 */
1077 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_2 + SHA1_CONST(2);
1078 	b = ROTATE_LEFT(b, 30);
1079 
1080 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 51 */
1081 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_3 + SHA1_CONST(2);
1082 	a = ROTATE_LEFT(a, 30);
1083 
1084 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 52 */
1085 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_4 + SHA1_CONST(2);
1086 	e = ROTATE_LEFT(e, 30);
1087 
1088 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 53 */
1089 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_5 + SHA1_CONST(2);
1090 	d = ROTATE_LEFT(d, 30);
1091 
1092 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 54 */
1093 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_6 + SHA1_CONST(2);
1094 	c = ROTATE_LEFT(c, 30);
1095 
1096 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 55 */
1097 	e = ROTATE_LEFT(a, 5) + H(b, c, d) + e + w_7 + SHA1_CONST(2);
1098 	b = ROTATE_LEFT(b, 30);
1099 
1100 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 56 */
1101 	d = ROTATE_LEFT(e, 5) + H(a, b, c) + d + w_8 + SHA1_CONST(2);
1102 	a = ROTATE_LEFT(a, 30);
1103 
1104 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 57 */
1105 	c = ROTATE_LEFT(d, 5) + H(e, a, b) + c + w_9 + SHA1_CONST(2);
1106 	e = ROTATE_LEFT(e, 30);
1107 
1108 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 58 */
1109 	b = ROTATE_LEFT(c, 5) + H(d, e, a) + b + w_10 + SHA1_CONST(2);
1110 	d = ROTATE_LEFT(d, 30);
1111 
1112 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 59 */
1113 	a = ROTATE_LEFT(b, 5) + H(c, d, e) + a + w_11 + SHA1_CONST(2);
1114 	c = ROTATE_LEFT(c, 30);
1115 
1116 	/* round 4 */
1117 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 60 */
1118 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_12 + SHA1_CONST(3);
1119 	b = ROTATE_LEFT(b, 30);
1120 
1121 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 61 */
1122 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_13 + SHA1_CONST(3);
1123 	a = ROTATE_LEFT(a, 30);
1124 
1125 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 62 */
1126 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_14 + SHA1_CONST(3);
1127 	e = ROTATE_LEFT(e, 30);
1128 
1129 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 63 */
1130 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_15 + SHA1_CONST(3);
1131 	d = ROTATE_LEFT(d, 30);
1132 
1133 	w_0 = ROTATE_LEFT((w_13 ^ w_8 ^ w_2 ^ w_0), 1);		/* 64 */
1134 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_0 + SHA1_CONST(3);
1135 	c = ROTATE_LEFT(c, 30);
1136 
1137 	w_1 = ROTATE_LEFT((w_14 ^ w_9 ^ w_3 ^ w_1), 1);		/* 65 */
1138 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_1 + SHA1_CONST(3);
1139 	b = ROTATE_LEFT(b, 30);
1140 
1141 	w_2 = ROTATE_LEFT((w_15 ^ w_10 ^ w_4 ^ w_2), 1);	/* 66 */
1142 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_2 + SHA1_CONST(3);
1143 	a = ROTATE_LEFT(a, 30);
1144 
1145 	w_3 = ROTATE_LEFT((w_0 ^ w_11 ^ w_5 ^ w_3), 1);		/* 67 */
1146 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_3 + SHA1_CONST(3);
1147 	e = ROTATE_LEFT(e, 30);
1148 
1149 	w_4 = ROTATE_LEFT((w_1 ^ w_12 ^ w_6 ^ w_4), 1);		/* 68 */
1150 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_4 + SHA1_CONST(3);
1151 	d = ROTATE_LEFT(d, 30);
1152 
1153 	w_5 = ROTATE_LEFT((w_2 ^ w_13 ^ w_7 ^ w_5), 1);		/* 69 */
1154 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_5 + SHA1_CONST(3);
1155 	c = ROTATE_LEFT(c, 30);
1156 
1157 	w_6 = ROTATE_LEFT((w_3 ^ w_14 ^ w_8 ^ w_6), 1);		/* 70 */
1158 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_6 + SHA1_CONST(3);
1159 	b = ROTATE_LEFT(b, 30);
1160 
1161 	w_7 = ROTATE_LEFT((w_4 ^ w_15 ^ w_9 ^ w_7), 1);		/* 71 */
1162 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_7 + SHA1_CONST(3);
1163 	a = ROTATE_LEFT(a, 30);
1164 
1165 	w_8 = ROTATE_LEFT((w_5 ^ w_0 ^ w_10 ^ w_8), 1);		/* 72 */
1166 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_8 + SHA1_CONST(3);
1167 	e = ROTATE_LEFT(e, 30);
1168 
1169 	w_9 = ROTATE_LEFT((w_6 ^ w_1 ^ w_11 ^ w_9), 1);		/* 73 */
1170 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_9 + SHA1_CONST(3);
1171 	d = ROTATE_LEFT(d, 30);
1172 
1173 	w_10 = ROTATE_LEFT((w_7 ^ w_2 ^ w_12 ^ w_10), 1);	/* 74 */
1174 	a = ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_10 + SHA1_CONST(3);
1175 	c = ROTATE_LEFT(c, 30);
1176 
1177 	w_11 = ROTATE_LEFT((w_8 ^ w_3 ^ w_13 ^ w_11), 1);	/* 75 */
1178 	e = ROTATE_LEFT(a, 5) + G(b, c, d) + e + w_11 + SHA1_CONST(3);
1179 	b = ROTATE_LEFT(b, 30);
1180 
1181 	w_12 = ROTATE_LEFT((w_9 ^ w_4 ^ w_14 ^ w_12), 1);	/* 76 */
1182 	d = ROTATE_LEFT(e, 5) + G(a, b, c) + d + w_12 + SHA1_CONST(3);
1183 	a = ROTATE_LEFT(a, 30);
1184 
1185 	w_13 = ROTATE_LEFT((w_10 ^ w_5 ^ w_15 ^ w_13), 1);	/* 77 */
1186 	c = ROTATE_LEFT(d, 5) + G(e, a, b) + c + w_13 + SHA1_CONST(3);
1187 	e = ROTATE_LEFT(e, 30);
1188 
1189 	w_14 = ROTATE_LEFT((w_11 ^ w_6 ^ w_0 ^ w_14), 1);	/* 78 */
1190 	b = ROTATE_LEFT(c, 5) + G(d, e, a) + b + w_14 + SHA1_CONST(3);
1191 	d = ROTATE_LEFT(d, 30);
1192 
1193 	w_15 = ROTATE_LEFT((w_12 ^ w_7 ^ w_1 ^ w_15), 1);	/* 79 */
1194 
1195 	ctx->state[0] += ROTATE_LEFT(b, 5) + G(c, d, e) + a + w_15 +
1196 	    SHA1_CONST(3);
1197 	ctx->state[1] += b;
1198 	ctx->state[2] += ROTATE_LEFT(c, 30);
1199 	ctx->state[3] += d;
1200 	ctx->state[4] += e;
1201 
1202 	/* zeroize sensitive information */
1203 	w_0 = w_1 = w_2 = w_3 = w_4 = w_5 = w_6 = w_7 = w_8 = 0;
1204 	w_9 = w_10 = w_11 = w_12 = w_13 = w_14 = w_15 = 0;
1205 }
1206 
1207 /*
1208  * devpro compiler optimization:
1209  *
1210  * the compiler can generate better code if it knows that `input' and
1211  * `output' do not point to the same source.  there is no portable
1212  * way to tell the compiler this, but the sun compiler recognizes the
1213  * `_Restrict' keyword to indicate this condition.  use it if possible.
1214  */
1215 
1216 #ifdef	__RESTRICT
1217 #define	restrict	_Restrict
1218 #else
1219 #define	restrict	/* nothing */
1220 #endif
1221 
1222 /*
1223  * Encode()
1224  *
1225  * purpose: to convert a list of numbers from little endian to big endian
1226  *   input: uint8_t *	: place to store the converted big endian numbers
1227  *	    uint32_t *	: place to get numbers to convert from
1228  *          size_t	: the length of the input in bytes
1229  *  output: void
1230  */
1231 
1232 static void
1233 Encode(uint8_t *restrict output, uint32_t *restrict input, size_t len)
1234 {
1235 	size_t		i, j;
1236 
1237 #if	defined(__sparc)
1238 	if (IS_P2ALIGNED(output, sizeof (uint32_t))) {
1239 		for (i = 0, j = 0; j < len; i++, j += 4) {
1240 			/* LINTED: pointer alignment */
1241 			*((uint32_t *)(output + j)) = input[i];
1242 		}
1243 	} else {
1244 #endif	/* little endian -- will work on big endian, but slowly */
1245 		for (i = 0, j = 0; j < len; i++, j += 4) {
1246 			output[j]	= (input[i] >> 24) & 0xff;
1247 			output[j + 1]	= (input[i] >> 16) & 0xff;
1248 			output[j + 2]	= (input[i] >>  8) & 0xff;
1249 			output[j + 3]	= input[i] & 0xff;
1250 		}
1251 #if	defined(__sparc)
1252 	}
1253 #endif
1254 }
1255 
1256 
1257 #ifdef _KERNEL
1258 
1259 /*
1260  * KCF software provider control entry points.
1261  */
1262 /* ARGSUSED */
1263 static void
1264 sha1_provider_status(crypto_provider_handle_t provider, uint_t *status)
1265 {
1266 	*status = CRYPTO_PROVIDER_READY;
1267 }
1268 
1269 /*
1270  * KCF software provider digest entry points.
1271  */
1272 
1273 static int
1274 sha1_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1275     crypto_req_handle_t req)
1276 {
1277 	if (mechanism->cm_type != SHA1_MECH_INFO_TYPE)
1278 		return (CRYPTO_MECHANISM_INVALID);
1279 
1280 	/*
1281 	 * Allocate and initialize SHA1 context.
1282 	 */
1283 	ctx->cc_provider_private = kmem_alloc(sizeof (sha1_ctx_t),
1284 	    crypto_kmflag(req));
1285 	if (ctx->cc_provider_private == NULL)
1286 		return (CRYPTO_HOST_MEMORY);
1287 
1288 	PROV_SHA1_CTX(ctx)->sc_mech_type = SHA1_MECH_INFO_TYPE;
1289 	SHA1Init(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx);
1290 
1291 	return (CRYPTO_SUCCESS);
1292 }
1293 
1294 /*
1295  * Helper SHA1 digest update function for uio data.
1296  */
1297 static int
1298 sha1_digest_update_uio(SHA1_CTX *sha1_ctx, crypto_data_t *data)
1299 {
1300 	off_t offset = data->cd_offset;
1301 	size_t length = data->cd_length;
1302 	uint_t vec_idx;
1303 	size_t cur_len;
1304 
1305 	/* we support only kernel buffer */
1306 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
1307 		return (CRYPTO_ARGUMENTS_BAD);
1308 
1309 	/*
1310 	 * Jump to the first iovec containing data to be
1311 	 * digested.
1312 	 */
1313 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
1314 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
1315 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len);
1316 	if (vec_idx == data->cd_uio->uio_iovcnt) {
1317 		/*
1318 		 * The caller specified an offset that is larger than the
1319 		 * total size of the buffers it provided.
1320 		 */
1321 		return (CRYPTO_DATA_LEN_RANGE);
1322 	}
1323 
1324 	/*
1325 	 * Now do the digesting on the iovecs.
1326 	 */
1327 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
1328 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
1329 		    offset, length);
1330 
1331 		SHA1Update(sha1_ctx,
1332 		    (uint8_t *)data->cd_uio->uio_iov[vec_idx].iov_base + offset,
1333 		    cur_len);
1334 
1335 		length -= cur_len;
1336 		vec_idx++;
1337 		offset = 0;
1338 	}
1339 
1340 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
1341 		/*
1342 		 * The end of the specified iovec's was reached but
1343 		 * the length requested could not be processed, i.e.
1344 		 * The caller requested to digest more data than it provided.
1345 		 */
1346 		return (CRYPTO_DATA_LEN_RANGE);
1347 	}
1348 
1349 	return (CRYPTO_SUCCESS);
1350 }
1351 
1352 /*
1353  * Helper SHA1 digest final function for uio data.
1354  * digest_len is the length of the desired digest. If digest_len
1355  * is smaller than the default SHA1 digest length, the caller
1356  * must pass a scratch buffer, digest_scratch, which must
1357  * be at least SHA1_DIGEST_LENGTH bytes.
1358  */
1359 static int
1360 sha1_digest_final_uio(SHA1_CTX *sha1_ctx, crypto_data_t *digest,
1361     ulong_t digest_len, uchar_t *digest_scratch)
1362 {
1363 	off_t offset = digest->cd_offset;
1364 	uint_t vec_idx;
1365 
1366 	/* we support only kernel buffer */
1367 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
1368 		return (CRYPTO_ARGUMENTS_BAD);
1369 
1370 	/*
1371 	 * Jump to the first iovec containing ptr to the digest to
1372 	 * be returned.
1373 	 */
1374 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
1375 	    vec_idx < digest->cd_uio->uio_iovcnt;
1376 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len);
1377 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
1378 		/*
1379 		 * The caller specified an offset that is
1380 		 * larger than the total size of the buffers
1381 		 * it provided.
1382 		 */
1383 		return (CRYPTO_DATA_LEN_RANGE);
1384 	}
1385 
1386 	if (offset + digest_len <=
1387 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
1388 		/*
1389 		 * The computed SHA1 digest will fit in the current
1390 		 * iovec.
1391 		 */
1392 		if (digest_len != SHA1_DIGEST_LENGTH) {
1393 			/*
1394 			 * The caller requested a short digest. Digest
1395 			 * into a scratch buffer and return to
1396 			 * the user only what was requested.
1397 			 */
1398 			SHA1Final(digest_scratch, sha1_ctx);
1399 			bcopy(digest_scratch, (uchar_t *)digest->
1400 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
1401 			    digest_len);
1402 		} else {
1403 			SHA1Final((uchar_t *)digest->
1404 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
1405 			    sha1_ctx);
1406 		}
1407 	} else {
1408 		/*
1409 		 * The computed digest will be crossing one or more iovec's.
1410 		 * This is bad performance-wise but we need to support it.
1411 		 * Allocate a small scratch buffer on the stack and
1412 		 * copy it piece meal to the specified digest iovec's.
1413 		 */
1414 		uchar_t digest_tmp[SHA1_DIGEST_LENGTH];
1415 		off_t scratch_offset = 0;
1416 		size_t length = digest_len;
1417 		size_t cur_len;
1418 
1419 		SHA1Final(digest_tmp, sha1_ctx);
1420 
1421 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
1422 			cur_len = MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
1423 			    offset, length);
1424 			bcopy(digest_tmp + scratch_offset,
1425 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
1426 			    cur_len);
1427 
1428 			length -= cur_len;
1429 			vec_idx++;
1430 			scratch_offset += cur_len;
1431 			offset = 0;
1432 		}
1433 
1434 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
1435 			/*
1436 			 * The end of the specified iovec's was reached but
1437 			 * the length requested could not be processed, i.e.
1438 			 * The caller requested to digest more data than it
1439 			 * provided.
1440 			 */
1441 			return (CRYPTO_DATA_LEN_RANGE);
1442 		}
1443 	}
1444 
1445 	return (CRYPTO_SUCCESS);
1446 }
1447 
1448 /*
1449  * Helper SHA1 digest update for mblk's.
1450  */
1451 static int
1452 sha1_digest_update_mblk(SHA1_CTX *sha1_ctx, crypto_data_t *data)
1453 {
1454 	off_t offset = data->cd_offset;
1455 	size_t length = data->cd_length;
1456 	mblk_t *mp;
1457 	size_t cur_len;
1458 
1459 	/*
1460 	 * Jump to the first mblk_t containing data to be digested.
1461 	 */
1462 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
1463 	    offset -= MBLKL(mp), mp = mp->b_cont);
1464 	if (mp == NULL) {
1465 		/*
1466 		 * The caller specified an offset that is larger than the
1467 		 * total size of the buffers it provided.
1468 		 */
1469 		return (CRYPTO_DATA_LEN_RANGE);
1470 	}
1471 
1472 	/*
1473 	 * Now do the digesting on the mblk chain.
1474 	 */
1475 	while (mp != NULL && length > 0) {
1476 		cur_len = MIN(MBLKL(mp) - offset, length);
1477 		SHA1Update(sha1_ctx, mp->b_rptr + offset, cur_len);
1478 		length -= cur_len;
1479 		offset = 0;
1480 		mp = mp->b_cont;
1481 	}
1482 
1483 	if (mp == NULL && length > 0) {
1484 		/*
1485 		 * The end of the mblk was reached but the length requested
1486 		 * could not be processed, i.e. The caller requested
1487 		 * to digest more data than it provided.
1488 		 */
1489 		return (CRYPTO_DATA_LEN_RANGE);
1490 	}
1491 
1492 	return (CRYPTO_SUCCESS);
1493 }
1494 
1495 /*
1496  * Helper SHA1 digest final for mblk's.
1497  * digest_len is the length of the desired digest. If digest_len
1498  * is smaller than the default SHA1 digest length, the caller
1499  * must pass a scratch buffer, digest_scratch, which must
1500  * be at least SHA1_DIGEST_LENGTH bytes.
1501  */
1502 static int
1503 sha1_digest_final_mblk(SHA1_CTX *sha1_ctx, crypto_data_t *digest,
1504     ulong_t digest_len, uchar_t *digest_scratch)
1505 {
1506 	off_t offset = digest->cd_offset;
1507 	mblk_t *mp;
1508 
1509 	/*
1510 	 * Jump to the first mblk_t that will be used to store the digest.
1511 	 */
1512 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
1513 	    offset -= MBLKL(mp), mp = mp->b_cont);
1514 	if (mp == NULL) {
1515 		/*
1516 		 * The caller specified an offset that is larger than the
1517 		 * total size of the buffers it provided.
1518 		 */
1519 		return (CRYPTO_DATA_LEN_RANGE);
1520 	}
1521 
1522 	if (offset + digest_len <= MBLKL(mp)) {
1523 		/*
1524 		 * The computed SHA1 digest will fit in the current mblk.
1525 		 * Do the SHA1Final() in-place.
1526 		 */
1527 		if (digest_len != SHA1_DIGEST_LENGTH) {
1528 			/*
1529 			 * The caller requested a short digest. Digest
1530 			 * into a scratch buffer and return to
1531 			 * the user only what was requested.
1532 			 */
1533 			SHA1Final(digest_scratch, sha1_ctx);
1534 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
1535 		} else {
1536 			SHA1Final(mp->b_rptr + offset, sha1_ctx);
1537 		}
1538 	} else {
1539 		/*
1540 		 * The computed digest will be crossing one or more mblk's.
1541 		 * This is bad performance-wise but we need to support it.
1542 		 * Allocate a small scratch buffer on the stack and
1543 		 * copy it piece meal to the specified digest iovec's.
1544 		 */
1545 		uchar_t digest_tmp[SHA1_DIGEST_LENGTH];
1546 		off_t scratch_offset = 0;
1547 		size_t length = digest_len;
1548 		size_t cur_len;
1549 
1550 		SHA1Final(digest_tmp, sha1_ctx);
1551 
1552 		while (mp != NULL && length > 0) {
1553 			cur_len = MIN(MBLKL(mp) - offset, length);
1554 			bcopy(digest_tmp + scratch_offset,
1555 			    mp->b_rptr + offset, cur_len);
1556 
1557 			length -= cur_len;
1558 			mp = mp->b_cont;
1559 			scratch_offset += cur_len;
1560 			offset = 0;
1561 		}
1562 
1563 		if (mp == NULL && length > 0) {
1564 			/*
1565 			 * The end of the specified mblk was reached but
1566 			 * the length requested could not be processed, i.e.
1567 			 * The caller requested to digest more data than it
1568 			 * provided.
1569 			 */
1570 			return (CRYPTO_DATA_LEN_RANGE);
1571 		}
1572 	}
1573 
1574 	return (CRYPTO_SUCCESS);
1575 }
1576 
1577 /* ARGSUSED */
1578 static int
1579 sha1_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
1580     crypto_req_handle_t req)
1581 {
1582 	int ret = CRYPTO_SUCCESS;
1583 
1584 	ASSERT(ctx->cc_provider_private != NULL);
1585 
1586 	/*
1587 	 * We need to just return the length needed to store the output.
1588 	 * We should not destroy the context for the following cases.
1589 	 */
1590 	if ((digest->cd_length == 0) ||
1591 	    (digest->cd_length < SHA1_DIGEST_LENGTH)) {
1592 		digest->cd_length = SHA1_DIGEST_LENGTH;
1593 		return (CRYPTO_BUFFER_TOO_SMALL);
1594 	}
1595 
1596 	/*
1597 	 * Do the SHA1 update on the specified input data.
1598 	 */
1599 	switch (data->cd_format) {
1600 	case CRYPTO_DATA_RAW:
1601 		SHA1Update(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1602 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1603 		    data->cd_length);
1604 		break;
1605 	case CRYPTO_DATA_UIO:
1606 		ret = sha1_digest_update_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1607 		    data);
1608 		break;
1609 	case CRYPTO_DATA_MBLK:
1610 		ret = sha1_digest_update_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1611 		    data);
1612 		break;
1613 	default:
1614 		ret = CRYPTO_ARGUMENTS_BAD;
1615 	}
1616 
1617 	if (ret != CRYPTO_SUCCESS) {
1618 		/* the update failed, free context and bail */
1619 		kmem_free(ctx->cc_provider_private, sizeof (sha1_ctx_t));
1620 		ctx->cc_provider_private = NULL;
1621 		digest->cd_length = 0;
1622 		return (ret);
1623 	}
1624 
1625 	/*
1626 	 * Do a SHA1 final, must be done separately since the digest
1627 	 * type can be different than the input data type.
1628 	 */
1629 	switch (digest->cd_format) {
1630 	case CRYPTO_DATA_RAW:
1631 		SHA1Final((unsigned char *)digest->cd_raw.iov_base +
1632 		    digest->cd_offset, &PROV_SHA1_CTX(ctx)->sc_sha1_ctx);
1633 		break;
1634 	case CRYPTO_DATA_UIO:
1635 		ret = sha1_digest_final_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1636 		    digest, SHA1_DIGEST_LENGTH, NULL);
1637 		break;
1638 	case CRYPTO_DATA_MBLK:
1639 		ret = sha1_digest_final_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1640 		    digest, SHA1_DIGEST_LENGTH, NULL);
1641 		break;
1642 	default:
1643 		ret = CRYPTO_ARGUMENTS_BAD;
1644 	}
1645 
1646 	/* all done, free context and return */
1647 
1648 	if (ret == CRYPTO_SUCCESS) {
1649 		digest->cd_length = SHA1_DIGEST_LENGTH;
1650 	} else {
1651 		digest->cd_length = 0;
1652 	}
1653 
1654 	kmem_free(ctx->cc_provider_private, sizeof (sha1_ctx_t));
1655 	ctx->cc_provider_private = NULL;
1656 	return (ret);
1657 }
1658 
1659 /* ARGSUSED */
1660 static int
1661 sha1_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
1662     crypto_req_handle_t req)
1663 {
1664 	int ret = CRYPTO_SUCCESS;
1665 
1666 	ASSERT(ctx->cc_provider_private != NULL);
1667 
1668 	/*
1669 	 * Do the SHA1 update on the specified input data.
1670 	 */
1671 	switch (data->cd_format) {
1672 	case CRYPTO_DATA_RAW:
1673 		SHA1Update(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1674 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1675 		    data->cd_length);
1676 		break;
1677 	case CRYPTO_DATA_UIO:
1678 		ret = sha1_digest_update_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1679 		    data);
1680 		break;
1681 	case CRYPTO_DATA_MBLK:
1682 		ret = sha1_digest_update_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1683 		    data);
1684 		break;
1685 	default:
1686 		ret = CRYPTO_ARGUMENTS_BAD;
1687 	}
1688 
1689 	return (ret);
1690 }
1691 
1692 /* ARGSUSED */
1693 static int
1694 sha1_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
1695     crypto_req_handle_t req)
1696 {
1697 	int ret = CRYPTO_SUCCESS;
1698 
1699 	ASSERT(ctx->cc_provider_private != NULL);
1700 
1701 	/*
1702 	 * We need to just return the length needed to store the output.
1703 	 * We should not destroy the context for the following cases.
1704 	 */
1705 	if ((digest->cd_length == 0) ||
1706 	    (digest->cd_length < SHA1_DIGEST_LENGTH)) {
1707 		digest->cd_length = SHA1_DIGEST_LENGTH;
1708 		return (CRYPTO_BUFFER_TOO_SMALL);
1709 	}
1710 
1711 	/*
1712 	 * Do a SHA1 final.
1713 	 */
1714 	switch (digest->cd_format) {
1715 	case CRYPTO_DATA_RAW:
1716 		SHA1Final((unsigned char *)digest->cd_raw.iov_base +
1717 		    digest->cd_offset, &PROV_SHA1_CTX(ctx)->sc_sha1_ctx);
1718 		break;
1719 	case CRYPTO_DATA_UIO:
1720 		ret = sha1_digest_final_uio(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1721 		    digest, SHA1_DIGEST_LENGTH, NULL);
1722 		break;
1723 	case CRYPTO_DATA_MBLK:
1724 		ret = sha1_digest_final_mblk(&PROV_SHA1_CTX(ctx)->sc_sha1_ctx,
1725 		    digest, SHA1_DIGEST_LENGTH, NULL);
1726 		break;
1727 	default:
1728 		ret = CRYPTO_ARGUMENTS_BAD;
1729 	}
1730 
1731 	/* all done, free context and return */
1732 
1733 	if (ret == CRYPTO_SUCCESS) {
1734 		digest->cd_length = SHA1_DIGEST_LENGTH;
1735 	} else {
1736 		digest->cd_length = 0;
1737 	}
1738 
1739 	kmem_free(ctx->cc_provider_private, sizeof (sha1_ctx_t));
1740 	ctx->cc_provider_private = NULL;
1741 
1742 	return (ret);
1743 }
1744 
1745 /* ARGSUSED */
1746 static int
1747 sha1_digest_atomic(crypto_provider_handle_t provider,
1748     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1749     crypto_data_t *data, crypto_data_t *digest,
1750     crypto_req_handle_t req)
1751 {
1752 	int ret = CRYPTO_SUCCESS;
1753 	SHA1_CTX sha1_ctx;
1754 
1755 	if (mechanism->cm_type != SHA1_MECH_INFO_TYPE)
1756 		return (CRYPTO_MECHANISM_INVALID);
1757 
1758 	/*
1759 	 * Do the SHA1 init.
1760 	 */
1761 	SHA1Init(&sha1_ctx);
1762 
1763 	/*
1764 	 * Do the SHA1 update on the specified input data.
1765 	 */
1766 	switch (data->cd_format) {
1767 	case CRYPTO_DATA_RAW:
1768 		SHA1Update(&sha1_ctx,
1769 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1770 		    data->cd_length);
1771 		break;
1772 	case CRYPTO_DATA_UIO:
1773 		ret = sha1_digest_update_uio(&sha1_ctx, data);
1774 		break;
1775 	case CRYPTO_DATA_MBLK:
1776 		ret = sha1_digest_update_mblk(&sha1_ctx, data);
1777 		break;
1778 	default:
1779 		ret = CRYPTO_ARGUMENTS_BAD;
1780 	}
1781 
1782 	if (ret != CRYPTO_SUCCESS) {
1783 		/* the update failed, bail */
1784 		digest->cd_length = 0;
1785 		return (ret);
1786 	}
1787 
1788 	/*
1789 	 * Do a SHA1 final, must be done separately since the digest
1790 	 * type can be different than the input data type.
1791 	 */
1792 	switch (digest->cd_format) {
1793 	case CRYPTO_DATA_RAW:
1794 		SHA1Final((unsigned char *)digest->cd_raw.iov_base +
1795 		    digest->cd_offset, &sha1_ctx);
1796 		break;
1797 	case CRYPTO_DATA_UIO:
1798 		ret = sha1_digest_final_uio(&sha1_ctx, digest,
1799 		    SHA1_DIGEST_LENGTH, NULL);
1800 		break;
1801 	case CRYPTO_DATA_MBLK:
1802 		ret = sha1_digest_final_mblk(&sha1_ctx, digest,
1803 		    SHA1_DIGEST_LENGTH, NULL);
1804 		break;
1805 	default:
1806 		ret = CRYPTO_ARGUMENTS_BAD;
1807 	}
1808 
1809 	if (ret == CRYPTO_SUCCESS) {
1810 		digest->cd_length = SHA1_DIGEST_LENGTH;
1811 	} else {
1812 		digest->cd_length = 0;
1813 	}
1814 
1815 	return (ret);
1816 }
1817 
1818 /*
1819  * KCF software provider mac entry points.
1820  *
1821  * SHA1 HMAC is: SHA1(key XOR opad, SHA1(key XOR ipad, text))
1822  *
1823  * Init:
1824  * The initialization routine initializes what we denote
1825  * as the inner and outer contexts by doing
1826  * - for inner context: SHA1(key XOR ipad)
1827  * - for outer context: SHA1(key XOR opad)
1828  *
1829  * Update:
1830  * Each subsequent SHA1 HMAC update will result in an
1831  * update of the inner context with the specified data.
1832  *
1833  * Final:
1834  * The SHA1 HMAC final will do a SHA1 final operation on the
1835  * inner context, and the resulting digest will be used
1836  * as the data for an update on the outer context. Last
1837  * but not least, a SHA1 final on the outer context will
1838  * be performed to obtain the SHA1 HMAC digest to return
1839  * to the user.
1840  */
1841 
1842 /*
1843  * Initialize a SHA1-HMAC context.
1844  */
1845 static void
1846 sha1_mac_init_ctx(sha1_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
1847 {
1848 	uint32_t ipad[SHA1_HMAC_INTS_PER_BLOCK];
1849 	uint32_t opad[SHA1_HMAC_INTS_PER_BLOCK];
1850 	uint_t i;
1851 
1852 	bzero(ipad, SHA1_HMAC_BLOCK_SIZE);
1853 	bzero(opad, SHA1_HMAC_BLOCK_SIZE);
1854 
1855 	bcopy(keyval, ipad, length_in_bytes);
1856 	bcopy(keyval, opad, length_in_bytes);
1857 
1858 	/* XOR key with ipad (0x36) and opad (0x5c) */
1859 	for (i = 0; i < SHA1_HMAC_INTS_PER_BLOCK; i++) {
1860 		ipad[i] ^= 0x36363636;
1861 		opad[i] ^= 0x5c5c5c5c;
1862 	}
1863 
1864 	/* perform SHA1 on ipad */
1865 	SHA1Init(&ctx->hc_icontext);
1866 	SHA1Update(&ctx->hc_icontext, (uint8_t *)ipad, SHA1_HMAC_BLOCK_SIZE);
1867 
1868 	/* perform SHA1 on opad */
1869 	SHA1Init(&ctx->hc_ocontext);
1870 	SHA1Update(&ctx->hc_ocontext, (uint8_t *)opad, SHA1_HMAC_BLOCK_SIZE);
1871 }
1872 
1873 /*
1874  */
1875 static int
1876 sha1_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1877     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
1878     crypto_req_handle_t req)
1879 {
1880 	int ret = CRYPTO_SUCCESS;
1881 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1882 
1883 	if (mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE &&
1884 	    mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)
1885 		return (CRYPTO_MECHANISM_INVALID);
1886 
1887 	/* Add support for key by attributes (RFE 4706552) */
1888 	if (key->ck_format != CRYPTO_KEY_RAW)
1889 		return (CRYPTO_ARGUMENTS_BAD);
1890 
1891 	ctx->cc_provider_private = kmem_alloc(sizeof (sha1_hmac_ctx_t),
1892 	    crypto_kmflag(req));
1893 	if (ctx->cc_provider_private == NULL)
1894 		return (CRYPTO_HOST_MEMORY);
1895 
1896 	if (ctx_template != NULL) {
1897 		/* reuse context template */
1898 		bcopy(ctx_template, PROV_SHA1_HMAC_CTX(ctx),
1899 		    sizeof (sha1_hmac_ctx_t));
1900 	} else {
1901 		/* no context template, compute context */
1902 		if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
1903 			uchar_t digested_key[SHA1_DIGEST_LENGTH];
1904 			sha1_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
1905 
1906 			/*
1907 			 * Hash the passed-in key to get a smaller key.
1908 			 * The inner context is used since it hasn't been
1909 			 * initialized yet.
1910 			 */
1911 			PROV_SHA1_DIGEST_KEY(&hmac_ctx->hc_icontext,
1912 			    key->ck_data, keylen_in_bytes, digested_key);
1913 			sha1_mac_init_ctx(PROV_SHA1_HMAC_CTX(ctx),
1914 			    digested_key, SHA1_DIGEST_LENGTH);
1915 		} else {
1916 			sha1_mac_init_ctx(PROV_SHA1_HMAC_CTX(ctx),
1917 			    key->ck_data, keylen_in_bytes);
1918 		}
1919 	}
1920 
1921 	/*
1922 	 * Get the mechanism parameters, if applicable.
1923 	 */
1924 	PROV_SHA1_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
1925 	if (mechanism->cm_type == SHA1_HMAC_GEN_MECH_INFO_TYPE) {
1926 		if (mechanism->cm_param == NULL ||
1927 		    mechanism->cm_param_len != sizeof (ulong_t))
1928 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1929 		PROV_SHA1_GET_DIGEST_LEN(mechanism,
1930 		    PROV_SHA1_HMAC_CTX(ctx)->hc_digest_len);
1931 		if (PROV_SHA1_HMAC_CTX(ctx)->hc_digest_len >
1932 		    SHA1_DIGEST_LENGTH)
1933 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1934 	}
1935 
1936 	if (ret != CRYPTO_SUCCESS) {
1937 		bzero(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
1938 		kmem_free(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
1939 		ctx->cc_provider_private = NULL;
1940 	}
1941 
1942 	return (ret);
1943 }
1944 
1945 /* ARGSUSED */
1946 static int
1947 sha1_mac_update(crypto_ctx_t *ctx, crypto_data_t *data, crypto_req_handle_t req)
1948 {
1949 	int ret = CRYPTO_SUCCESS;
1950 
1951 	ASSERT(ctx->cc_provider_private != NULL);
1952 
1953 	/*
1954 	 * Do a SHA1 update of the inner context using the specified
1955 	 * data.
1956 	 */
1957 	switch (data->cd_format) {
1958 	case CRYPTO_DATA_RAW:
1959 		SHA1Update(&PROV_SHA1_HMAC_CTX(ctx)->hc_icontext,
1960 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1961 		    data->cd_length);
1962 		break;
1963 	case CRYPTO_DATA_UIO:
1964 		ret = sha1_digest_update_uio(
1965 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_icontext, data);
1966 		break;
1967 	case CRYPTO_DATA_MBLK:
1968 		ret = sha1_digest_update_mblk(
1969 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_icontext, data);
1970 		break;
1971 	default:
1972 		ret = CRYPTO_ARGUMENTS_BAD;
1973 	}
1974 
1975 	return (ret);
1976 }
1977 
1978 /* ARGSUSED */
1979 static int
1980 sha1_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1981 {
1982 	int ret = CRYPTO_SUCCESS;
1983 	uchar_t digest[SHA1_DIGEST_LENGTH];
1984 	uint32_t digest_len = SHA1_DIGEST_LENGTH;
1985 
1986 	ASSERT(ctx->cc_provider_private != NULL);
1987 
1988 	if (PROV_SHA1_HMAC_CTX(ctx)->hc_mech_type ==
1989 	    SHA1_HMAC_GEN_MECH_INFO_TYPE)
1990 		digest_len = PROV_SHA1_HMAC_CTX(ctx)->hc_digest_len;
1991 
1992 	/*
1993 	 * We need to just return the length needed to store the output.
1994 	 * We should not destroy the context for the following cases.
1995 	 */
1996 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1997 		mac->cd_length = digest_len;
1998 		return (CRYPTO_BUFFER_TOO_SMALL);
1999 	}
2000 
2001 	/*
2002 	 * Do a SHA1 final on the inner context.
2003 	 */
2004 	SHA1Final(digest, &PROV_SHA1_HMAC_CTX(ctx)->hc_icontext);
2005 
2006 	/*
2007 	 * Do a SHA1 update on the outer context, feeding the inner
2008 	 * digest as data.
2009 	 */
2010 	SHA1Update(&PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext, digest,
2011 	    SHA1_DIGEST_LENGTH);
2012 
2013 	/*
2014 	 * Do a SHA1 final on the outer context, storing the computing
2015 	 * digest in the users buffer.
2016 	 */
2017 	switch (mac->cd_format) {
2018 	case CRYPTO_DATA_RAW:
2019 		if (digest_len != SHA1_DIGEST_LENGTH) {
2020 			/*
2021 			 * The caller requested a short digest. Digest
2022 			 * into a scratch buffer and return to
2023 			 * the user only what was requested.
2024 			 */
2025 			SHA1Final(digest,
2026 			    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext);
2027 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
2028 			    mac->cd_offset, digest_len);
2029 		} else {
2030 			SHA1Final((unsigned char *)mac->cd_raw.iov_base +
2031 			    mac->cd_offset,
2032 			    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext);
2033 		}
2034 		break;
2035 	case CRYPTO_DATA_UIO:
2036 		ret = sha1_digest_final_uio(
2037 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext, mac,
2038 		    digest_len, digest);
2039 		break;
2040 	case CRYPTO_DATA_MBLK:
2041 		ret = sha1_digest_final_mblk(
2042 		    &PROV_SHA1_HMAC_CTX(ctx)->hc_ocontext, mac,
2043 		    digest_len, digest);
2044 		break;
2045 	default:
2046 		ret = CRYPTO_ARGUMENTS_BAD;
2047 	}
2048 
2049 	if (ret == CRYPTO_SUCCESS) {
2050 		mac->cd_length = digest_len;
2051 	} else {
2052 		mac->cd_length = 0;
2053 	}
2054 
2055 	bzero(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
2056 	kmem_free(ctx->cc_provider_private, sizeof (sha1_hmac_ctx_t));
2057 	ctx->cc_provider_private = NULL;
2058 
2059 	return (ret);
2060 }
2061 
2062 #define	SHA1_MAC_UPDATE(data, ctx, ret) {				\
2063 	switch (data->cd_format) {					\
2064 	case CRYPTO_DATA_RAW:						\
2065 		SHA1Update(&(ctx).hc_icontext,				\
2066 		    (uint8_t *)data->cd_raw.iov_base +			\
2067 		    data->cd_offset, data->cd_length);			\
2068 		break;							\
2069 	case CRYPTO_DATA_UIO:						\
2070 		ret = sha1_digest_update_uio(&(ctx).hc_icontext, data); \
2071 		break;							\
2072 	case CRYPTO_DATA_MBLK:						\
2073 		ret = sha1_digest_update_mblk(&(ctx).hc_icontext,	\
2074 		    data);						\
2075 		break;							\
2076 	default:							\
2077 		ret = CRYPTO_ARGUMENTS_BAD;				\
2078 	}								\
2079 }
2080 
2081 /* ARGSUSED */
2082 static int
2083 sha1_mac_atomic(crypto_provider_handle_t provider,
2084     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
2085     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
2086     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
2087 {
2088 	int ret = CRYPTO_SUCCESS;
2089 	uchar_t digest[SHA1_DIGEST_LENGTH];
2090 	sha1_hmac_ctx_t sha1_hmac_ctx;
2091 	uint32_t digest_len = SHA1_DIGEST_LENGTH;
2092 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2093 
2094 	if (mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE &&
2095 	    mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)
2096 		return (CRYPTO_MECHANISM_INVALID);
2097 
2098 	/* Add support for key by attributes (RFE 4706552) */
2099 	if (key->ck_format != CRYPTO_KEY_RAW)
2100 		return (CRYPTO_ARGUMENTS_BAD);
2101 
2102 	if (ctx_template != NULL) {
2103 		/* reuse context template */
2104 		bcopy(ctx_template, &sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2105 	} else {
2106 		/* no context template, initialize context */
2107 		if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
2108 			/*
2109 			 * Hash the passed-in key to get a smaller key.
2110 			 * The inner context is used since it hasn't been
2111 			 * initialized yet.
2112 			 */
2113 			PROV_SHA1_DIGEST_KEY(&sha1_hmac_ctx.hc_icontext,
2114 			    key->ck_data, keylen_in_bytes, digest);
2115 			sha1_mac_init_ctx(&sha1_hmac_ctx, digest,
2116 			    SHA1_DIGEST_LENGTH);
2117 		} else {
2118 			sha1_mac_init_ctx(&sha1_hmac_ctx, key->ck_data,
2119 			    keylen_in_bytes);
2120 		}
2121 	}
2122 
2123 	/* get the mechanism parameters, if applicable */
2124 	if (mechanism->cm_type == SHA1_HMAC_GEN_MECH_INFO_TYPE) {
2125 		if (mechanism->cm_param == NULL ||
2126 		    mechanism->cm_param_len != sizeof (ulong_t)) {
2127 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2128 			goto bail;
2129 		}
2130 		PROV_SHA1_GET_DIGEST_LEN(mechanism, digest_len);
2131 		if (digest_len > SHA1_DIGEST_LENGTH) {
2132 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2133 			goto bail;
2134 		}
2135 	}
2136 
2137 	/* do a SHA1 update of the inner context using the specified data */
2138 	SHA1_MAC_UPDATE(data, sha1_hmac_ctx, ret);
2139 	if (ret != CRYPTO_SUCCESS)
2140 		/* the update failed, free context and bail */
2141 		goto bail;
2142 
2143 	/*
2144 	 * Do a SHA1 final on the inner context.
2145 	 */
2146 	SHA1Final(digest, &sha1_hmac_ctx.hc_icontext);
2147 
2148 	/*
2149 	 * Do an SHA1 update on the outer context, feeding the inner
2150 	 * digest as data.
2151 	 */
2152 	SHA1Update(&sha1_hmac_ctx.hc_ocontext, digest, SHA1_DIGEST_LENGTH);
2153 
2154 	/*
2155 	 * Do a SHA1 final on the outer context, storing the computed
2156 	 * digest in the users buffer.
2157 	 */
2158 	switch (mac->cd_format) {
2159 	case CRYPTO_DATA_RAW:
2160 		if (digest_len != SHA1_DIGEST_LENGTH) {
2161 			/*
2162 			 * The caller requested a short digest. Digest
2163 			 * into a scratch buffer and return to
2164 			 * the user only what was requested.
2165 			 */
2166 			SHA1Final(digest, &sha1_hmac_ctx.hc_ocontext);
2167 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
2168 			    mac->cd_offset, digest_len);
2169 		} else {
2170 			SHA1Final((unsigned char *)mac->cd_raw.iov_base +
2171 			    mac->cd_offset, &sha1_hmac_ctx.hc_ocontext);
2172 		}
2173 		break;
2174 	case CRYPTO_DATA_UIO:
2175 		ret = sha1_digest_final_uio(&sha1_hmac_ctx.hc_ocontext, mac,
2176 		    digest_len, digest);
2177 		break;
2178 	case CRYPTO_DATA_MBLK:
2179 		ret = sha1_digest_final_mblk(&sha1_hmac_ctx.hc_ocontext, mac,
2180 		    digest_len, digest);
2181 		break;
2182 	default:
2183 		ret = CRYPTO_ARGUMENTS_BAD;
2184 	}
2185 
2186 	if (ret == CRYPTO_SUCCESS) {
2187 		mac->cd_length = digest_len;
2188 	} else {
2189 		mac->cd_length = 0;
2190 	}
2191 	/* Extra paranoia: zeroize the context on the stack */
2192 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2193 
2194 	return (ret);
2195 bail:
2196 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2197 	mac->cd_length = 0;
2198 	return (ret);
2199 }
2200 
2201 /* ARGSUSED */
2202 static int
2203 sha1_mac_verify_atomic(crypto_provider_handle_t provider,
2204     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
2205     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
2206     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
2207 {
2208 	int ret = CRYPTO_SUCCESS;
2209 	uchar_t digest[SHA1_DIGEST_LENGTH];
2210 	sha1_hmac_ctx_t sha1_hmac_ctx;
2211 	uint32_t digest_len = SHA1_DIGEST_LENGTH;
2212 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2213 
2214 	if (mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE &&
2215 	    mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)
2216 		return (CRYPTO_MECHANISM_INVALID);
2217 
2218 	/* Add support for key by attributes (RFE 4706552) */
2219 	if (key->ck_format != CRYPTO_KEY_RAW)
2220 		return (CRYPTO_ARGUMENTS_BAD);
2221 
2222 	if (ctx_template != NULL) {
2223 		/* reuse context template */
2224 		bcopy(ctx_template, &sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2225 	} else {
2226 		/* no context template, initialize context */
2227 		if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
2228 			/*
2229 			 * Hash the passed-in key to get a smaller key.
2230 			 * The inner context is used since it hasn't been
2231 			 * initialized yet.
2232 			 */
2233 			PROV_SHA1_DIGEST_KEY(&sha1_hmac_ctx.hc_icontext,
2234 			    key->ck_data, keylen_in_bytes, digest);
2235 			sha1_mac_init_ctx(&sha1_hmac_ctx, digest,
2236 			    SHA1_DIGEST_LENGTH);
2237 		} else {
2238 			sha1_mac_init_ctx(&sha1_hmac_ctx, key->ck_data,
2239 			    keylen_in_bytes);
2240 		}
2241 	}
2242 
2243 	/* get the mechanism parameters, if applicable */
2244 	if (mechanism->cm_type == SHA1_HMAC_GEN_MECH_INFO_TYPE) {
2245 		if (mechanism->cm_param == NULL ||
2246 		    mechanism->cm_param_len != sizeof (ulong_t)) {
2247 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2248 			goto bail;
2249 		}
2250 		PROV_SHA1_GET_DIGEST_LEN(mechanism, digest_len);
2251 		if (digest_len > SHA1_DIGEST_LENGTH) {
2252 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2253 			goto bail;
2254 		}
2255 	}
2256 
2257 	if (mac->cd_length != digest_len) {
2258 		ret = CRYPTO_INVALID_MAC;
2259 		goto bail;
2260 	}
2261 
2262 	/* do a SHA1 update of the inner context using the specified data */
2263 	SHA1_MAC_UPDATE(data, sha1_hmac_ctx, ret);
2264 	if (ret != CRYPTO_SUCCESS)
2265 		/* the update failed, free context and bail */
2266 		goto bail;
2267 
2268 	/* do a SHA1 final on the inner context */
2269 	SHA1Final(digest, &sha1_hmac_ctx.hc_icontext);
2270 
2271 	/*
2272 	 * Do an SHA1 update on the outer context, feeding the inner
2273 	 * digest as data.
2274 	 */
2275 	SHA1Update(&sha1_hmac_ctx.hc_ocontext, digest, SHA1_DIGEST_LENGTH);
2276 
2277 	/*
2278 	 * Do a SHA1 final on the outer context, storing the computed
2279 	 * digest in the users buffer.
2280 	 */
2281 	SHA1Final(digest, &sha1_hmac_ctx.hc_ocontext);
2282 
2283 	/*
2284 	 * Compare the computed digest against the expected digest passed
2285 	 * as argument.
2286 	 */
2287 
2288 	switch (mac->cd_format) {
2289 
2290 	case CRYPTO_DATA_RAW:
2291 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
2292 		    mac->cd_offset, digest_len) != 0)
2293 			ret = CRYPTO_INVALID_MAC;
2294 		break;
2295 
2296 	case CRYPTO_DATA_UIO: {
2297 		off_t offset = mac->cd_offset;
2298 		uint_t vec_idx;
2299 		off_t scratch_offset = 0;
2300 		size_t length = digest_len;
2301 		size_t cur_len;
2302 
2303 		/* we support only kernel buffer */
2304 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
2305 			return (CRYPTO_ARGUMENTS_BAD);
2306 
2307 		/* jump to the first iovec containing the expected digest */
2308 		for (vec_idx = 0;
2309 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
2310 		    vec_idx < mac->cd_uio->uio_iovcnt;
2311 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len);
2312 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
2313 			/*
2314 			 * The caller specified an offset that is
2315 			 * larger than the total size of the buffers
2316 			 * it provided.
2317 			 */
2318 			ret = CRYPTO_DATA_LEN_RANGE;
2319 			break;
2320 		}
2321 
2322 		/* do the comparison of computed digest vs specified one */
2323 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
2324 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
2325 			    offset, length);
2326 
2327 			if (bcmp(digest + scratch_offset,
2328 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
2329 			    cur_len) != 0) {
2330 				ret = CRYPTO_INVALID_MAC;
2331 				break;
2332 			}
2333 
2334 			length -= cur_len;
2335 			vec_idx++;
2336 			scratch_offset += cur_len;
2337 			offset = 0;
2338 		}
2339 		break;
2340 	}
2341 
2342 	case CRYPTO_DATA_MBLK: {
2343 		off_t offset = mac->cd_offset;
2344 		mblk_t *mp;
2345 		off_t scratch_offset = 0;
2346 		size_t length = digest_len;
2347 		size_t cur_len;
2348 
2349 		/* jump to the first mblk_t containing the expected digest */
2350 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
2351 		    offset -= MBLKL(mp), mp = mp->b_cont);
2352 		if (mp == NULL) {
2353 			/*
2354 			 * The caller specified an offset that is larger than
2355 			 * the total size of the buffers it provided.
2356 			 */
2357 			ret = CRYPTO_DATA_LEN_RANGE;
2358 			break;
2359 		}
2360 
2361 		while (mp != NULL && length > 0) {
2362 			cur_len = MIN(MBLKL(mp) - offset, length);
2363 			if (bcmp(digest + scratch_offset,
2364 			    mp->b_rptr + offset, cur_len) != 0) {
2365 				ret = CRYPTO_INVALID_MAC;
2366 				break;
2367 			}
2368 
2369 			length -= cur_len;
2370 			mp = mp->b_cont;
2371 			scratch_offset += cur_len;
2372 			offset = 0;
2373 		}
2374 		break;
2375 	}
2376 
2377 	default:
2378 		ret = CRYPTO_ARGUMENTS_BAD;
2379 	}
2380 
2381 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2382 	return (ret);
2383 bail:
2384 	bzero(&sha1_hmac_ctx, sizeof (sha1_hmac_ctx_t));
2385 	mac->cd_length = 0;
2386 	return (ret);
2387 }
2388 
2389 /*
2390  * KCF software provider context management entry points.
2391  */
2392 
2393 /* ARGSUSED */
2394 static int
2395 sha1_create_ctx_template(crypto_provider_handle_t provider,
2396     crypto_mechanism_t *mechanism, crypto_key_t *key,
2397     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
2398     crypto_req_handle_t req)
2399 {
2400 	sha1_hmac_ctx_t *sha1_hmac_ctx_tmpl;
2401 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2402 
2403 	if ((mechanism->cm_type != SHA1_HMAC_MECH_INFO_TYPE) &&
2404 	    (mechanism->cm_type != SHA1_HMAC_GEN_MECH_INFO_TYPE)) {
2405 		return (CRYPTO_MECHANISM_INVALID);
2406 	}
2407 
2408 	/* Add support for key by attributes (RFE 4706552) */
2409 	if (key->ck_format != CRYPTO_KEY_RAW)
2410 		return (CRYPTO_ARGUMENTS_BAD);
2411 
2412 	/*
2413 	 * Allocate and initialize SHA1 context.
2414 	 */
2415 	sha1_hmac_ctx_tmpl = kmem_alloc(sizeof (sha1_hmac_ctx_t),
2416 	    crypto_kmflag(req));
2417 	if (sha1_hmac_ctx_tmpl == NULL)
2418 		return (CRYPTO_HOST_MEMORY);
2419 
2420 	if (keylen_in_bytes > SHA1_HMAC_BLOCK_SIZE) {
2421 		uchar_t digested_key[SHA1_DIGEST_LENGTH];
2422 
2423 		/*
2424 		 * Hash the passed-in key to get a smaller key.
2425 		 * The inner context is used since it hasn't been
2426 		 * initialized yet.
2427 		 */
2428 		PROV_SHA1_DIGEST_KEY(&sha1_hmac_ctx_tmpl->hc_icontext,
2429 		    key->ck_data, keylen_in_bytes, digested_key);
2430 		sha1_mac_init_ctx(sha1_hmac_ctx_tmpl, digested_key,
2431 		    SHA1_DIGEST_LENGTH);
2432 	} else {
2433 		sha1_mac_init_ctx(sha1_hmac_ctx_tmpl, key->ck_data,
2434 		    keylen_in_bytes);
2435 	}
2436 
2437 	sha1_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
2438 	*ctx_template = (crypto_spi_ctx_template_t)sha1_hmac_ctx_tmpl;
2439 	*ctx_template_size = sizeof (sha1_hmac_ctx_t);
2440 
2441 
2442 	return (CRYPTO_SUCCESS);
2443 }
2444 
2445 static int
2446 sha1_free_context(crypto_ctx_t *ctx)
2447 {
2448 	uint_t ctx_len;
2449 	sha1_mech_type_t mech_type;
2450 
2451 	if (ctx->cc_provider_private == NULL)
2452 		return (CRYPTO_SUCCESS);
2453 
2454 	/*
2455 	 * We have to free either SHA1 or SHA1-HMAC contexts, which
2456 	 * have different lengths.
2457 	 */
2458 
2459 	mech_type = PROV_SHA1_CTX(ctx)->sc_mech_type;
2460 	if (mech_type == SHA1_MECH_INFO_TYPE)
2461 		ctx_len = sizeof (sha1_ctx_t);
2462 	else {
2463 		ASSERT(mech_type == SHA1_HMAC_MECH_INFO_TYPE ||
2464 		    mech_type == SHA1_HMAC_GEN_MECH_INFO_TYPE);
2465 		ctx_len = sizeof (sha1_hmac_ctx_t);
2466 	}
2467 
2468 	bzero(ctx->cc_provider_private, ctx_len);
2469 	kmem_free(ctx->cc_provider_private, ctx_len);
2470 	ctx->cc_provider_private = NULL;
2471 
2472 	return (CRYPTO_SUCCESS);
2473 }
2474 
2475 #endif /* _KERNEL */
2476