xref: /titanic_50/usr/src/common/crypto/sha2/sha2.c (revision 45916cd2fec6e79bca5dee0421bd39e3c2910d1e)
1 /*
2  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 
9 /*
10  * The basic framework for this code came from the reference
11  * implementation for MD5.  That implementation is Copyright (C)
12  * 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
13  *
14  * License to copy and use this software is granted provided that it
15  * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
16  * Algorithm" in all material mentioning or referencing this software
17  * or this function.
18  *
19  * License is also granted to make and use derivative works provided
20  * that such works are identified as "derived from the RSA Data
21  * Security, Inc. MD5 Message-Digest Algorithm" in all material
22  * mentioning or referencing the derived work.
23  *
24  * RSA Data Security, Inc. makes no representations concerning either
25  * the merchantability of this software or the suitability of this
26  * software for any particular purpose. It is provided "as is"
27  * without express or implied warranty of any kind.
28  *
29  * These notices must be retained in any copies of any part of this
30  * documentation and/or software.
31  *
32  * NOTE: Cleaned-up and optimized, version of SHA2, based on the FIPS 180-2
33  * standard, available at http://www.itl.nist.gov/div897/pubs/fip180-2.htm
34  * Not as fast as one would like -- further optimizations are encouraged
35  * and appreciated.
36  */
37 
38 #include <sys/types.h>
39 #include <sys/param.h>
40 #include <sys/systm.h>
41 #include <sys/sysmacros.h>
42 #include <sys/sha2.h>
43 #include <sys/sha2_consts.h>
44 
45 #ifdef _KERNEL
46 
47 #include <sys/modctl.h>
48 #include <sys/cmn_err.h>
49 #include <sys/crypto/common.h>
50 #include <sys/crypto/spi.h>
51 #include <sys/strsun.h>
52 
53 /*
54  * The sha2 module is created with two modlinkages:
55  * - a modlmisc that allows consumers to directly call the entry points
56  *   SHA2Init, SHA2Update, and SHA2Final.
57  * - a modlcrypto that allows the module to register with the Kernel
58  *   Cryptographic Framework (KCF) as a software provider for the SHA2
59  *   mechanisms.
60  */
61 
62 #else
63 
64 #include <strings.h>
65 #include <stdlib.h>
66 #include <errno.h>
67 
68 #endif	/* !_KERNEL */
69 
70 static void Encode(uint8_t *, uint32_t *, size_t);
71 static void Encode64(uint8_t *, uint64_t *, size_t);
72 static void SHA256Transform(SHA2_CTX *, const uint8_t *);
73 static void SHA512Transform(SHA2_CTX *, const uint8_t *);
74 
75 static uint8_t PADDING[128] = { 0x80, /* all zeros */ };
76 
77 /* Ch and Maj are the basic SHA2 functions. */
78 #define	Ch(b, c, d)	(((b) & (c)) ^ ((~b) & (d)))
79 #define	Maj(b, c, d)	(((b) & (c)) ^ ((b) & (d)) ^ ((c) & (d)))
80 
81 /* Rotates x right n bits. */
82 #define	ROTR(x, n)	\
83 	(((x) >> (n)) | ((x) << ((sizeof (x) * NBBY)-(n))))
84 
85 /* Shift x right n bits */
86 #define	SHR(x, n)	((x) >> (n))
87 
88 /* SHA256 Functions */
89 #define	BIGSIGMA0_256(x)	(ROTR((x), 2) ^ ROTR((x), 13) ^ ROTR((x), 22))
90 #define	BIGSIGMA1_256(x)	(ROTR((x), 6) ^ ROTR((x), 11) ^ ROTR((x), 25))
91 #define	SIGMA0_256(x)		(ROTR((x), 7) ^ ROTR((x), 18) ^ SHR((x), 3))
92 #define	SIGMA1_256(x)		(ROTR((x), 17) ^ ROTR((x), 19) ^ SHR((x), 10))
93 
94 #define	SHA256ROUND(a, b, c, d, e, f, g, h, i, w)			\
95 	T1 = h + BIGSIGMA1_256(e) + Ch(e, f, g) + SHA256_CONST(i) + w;	\
96 	d += T1;							\
97 	T2 = BIGSIGMA0_256(a) + Maj(a, b, c);				\
98 	h = T1 + T2
99 
100 /* SHA384/512 Functions */
101 #define	BIGSIGMA0(x)	(ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39))
102 #define	BIGSIGMA1(x)	(ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41))
103 #define	SIGMA0(x)	(ROTR((x), 1) ^ ROTR((x), 8) ^ SHR((x), 7))
104 #define	SIGMA1(x)	(ROTR((x), 19) ^ ROTR((x), 61) ^ SHR((x), 6))
105 #define	SHA512ROUND(a, b, c, d, e, f, g, h, i, w)			\
106 	T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + SHA512_CONST(i) + w;	\
107 	d += T1;							\
108 	T2 = BIGSIGMA0(a) + Maj(a, b, c);				\
109 	h = T1 + T2
110 
111 #ifdef _KERNEL
112 
113 static struct modlmisc modlmisc = {
114 	&mod_miscops,
115 	"SHA2 Message-Digest Algorithm"
116 };
117 
118 static struct modlcrypto modlcrypto = {
119 	&mod_cryptoops,
120 	"SHA2 Kernel SW Provider %I%"
121 };
122 
123 static struct modlinkage modlinkage = {
124 	MODREV_1, &modlmisc, &modlcrypto, NULL
125 };
126 
127 /*
128  * CSPI information (entry points, provider info, etc.)
129  */
130 
131 #endif /* _KERNEL */
132 
133 /*
134  * List of support mechanisms in this module.
135  *
136  * It is important to note that in the module, division or modulus calculations
137  * are used on the enumerated type to determine which mechanism is being used;
138  * therefore, changing the order or additional mechanisms should be done
139  * carefully
140  */
141 typedef enum sha2_mech_type {
142 	SHA256_MECH_INFO_TYPE,		/* SUN_CKM_SHA256 */
143 	SHA256_HMAC_MECH_INFO_TYPE,	/* SUN_CKM_SHA256_HMAC */
144 	SHA256_HMAC_GEN_MECH_INFO_TYPE,	/* SUN_CKM_SHA256_HMAC_GENERAL */
145 	SHA384_MECH_INFO_TYPE,		/* SUN_CKM_SHA384 */
146 	SHA384_HMAC_MECH_INFO_TYPE,	/* SUN_CKM_SHA384_HMAC */
147 	SHA384_HMAC_GEN_MECH_INFO_TYPE,	/* SUN_CKM_SHA384_HMAC_GENERAL */
148 	SHA512_MECH_INFO_TYPE,		/* SUN_CKM_SHA512 */
149 	SHA512_HMAC_MECH_INFO_TYPE,	/* SUN_CKM_SHA512_HMAC */
150 	SHA512_HMAC_GEN_MECH_INFO_TYPE	/* SUN_CKM_SHA512_HMAC_GENERAL */
151 } sha2_mech_type_t;
152 
153 #ifdef _KERNEL
154 
155 
156 /*
157  * Context for SHA2 mechanism.
158  */
159 typedef struct sha2_ctx {
160 	sha2_mech_type_t	sc_mech_type;	/* type of context */
161 	SHA2_CTX		sc_sha2_ctx;	/* SHA2 context */
162 } sha2_ctx_t;
163 
164 /*
165  * Context for SHA2 HMAC and HMAC GENERAL mechanisms.
166  */
167 typedef struct sha2_hmac_ctx {
168 	sha2_mech_type_t	hc_mech_type;	/* type of context */
169 	uint32_t		hc_digest_len;	/* digest len in bytes */
170 	SHA2_CTX		hc_icontext;	/* inner SHA2 context */
171 	SHA2_CTX		hc_ocontext;	/* outer SHA2 context */
172 } sha2_hmac_ctx_t;
173 
174 /*
175  * Macros to access the SHA2 or SHA2-HMAC contexts from a context passed
176  * by KCF to one of the entry points.
177  */
178 
179 #define	PROV_SHA2_CTX(ctx)	((sha2_ctx_t *)(ctx)->cc_provider_private)
180 #define	PROV_SHA2_HMAC_CTX(ctx)	((sha2_hmac_ctx_t *)(ctx)->cc_provider_private)
181 
182 /* to extract the digest length passed as mechanism parameter */
183 #define	PROV_SHA2_GET_DIGEST_LEN(m, len) {				\
184 	if (IS_P2ALIGNED((m)->cm_param, sizeof (ulong_t)))		\
185 		(len) = (uint32_t)*((ulong_t *)(m)->cm_param);	\
186 	else {								\
187 		ulong_t tmp_ulong;					\
188 		bcopy((m)->cm_param, &tmp_ulong, sizeof (ulong_t));	\
189 		(len) = (uint32_t)tmp_ulong;				\
190 	}								\
191 }
192 
193 #define	PROV_SHA2_DIGEST_KEY(mech, ctx, key, len, digest) {	\
194 	SHA2Init(mech, ctx);				\
195 	SHA2Update(ctx, key, len);			\
196 	SHA2Final(digest, ctx);				\
197 }
198 
199 /*
200  * Mechanism info structure passed to KCF during registration.
201  */
202 static crypto_mech_info_t sha2_mech_info_tab[] = {
203 	/* SHA256 */
204 	{SUN_CKM_SHA256, SHA256_MECH_INFO_TYPE,
205 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
206 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
207 	/* SHA256-HMAC */
208 	{SUN_CKM_SHA256_HMAC, SHA256_HMAC_MECH_INFO_TYPE,
209 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
210 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
211 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
212 	/* SHA256-HMAC GENERAL */
213 	{SUN_CKM_SHA256_HMAC_GENERAL, SHA256_HMAC_GEN_MECH_INFO_TYPE,
214 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
215 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
216 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
217 	/* SHA384 */
218 	{SUN_CKM_SHA384, SHA384_MECH_INFO_TYPE,
219 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
220 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
221 	/* SHA384-HMAC */
222 	{SUN_CKM_SHA384_HMAC, SHA384_HMAC_MECH_INFO_TYPE,
223 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
224 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
225 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
226 	/* SHA384-HMAC GENERAL */
227 	{SUN_CKM_SHA384_HMAC_GENERAL, SHA384_HMAC_GEN_MECH_INFO_TYPE,
228 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
229 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
230 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
231 	/* SHA512 */
232 	{SUN_CKM_SHA512, SHA512_MECH_INFO_TYPE,
233 	    CRYPTO_FG_DIGEST | CRYPTO_FG_DIGEST_ATOMIC,
234 	    0, 0, CRYPTO_KEYSIZE_UNIT_IN_BITS},
235 	/* SHA512-HMAC */
236 	{SUN_CKM_SHA512_HMAC, SHA512_HMAC_MECH_INFO_TYPE,
237 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
238 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
239 	    CRYPTO_KEYSIZE_UNIT_IN_BITS},
240 	/* SHA512-HMAC GENERAL */
241 	{SUN_CKM_SHA512_HMAC_GENERAL, SHA512_HMAC_GEN_MECH_INFO_TYPE,
242 	    CRYPTO_FG_MAC | CRYPTO_FG_MAC_ATOMIC,
243 	    SHA2_HMAC_MIN_KEY_LEN, SHA2_HMAC_MAX_KEY_LEN,
244 	    CRYPTO_KEYSIZE_UNIT_IN_BITS}
245 };
246 
247 void SHA2Init(uint64_t, SHA2_CTX *);
248 void SHA2Update(SHA2_CTX *, const uint8_t *, uint32_t);
249 void SHA2Final(uint8_t *, SHA2_CTX *);
250 
251 static void sha2_provider_status(crypto_provider_handle_t, uint_t *);
252 
253 static crypto_control_ops_t sha2_control_ops = {
254 	sha2_provider_status
255 };
256 
257 static int sha2_digest_init(crypto_ctx_t *, crypto_mechanism_t *,
258     crypto_req_handle_t);
259 static int sha2_digest(crypto_ctx_t *, crypto_data_t *, crypto_data_t *,
260     crypto_req_handle_t);
261 static int sha2_digest_update(crypto_ctx_t *, crypto_data_t *,
262     crypto_req_handle_t);
263 static int sha2_digest_final(crypto_ctx_t *, crypto_data_t *,
264     crypto_req_handle_t);
265 static int sha2_digest_atomic(crypto_provider_handle_t, crypto_session_id_t,
266     crypto_mechanism_t *, crypto_data_t *, crypto_data_t *,
267     crypto_req_handle_t);
268 
269 static crypto_digest_ops_t sha2_digest_ops = {
270 	sha2_digest_init,
271 	sha2_digest,
272 	sha2_digest_update,
273 	NULL,
274 	sha2_digest_final,
275 	sha2_digest_atomic
276 };
277 
278 static int sha2_mac_init(crypto_ctx_t *, crypto_mechanism_t *, crypto_key_t *,
279     crypto_spi_ctx_template_t, crypto_req_handle_t);
280 static int sha2_mac_update(crypto_ctx_t *, crypto_data_t *,
281     crypto_req_handle_t);
282 static int sha2_mac_final(crypto_ctx_t *, crypto_data_t *, crypto_req_handle_t);
283 static int sha2_mac_atomic(crypto_provider_handle_t, crypto_session_id_t,
284     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
285     crypto_spi_ctx_template_t, crypto_req_handle_t);
286 static int sha2_mac_verify_atomic(crypto_provider_handle_t, crypto_session_id_t,
287     crypto_mechanism_t *, crypto_key_t *, crypto_data_t *, crypto_data_t *,
288     crypto_spi_ctx_template_t, crypto_req_handle_t);
289 
290 static crypto_mac_ops_t sha2_mac_ops = {
291 	sha2_mac_init,
292 	NULL,
293 	sha2_mac_update,
294 	sha2_mac_final,
295 	sha2_mac_atomic,
296 	sha2_mac_verify_atomic
297 };
298 
299 static int sha2_create_ctx_template(crypto_provider_handle_t,
300     crypto_mechanism_t *, crypto_key_t *, crypto_spi_ctx_template_t *,
301     size_t *, crypto_req_handle_t);
302 static int sha2_free_context(crypto_ctx_t *);
303 
304 static crypto_ctx_ops_t sha2_ctx_ops = {
305 	sha2_create_ctx_template,
306 	sha2_free_context
307 };
308 
309 static crypto_ops_t sha2_crypto_ops = {
310 	&sha2_control_ops,
311 	&sha2_digest_ops,
312 	NULL,
313 	&sha2_mac_ops,
314 	NULL,
315 	NULL,
316 	NULL,
317 	NULL,
318 	NULL,
319 	NULL,
320 	NULL,
321 	NULL,
322 	NULL,
323 	&sha2_ctx_ops
324 };
325 
326 static crypto_provider_info_t sha2_prov_info = {
327 	CRYPTO_SPI_VERSION_1,
328 	"SHA2 Software Provider",
329 	CRYPTO_SW_PROVIDER,
330 	{&modlinkage},
331 	NULL,
332 	&sha2_crypto_ops,
333 	sizeof (sha2_mech_info_tab)/sizeof (crypto_mech_info_t),
334 	sha2_mech_info_tab
335 };
336 
337 static crypto_kcf_provider_handle_t sha2_prov_handle = NULL;
338 
339 int
340 _init()
341 {
342 	int ret;
343 
344 	if ((ret = mod_install(&modlinkage)) != 0)
345 		return (ret);
346 
347 	/*
348 	 * Register with KCF. If the registration fails, log an
349 	 * error but do not uninstall the module, since the functionality
350 	 * provided by misc/sha2 should still be available.
351 	 */
352 	if ((ret = crypto_register_provider(&sha2_prov_info,
353 	    &sha2_prov_handle)) != CRYPTO_SUCCESS)
354 		cmn_err(CE_WARN, "sha2 _init: "
355 		    "crypto_register_provider() failed (0x%x)", ret);
356 
357 	return (0);
358 }
359 
360 int
361 _info(struct modinfo *modinfop)
362 {
363 	return (mod_info(&modlinkage, modinfop));
364 }
365 
366 #endif /* _KERNEL */
367 
368 
369 /*
370  * sparc optimization:
371  *
372  * on the sparc, we can load big endian 32-bit data easily.  note that
373  * special care must be taken to ensure the address is 32-bit aligned.
374  * in the interest of speed, we don't check to make sure, since
375  * careful programming can guarantee this for us.
376  */
377 
378 #if	defined(_BIG_ENDIAN)
379 
380 #define	LOAD_BIG_32(addr)	(*(uint32_t *)(addr))
381 
382 #else	/* little endian -- will work on big endian, but slowly */
383 
384 #define	LOAD_BIG_32(addr)	\
385 	(((addr)[0] << 24) | ((addr)[1] << 16) | ((addr)[2] << 8) | (addr)[3])
386 #endif
387 
388 
389 #if	defined(_BIG_ENDIAN)
390 
391 #define	LOAD_BIG_64(addr)	(*(uint64_t *)(addr))
392 
393 #else	/* little endian -- will work on big endian, but slowly */
394 
395 #define	LOAD_BIG_64(addr)	\
396 	(((uint64_t)(addr)[0] << 56) | ((uint64_t)(addr)[1] << 48) |	\
397 	    ((uint64_t)(addr)[2] << 40) | ((uint64_t)(addr)[3] << 32) |	\
398 	    ((uint64_t)(addr)[4] << 24) | ((uint64_t)(addr)[5] << 16) |	\
399 	    ((uint64_t)(addr)[6] << 8) | (uint64_t)(addr)[7])
400 
401 #endif
402 
403 
404 /* SHA256 Transform */
405 
406 static void
407 SHA256Transform(SHA2_CTX *ctx, const uint8_t *blk)
408 {
409 
410 	uint32_t a = ctx->state.s32[0];
411 	uint32_t b = ctx->state.s32[1];
412 	uint32_t c = ctx->state.s32[2];
413 	uint32_t d = ctx->state.s32[3];
414 	uint32_t e = ctx->state.s32[4];
415 	uint32_t f = ctx->state.s32[5];
416 	uint32_t g = ctx->state.s32[6];
417 	uint32_t h = ctx->state.s32[7];
418 
419 	uint32_t w0, w1, w2, w3, w4, w5, w6, w7;
420 	uint32_t w8, w9, w10, w11, w12, w13, w14, w15;
421 	uint32_t T1, T2;
422 
423 #if	defined(__sparc)
424 	static const uint32_t sha256_consts[] = {
425 		SHA256_CONST_0, SHA256_CONST_1, SHA256_CONST_2,
426 		SHA256_CONST_3, SHA256_CONST_4, SHA256_CONST_5,
427 		SHA256_CONST_6, SHA256_CONST_7, SHA256_CONST_8,
428 		SHA256_CONST_9, SHA256_CONST_10, SHA256_CONST_11,
429 		SHA256_CONST_12, SHA256_CONST_13, SHA256_CONST_14,
430 		SHA256_CONST_15, SHA256_CONST_16, SHA256_CONST_17,
431 		SHA256_CONST_18, SHA256_CONST_19, SHA256_CONST_20,
432 		SHA256_CONST_21, SHA256_CONST_22, SHA256_CONST_23,
433 		SHA256_CONST_24, SHA256_CONST_25, SHA256_CONST_26,
434 		SHA256_CONST_27, SHA256_CONST_28, SHA256_CONST_29,
435 		SHA256_CONST_30, SHA256_CONST_31, SHA256_CONST_32,
436 		SHA256_CONST_33, SHA256_CONST_34, SHA256_CONST_35,
437 		SHA256_CONST_36, SHA256_CONST_37, SHA256_CONST_38,
438 		SHA256_CONST_39, SHA256_CONST_40, SHA256_CONST_41,
439 		SHA256_CONST_42, SHA256_CONST_43, SHA256_CONST_44,
440 		SHA256_CONST_45, SHA256_CONST_46, SHA256_CONST_47,
441 		SHA256_CONST_48, SHA256_CONST_49, SHA256_CONST_50,
442 		SHA256_CONST_51, SHA256_CONST_52, SHA256_CONST_53,
443 		SHA256_CONST_54, SHA256_CONST_55, SHA256_CONST_56,
444 		SHA256_CONST_57, SHA256_CONST_58, SHA256_CONST_59,
445 		SHA256_CONST_60, SHA256_CONST_61, SHA256_CONST_62,
446 		SHA256_CONST_63
447 	};
448 #endif
449 
450 	if ((uintptr_t)blk & 0x3) {		/* not 4-byte aligned? */
451 		bcopy(blk, ctx->buf_un.buf32,  sizeof (ctx->buf_un.buf32));
452 		blk = (uint8_t *)ctx->buf_un.buf32;
453 	}
454 
455 #if	defined(__sparc)
456 	/*LINTED*/
457 	w0 =  LOAD_BIG_32(blk + 4 * 0);
458 	SHA256ROUND(a, b, c, d, e, f, g, h, 0, w0);
459 	/*LINTED*/
460 	w1 =  LOAD_BIG_32(blk + 4 * 1);
461 	SHA256ROUND(h, a, b, c, d, e, f, g, 1, w1);
462 	/*LINTED*/
463 	w2 =  LOAD_BIG_32(blk + 4 * 2);
464 	SHA256ROUND(g, h, a, b, c, d, e, f, 2, w2);
465 	/*LINTED*/
466 	w3 =  LOAD_BIG_32(blk + 4 * 3);
467 	SHA256ROUND(f, g, h, a, b, c, d, e, 3, w3);
468 	/*LINTED*/
469 	w4 =  LOAD_BIG_32(blk + 4 * 4);
470 	SHA256ROUND(e, f, g, h, a, b, c, d, 4, w4);
471 	/*LINTED*/
472 	w5 =  LOAD_BIG_32(blk + 4 * 5);
473 	SHA256ROUND(d, e, f, g, h, a, b, c, 5, w5);
474 	/*LINTED*/
475 	w6 =  LOAD_BIG_32(blk + 4 * 6);
476 	SHA256ROUND(c, d, e, f, g, h, a, b, 6, w6);
477 	/*LINTED*/
478 	w7 =  LOAD_BIG_32(blk + 4 * 7);
479 	SHA256ROUND(b, c, d, e, f, g, h, a, 7, w7);
480 	/*LINTED*/
481 	w8 =  LOAD_BIG_32(blk + 4 * 8);
482 	SHA256ROUND(a, b, c, d, e, f, g, h, 8, w8);
483 	/*LINTED*/
484 	w9 =  LOAD_BIG_32(blk + 4 * 9);
485 	SHA256ROUND(h, a, b, c, d, e, f, g, 9, w9);
486 	/*LINTED*/
487 	w10 =  LOAD_BIG_32(blk + 4 * 10);
488 	SHA256ROUND(g, h, a, b, c, d, e, f, 10, w10);
489 	/*LINTED*/
490 	w11 =  LOAD_BIG_32(blk + 4 * 11);
491 	SHA256ROUND(f, g, h, a, b, c, d, e, 11, w11);
492 	/*LINTED*/
493 	w12 =  LOAD_BIG_32(blk + 4 * 12);
494 	SHA256ROUND(e, f, g, h, a, b, c, d, 12, w12);
495 	/*LINTED*/
496 	w13 =  LOAD_BIG_32(blk + 4 * 13);
497 	SHA256ROUND(d, e, f, g, h, a, b, c, 13, w13);
498 	/*LINTED*/
499 	w14 =  LOAD_BIG_32(blk + 4 * 14);
500 	SHA256ROUND(c, d, e, f, g, h, a, b, 14, w14);
501 	/*LINTED*/
502 	w15 =  LOAD_BIG_32(blk + 4 * 15);
503 	SHA256ROUND(b, c, d, e, f, g, h, a, 15, w15);
504 
505 #else
506 
507 	w0 =  LOAD_BIG_32(blk + 4 * 0);
508 	SHA256ROUND(a, b, c, d, e, f, g, h, 0, w0);
509 	w1 =  LOAD_BIG_32(blk + 4 * 1);
510 	SHA256ROUND(h, a, b, c, d, e, f, g, 1, w1);
511 	w2 =  LOAD_BIG_32(blk + 4 * 2);
512 	SHA256ROUND(g, h, a, b, c, d, e, f, 2, w2);
513 	w3 =  LOAD_BIG_32(blk + 4 * 3);
514 	SHA256ROUND(f, g, h, a, b, c, d, e, 3, w3);
515 	w4 =  LOAD_BIG_32(blk + 4 * 4);
516 	SHA256ROUND(e, f, g, h, a, b, c, d, 4, w4);
517 	w5 =  LOAD_BIG_32(blk + 4 * 5);
518 	SHA256ROUND(d, e, f, g, h, a, b, c, 5, w5);
519 	w6 =  LOAD_BIG_32(blk + 4 * 6);
520 	SHA256ROUND(c, d, e, f, g, h, a, b, 6, w6);
521 	w7 =  LOAD_BIG_32(blk + 4 * 7);
522 	SHA256ROUND(b, c, d, e, f, g, h, a, 7, w7);
523 	w8 =  LOAD_BIG_32(blk + 4 * 8);
524 	SHA256ROUND(a, b, c, d, e, f, g, h, 8, w8);
525 	w9 =  LOAD_BIG_32(blk + 4 * 9);
526 	SHA256ROUND(h, a, b, c, d, e, f, g, 9, w9);
527 	w10 =  LOAD_BIG_32(blk + 4 * 10);
528 	SHA256ROUND(g, h, a, b, c, d, e, f, 10, w10);
529 	w11 =  LOAD_BIG_32(blk + 4 * 11);
530 	SHA256ROUND(f, g, h, a, b, c, d, e, 11, w11);
531 	w12 =  LOAD_BIG_32(blk + 4 * 12);
532 	SHA256ROUND(e, f, g, h, a, b, c, d, 12, w12);
533 	w13 =  LOAD_BIG_32(blk + 4 * 13);
534 	SHA256ROUND(d, e, f, g, h, a, b, c, 13, w13);
535 	w14 =  LOAD_BIG_32(blk + 4 * 14);
536 	SHA256ROUND(c, d, e, f, g, h, a, b, 14, w14);
537 	w15 =  LOAD_BIG_32(blk + 4 * 15);
538 	SHA256ROUND(b, c, d, e, f, g, h, a, 15, w15);
539 
540 #endif
541 
542 	w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
543 	SHA256ROUND(a, b, c, d, e, f, g, h, 16, w0);
544 	w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
545 	SHA256ROUND(h, a, b, c, d, e, f, g, 17, w1);
546 	w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
547 	SHA256ROUND(g, h, a, b, c, d, e, f, 18, w2);
548 	w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
549 	SHA256ROUND(f, g, h, a, b, c, d, e, 19, w3);
550 	w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
551 	SHA256ROUND(e, f, g, h, a, b, c, d, 20, w4);
552 	w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
553 	SHA256ROUND(d, e, f, g, h, a, b, c, 21, w5);
554 	w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
555 	SHA256ROUND(c, d, e, f, g, h, a, b, 22, w6);
556 	w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
557 	SHA256ROUND(b, c, d, e, f, g, h, a, 23, w7);
558 	w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
559 	SHA256ROUND(a, b, c, d, e, f, g, h, 24, w8);
560 	w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
561 	SHA256ROUND(h, a, b, c, d, e, f, g, 25, w9);
562 	w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
563 	SHA256ROUND(g, h, a, b, c, d, e, f, 26, w10);
564 	w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
565 	SHA256ROUND(f, g, h, a, b, c, d, e, 27, w11);
566 	w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
567 	SHA256ROUND(e, f, g, h, a, b, c, d, 28, w12);
568 	w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
569 	SHA256ROUND(d, e, f, g, h, a, b, c, 29, w13);
570 	w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
571 	SHA256ROUND(c, d, e, f, g, h, a, b, 30, w14);
572 	w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
573 	SHA256ROUND(b, c, d, e, f, g, h, a, 31, w15);
574 
575 	w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
576 	SHA256ROUND(a, b, c, d, e, f, g, h, 32, w0);
577 	w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
578 	SHA256ROUND(h, a, b, c, d, e, f, g, 33, w1);
579 	w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
580 	SHA256ROUND(g, h, a, b, c, d, e, f, 34, w2);
581 	w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
582 	SHA256ROUND(f, g, h, a, b, c, d, e, 35, w3);
583 	w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
584 	SHA256ROUND(e, f, g, h, a, b, c, d, 36, w4);
585 	w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
586 	SHA256ROUND(d, e, f, g, h, a, b, c, 37, w5);
587 	w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
588 	SHA256ROUND(c, d, e, f, g, h, a, b, 38, w6);
589 	w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
590 	SHA256ROUND(b, c, d, e, f, g, h, a, 39, w7);
591 	w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
592 	SHA256ROUND(a, b, c, d, e, f, g, h, 40, w8);
593 	w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
594 	SHA256ROUND(h, a, b, c, d, e, f, g, 41, w9);
595 	w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
596 	SHA256ROUND(g, h, a, b, c, d, e, f, 42, w10);
597 	w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
598 	SHA256ROUND(f, g, h, a, b, c, d, e, 43, w11);
599 	w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
600 	SHA256ROUND(e, f, g, h, a, b, c, d, 44, w12);
601 	w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
602 	SHA256ROUND(d, e, f, g, h, a, b, c, 45, w13);
603 	w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
604 	SHA256ROUND(c, d, e, f, g, h, a, b, 46, w14);
605 	w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
606 	SHA256ROUND(b, c, d, e, f, g, h, a, 47, w15);
607 
608 	w0 = SIGMA1_256(w14) + w9 + SIGMA0_256(w1) + w0;
609 	SHA256ROUND(a, b, c, d, e, f, g, h, 48, w0);
610 	w1 = SIGMA1_256(w15) + w10 + SIGMA0_256(w2) + w1;
611 	SHA256ROUND(h, a, b, c, d, e, f, g, 49, w1);
612 	w2 = SIGMA1_256(w0) + w11 + SIGMA0_256(w3) + w2;
613 	SHA256ROUND(g, h, a, b, c, d, e, f, 50, w2);
614 	w3 = SIGMA1_256(w1) + w12 + SIGMA0_256(w4) + w3;
615 	SHA256ROUND(f, g, h, a, b, c, d, e, 51, w3);
616 	w4 = SIGMA1_256(w2) + w13 + SIGMA0_256(w5) + w4;
617 	SHA256ROUND(e, f, g, h, a, b, c, d, 52, w4);
618 	w5 = SIGMA1_256(w3) + w14 + SIGMA0_256(w6) + w5;
619 	SHA256ROUND(d, e, f, g, h, a, b, c, 53, w5);
620 	w6 = SIGMA1_256(w4) + w15 + SIGMA0_256(w7) + w6;
621 	SHA256ROUND(c, d, e, f, g, h, a, b, 54, w6);
622 	w7 = SIGMA1_256(w5) + w0 + SIGMA0_256(w8) + w7;
623 	SHA256ROUND(b, c, d, e, f, g, h, a, 55, w7);
624 	w8 = SIGMA1_256(w6) + w1 + SIGMA0_256(w9) + w8;
625 	SHA256ROUND(a, b, c, d, e, f, g, h, 56, w8);
626 	w9 = SIGMA1_256(w7) + w2 + SIGMA0_256(w10) + w9;
627 	SHA256ROUND(h, a, b, c, d, e, f, g, 57, w9);
628 	w10 = SIGMA1_256(w8) + w3 + SIGMA0_256(w11) + w10;
629 	SHA256ROUND(g, h, a, b, c, d, e, f, 58, w10);
630 	w11 = SIGMA1_256(w9) + w4 + SIGMA0_256(w12) + w11;
631 	SHA256ROUND(f, g, h, a, b, c, d, e, 59, w11);
632 	w12 = SIGMA1_256(w10) + w5 + SIGMA0_256(w13) + w12;
633 	SHA256ROUND(e, f, g, h, a, b, c, d, 60, w12);
634 	w13 = SIGMA1_256(w11) + w6 + SIGMA0_256(w14) + w13;
635 	SHA256ROUND(d, e, f, g, h, a, b, c, 61, w13);
636 	w14 = SIGMA1_256(w12) + w7 + SIGMA0_256(w15) + w14;
637 	SHA256ROUND(c, d, e, f, g, h, a, b, 62, w14);
638 	w15 = SIGMA1_256(w13) + w8 + SIGMA0_256(w0) + w15;
639 	SHA256ROUND(b, c, d, e, f, g, h, a, 63, w15);
640 
641 	ctx->state.s32[0] += a;
642 	ctx->state.s32[1] += b;
643 	ctx->state.s32[2] += c;
644 	ctx->state.s32[3] += d;
645 	ctx->state.s32[4] += e;
646 	ctx->state.s32[5] += f;
647 	ctx->state.s32[6] += g;
648 	ctx->state.s32[7] += h;
649 }
650 
651 
652 /* SHA384 and SHA512 Transform */
653 
654 static void
655 SHA512Transform(SHA2_CTX *ctx, const uint8_t *blk)
656 {
657 
658 	uint64_t a = ctx->state.s64[0];
659 	uint64_t b = ctx->state.s64[1];
660 	uint64_t c = ctx->state.s64[2];
661 	uint64_t d = ctx->state.s64[3];
662 	uint64_t e = ctx->state.s64[4];
663 	uint64_t f = ctx->state.s64[5];
664 	uint64_t g = ctx->state.s64[6];
665 	uint64_t h = ctx->state.s64[7];
666 
667 	uint64_t w0, w1, w2, w3, w4, w5, w6, w7;
668 	uint64_t w8, w9, w10, w11, w12, w13, w14, w15;
669 	uint64_t T1, T2;
670 
671 #if	defined(__sparc)
672 	static const uint64_t sha512_consts[] = {
673 		SHA512_CONST_0, SHA512_CONST_1, SHA512_CONST_2,
674 		SHA512_CONST_3, SHA512_CONST_4, SHA512_CONST_5,
675 		SHA512_CONST_6, SHA512_CONST_7, SHA512_CONST_8,
676 		SHA512_CONST_9, SHA512_CONST_10, SHA512_CONST_11,
677 		SHA512_CONST_12, SHA512_CONST_13, SHA512_CONST_14,
678 		SHA512_CONST_15, SHA512_CONST_16, SHA512_CONST_17,
679 		SHA512_CONST_18, SHA512_CONST_19, SHA512_CONST_20,
680 		SHA512_CONST_21, SHA512_CONST_22, SHA512_CONST_23,
681 		SHA512_CONST_24, SHA512_CONST_25, SHA512_CONST_26,
682 		SHA512_CONST_27, SHA512_CONST_28, SHA512_CONST_29,
683 		SHA512_CONST_30, SHA512_CONST_31, SHA512_CONST_32,
684 		SHA512_CONST_33, SHA512_CONST_34, SHA512_CONST_35,
685 		SHA512_CONST_36, SHA512_CONST_37, SHA512_CONST_38,
686 		SHA512_CONST_39, SHA512_CONST_40, SHA512_CONST_41,
687 		SHA512_CONST_42, SHA512_CONST_43, SHA512_CONST_44,
688 		SHA512_CONST_45, SHA512_CONST_46, SHA512_CONST_47,
689 		SHA512_CONST_48, SHA512_CONST_49, SHA512_CONST_50,
690 		SHA512_CONST_51, SHA512_CONST_52, SHA512_CONST_53,
691 		SHA512_CONST_54, SHA512_CONST_55, SHA512_CONST_56,
692 		SHA512_CONST_57, SHA512_CONST_58, SHA512_CONST_59,
693 		SHA512_CONST_60, SHA512_CONST_61, SHA512_CONST_62,
694 		SHA512_CONST_63, SHA512_CONST_64, SHA512_CONST_65,
695 		SHA512_CONST_66, SHA512_CONST_67, SHA512_CONST_68,
696 		SHA512_CONST_69, SHA512_CONST_70, SHA512_CONST_71,
697 		SHA512_CONST_72, SHA512_CONST_73, SHA512_CONST_74,
698 		SHA512_CONST_75, SHA512_CONST_76, SHA512_CONST_77,
699 		SHA512_CONST_78, SHA512_CONST_79
700 	};
701 #endif
702 
703 
704 	if ((uintptr_t)blk & 0x7) {		/* not 8-byte aligned? */
705 		bcopy(blk, ctx->buf_un.buf64,  sizeof (ctx->buf_un.buf64));
706 		blk = (uint8_t *)ctx->buf_un.buf64;
707 	}
708 
709 #if	defined(__sparc)
710 	/*LINTED*/
711 	w0 =  LOAD_BIG_64(blk + 8 * 0);
712 	SHA512ROUND(a, b, c, d, e, f, g, h, 0, w0);
713 	/*LINTED*/
714 	w1 =  LOAD_BIG_64(blk + 8 * 1);
715 	SHA512ROUND(h, a, b, c, d, e, f, g, 1, w1);
716 	/*LINTED*/
717 	w2 =  LOAD_BIG_64(blk + 8 * 2);
718 	SHA512ROUND(g, h, a, b, c, d, e, f, 2, w2);
719 	/*LINTED*/
720 	w3 =  LOAD_BIG_64(blk + 8 * 3);
721 	SHA512ROUND(f, g, h, a, b, c, d, e, 3, w3);
722 	/*LINTED*/
723 	w4 =  LOAD_BIG_64(blk + 8 * 4);
724 	SHA512ROUND(e, f, g, h, a, b, c, d, 4, w4);
725 	/*LINTED*/
726 	w5 =  LOAD_BIG_64(blk + 8 * 5);
727 	SHA512ROUND(d, e, f, g, h, a, b, c, 5, w5);
728 	/*LINTED*/
729 	w6 =  LOAD_BIG_64(blk + 8 * 6);
730 	SHA512ROUND(c, d, e, f, g, h, a, b, 6, w6);
731 	/*LINTED*/
732 	w7 =  LOAD_BIG_64(blk + 8 * 7);
733 	SHA512ROUND(b, c, d, e, f, g, h, a, 7, w7);
734 	/*LINTED*/
735 	w8 =  LOAD_BIG_64(blk + 8 * 8);
736 	SHA512ROUND(a, b, c, d, e, f, g, h, 8, w8);
737 	/*LINTED*/
738 	w9 =  LOAD_BIG_64(blk + 8 * 9);
739 	SHA512ROUND(h, a, b, c, d, e, f, g, 9, w9);
740 	/*LINTED*/
741 	w10 =  LOAD_BIG_64(blk + 8 * 10);
742 	SHA512ROUND(g, h, a, b, c, d, e, f, 10, w10);
743 	/*LINTED*/
744 	w11 =  LOAD_BIG_64(blk + 8 * 11);
745 	SHA512ROUND(f, g, h, a, b, c, d, e, 11, w11);
746 	/*LINTED*/
747 	w12 =  LOAD_BIG_64(blk + 8 * 12);
748 	SHA512ROUND(e, f, g, h, a, b, c, d, 12, w12);
749 	/*LINTED*/
750 	w13 =  LOAD_BIG_64(blk + 8 * 13);
751 	SHA512ROUND(d, e, f, g, h, a, b, c, 13, w13);
752 	/*LINTED*/
753 	w14 =  LOAD_BIG_64(blk + 8 * 14);
754 	SHA512ROUND(c, d, e, f, g, h, a, b, 14, w14);
755 	/*LINTED*/
756 	w15 =  LOAD_BIG_64(blk + 8 * 15);
757 	SHA512ROUND(b, c, d, e, f, g, h, a, 15, w15);
758 
759 #else
760 
761 	w0 =  LOAD_BIG_64(blk + 8 * 0);
762 	SHA512ROUND(a, b, c, d, e, f, g, h, 0, w0);
763 	w1 =  LOAD_BIG_64(blk + 8 * 1);
764 	SHA512ROUND(h, a, b, c, d, e, f, g, 1, w1);
765 	w2 =  LOAD_BIG_64(blk + 8 * 2);
766 	SHA512ROUND(g, h, a, b, c, d, e, f, 2, w2);
767 	w3 =  LOAD_BIG_64(blk + 8 * 3);
768 	SHA512ROUND(f, g, h, a, b, c, d, e, 3, w3);
769 	w4 =  LOAD_BIG_64(blk + 8 * 4);
770 	SHA512ROUND(e, f, g, h, a, b, c, d, 4, w4);
771 	w5 =  LOAD_BIG_64(blk + 8 * 5);
772 	SHA512ROUND(d, e, f, g, h, a, b, c, 5, w5);
773 	w6 =  LOAD_BIG_64(blk + 8 * 6);
774 	SHA512ROUND(c, d, e, f, g, h, a, b, 6, w6);
775 	w7 =  LOAD_BIG_64(blk + 8 * 7);
776 	SHA512ROUND(b, c, d, e, f, g, h, a, 7, w7);
777 	w8 =  LOAD_BIG_64(blk + 8 * 8);
778 	SHA512ROUND(a, b, c, d, e, f, g, h, 8, w8);
779 	w9 =  LOAD_BIG_64(blk + 8 * 9);
780 	SHA512ROUND(h, a, b, c, d, e, f, g, 9, w9);
781 	w10 =  LOAD_BIG_64(blk + 8 * 10);
782 	SHA512ROUND(g, h, a, b, c, d, e, f, 10, w10);
783 	w11 =  LOAD_BIG_64(blk + 8 * 11);
784 	SHA512ROUND(f, g, h, a, b, c, d, e, 11, w11);
785 	w12 =  LOAD_BIG_64(blk + 8 * 12);
786 	SHA512ROUND(e, f, g, h, a, b, c, d, 12, w12);
787 	w13 =  LOAD_BIG_64(blk + 8 * 13);
788 	SHA512ROUND(d, e, f, g, h, a, b, c, 13, w13);
789 	w14 =  LOAD_BIG_64(blk + 8 * 14);
790 	SHA512ROUND(c, d, e, f, g, h, a, b, 14, w14);
791 	w15 =  LOAD_BIG_64(blk + 8 * 15);
792 	SHA512ROUND(b, c, d, e, f, g, h, a, 15, w15);
793 
794 #endif
795 
796 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
797 	SHA512ROUND(a, b, c, d, e, f, g, h, 16, w0);
798 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
799 	SHA512ROUND(h, a, b, c, d, e, f, g, 17, w1);
800 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
801 	SHA512ROUND(g, h, a, b, c, d, e, f, 18, w2);
802 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
803 	SHA512ROUND(f, g, h, a, b, c, d, e, 19, w3);
804 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
805 	SHA512ROUND(e, f, g, h, a, b, c, d, 20, w4);
806 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
807 	SHA512ROUND(d, e, f, g, h, a, b, c, 21, w5);
808 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
809 	SHA512ROUND(c, d, e, f, g, h, a, b, 22, w6);
810 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
811 	SHA512ROUND(b, c, d, e, f, g, h, a, 23, w7);
812 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
813 	SHA512ROUND(a, b, c, d, e, f, g, h, 24, w8);
814 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
815 	SHA512ROUND(h, a, b, c, d, e, f, g, 25, w9);
816 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
817 	SHA512ROUND(g, h, a, b, c, d, e, f, 26, w10);
818 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
819 	SHA512ROUND(f, g, h, a, b, c, d, e, 27, w11);
820 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
821 	SHA512ROUND(e, f, g, h, a, b, c, d, 28, w12);
822 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
823 	SHA512ROUND(d, e, f, g, h, a, b, c, 29, w13);
824 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
825 	SHA512ROUND(c, d, e, f, g, h, a, b, 30, w14);
826 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
827 	SHA512ROUND(b, c, d, e, f, g, h, a, 31, w15);
828 
829 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
830 	SHA512ROUND(a, b, c, d, e, f, g, h, 32, w0);
831 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
832 	SHA512ROUND(h, a, b, c, d, e, f, g, 33, w1);
833 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
834 	SHA512ROUND(g, h, a, b, c, d, e, f, 34, w2);
835 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
836 	SHA512ROUND(f, g, h, a, b, c, d, e, 35, w3);
837 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
838 	SHA512ROUND(e, f, g, h, a, b, c, d, 36, w4);
839 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
840 	SHA512ROUND(d, e, f, g, h, a, b, c, 37, w5);
841 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
842 	SHA512ROUND(c, d, e, f, g, h, a, b, 38, w6);
843 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
844 	SHA512ROUND(b, c, d, e, f, g, h, a, 39, w7);
845 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
846 	SHA512ROUND(a, b, c, d, e, f, g, h, 40, w8);
847 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
848 	SHA512ROUND(h, a, b, c, d, e, f, g, 41, w9);
849 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
850 	SHA512ROUND(g, h, a, b, c, d, e, f, 42, w10);
851 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
852 	SHA512ROUND(f, g, h, a, b, c, d, e, 43, w11);
853 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
854 	SHA512ROUND(e, f, g, h, a, b, c, d, 44, w12);
855 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
856 	SHA512ROUND(d, e, f, g, h, a, b, c, 45, w13);
857 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
858 	SHA512ROUND(c, d, e, f, g, h, a, b, 46, w14);
859 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
860 	SHA512ROUND(b, c, d, e, f, g, h, a, 47, w15);
861 
862 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
863 	SHA512ROUND(a, b, c, d, e, f, g, h, 48, w0);
864 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
865 	SHA512ROUND(h, a, b, c, d, e, f, g, 49, w1);
866 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
867 	SHA512ROUND(g, h, a, b, c, d, e, f, 50, w2);
868 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
869 	SHA512ROUND(f, g, h, a, b, c, d, e, 51, w3);
870 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
871 	SHA512ROUND(e, f, g, h, a, b, c, d, 52, w4);
872 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
873 	SHA512ROUND(d, e, f, g, h, a, b, c, 53, w5);
874 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
875 	SHA512ROUND(c, d, e, f, g, h, a, b, 54, w6);
876 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
877 	SHA512ROUND(b, c, d, e, f, g, h, a, 55, w7);
878 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
879 	SHA512ROUND(a, b, c, d, e, f, g, h, 56, w8);
880 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
881 	SHA512ROUND(h, a, b, c, d, e, f, g, 57, w9);
882 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
883 	SHA512ROUND(g, h, a, b, c, d, e, f, 58, w10);
884 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
885 	SHA512ROUND(f, g, h, a, b, c, d, e, 59, w11);
886 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
887 	SHA512ROUND(e, f, g, h, a, b, c, d, 60, w12);
888 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
889 	SHA512ROUND(d, e, f, g, h, a, b, c, 61, w13);
890 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
891 	SHA512ROUND(c, d, e, f, g, h, a, b, 62, w14);
892 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
893 	SHA512ROUND(b, c, d, e, f, g, h, a, 63, w15);
894 
895 	w0 = SIGMA1(w14) + w9 + SIGMA0(w1) + w0;
896 	SHA512ROUND(a, b, c, d, e, f, g, h, 64, w0);
897 	w1 = SIGMA1(w15) + w10 + SIGMA0(w2) + w1;
898 	SHA512ROUND(h, a, b, c, d, e, f, g, 65, w1);
899 	w2 = SIGMA1(w0) + w11 + SIGMA0(w3) + w2;
900 	SHA512ROUND(g, h, a, b, c, d, e, f, 66, w2);
901 	w3 = SIGMA1(w1) + w12 + SIGMA0(w4) + w3;
902 	SHA512ROUND(f, g, h, a, b, c, d, e, 67, w3);
903 	w4 = SIGMA1(w2) + w13 + SIGMA0(w5) + w4;
904 	SHA512ROUND(e, f, g, h, a, b, c, d, 68, w4);
905 	w5 = SIGMA1(w3) + w14 + SIGMA0(w6) + w5;
906 	SHA512ROUND(d, e, f, g, h, a, b, c, 69, w5);
907 	w6 = SIGMA1(w4) + w15 + SIGMA0(w7) + w6;
908 	SHA512ROUND(c, d, e, f, g, h, a, b, 70, w6);
909 	w7 = SIGMA1(w5) + w0 + SIGMA0(w8) + w7;
910 	SHA512ROUND(b, c, d, e, f, g, h, a, 71, w7);
911 	w8 = SIGMA1(w6) + w1 + SIGMA0(w9) + w8;
912 	SHA512ROUND(a, b, c, d, e, f, g, h, 72, w8);
913 	w9 = SIGMA1(w7) + w2 + SIGMA0(w10) + w9;
914 	SHA512ROUND(h, a, b, c, d, e, f, g, 73, w9);
915 	w10 = SIGMA1(w8) + w3 + SIGMA0(w11) + w10;
916 	SHA512ROUND(g, h, a, b, c, d, e, f, 74, w10);
917 	w11 = SIGMA1(w9) + w4 + SIGMA0(w12) + w11;
918 	SHA512ROUND(f, g, h, a, b, c, d, e, 75, w11);
919 	w12 = SIGMA1(w10) + w5 + SIGMA0(w13) + w12;
920 	SHA512ROUND(e, f, g, h, a, b, c, d, 76, w12);
921 	w13 = SIGMA1(w11) + w6 + SIGMA0(w14) + w13;
922 	SHA512ROUND(d, e, f, g, h, a, b, c, 77, w13);
923 	w14 = SIGMA1(w12) + w7 + SIGMA0(w15) + w14;
924 	SHA512ROUND(c, d, e, f, g, h, a, b, 78, w14);
925 	w15 = SIGMA1(w13) + w8 + SIGMA0(w0) + w15;
926 	SHA512ROUND(b, c, d, e, f, g, h, a, 79, w15);
927 
928 	ctx->state.s64[0] += a;
929 	ctx->state.s64[1] += b;
930 	ctx->state.s64[2] += c;
931 	ctx->state.s64[3] += d;
932 	ctx->state.s64[4] += e;
933 	ctx->state.s64[5] += f;
934 	ctx->state.s64[6] += g;
935 	ctx->state.s64[7] += h;
936 
937 }
938 
939 
940 /*
941  * devpro compiler optimization:
942  *
943  * the compiler can generate better code if it knows that `input' and
944  * `output' do not point to the same source.  there is no portable
945  * way to tell the compiler this, but the sun compiler recognizes the
946  * `_Restrict' keyword to indicate this condition.  use it if possible.
947  */
948 
949 #ifdef	__RESTRICT
950 #define	restrict	_Restrict
951 #else
952 #define	restrict	/* nothing */
953 #endif
954 
955 /*
956  * Encode()
957  *
958  * purpose: to convert a list of numbers from little endian to big endian
959  *   input: uint8_t *	: place to store the converted big endian numbers
960  *	    uint32_t *	: place to get numbers to convert from
961  *          size_t	: the length of the input in bytes
962  *  output: void
963  */
964 
965 static void
966 Encode(uint8_t *restrict output, uint32_t *restrict input, size_t len)
967 {
968 	size_t		i, j;
969 
970 #if	defined(__sparc)
971 	if (IS_P2ALIGNED(output, sizeof (uint32_t))) {
972 		for (i = 0, j = 0; j < len; i++, j += 4) {
973 			/* LINTED: pointer alignment */
974 			*((uint32_t *)(output + j)) = input[i];
975 		}
976 	} else {
977 #endif	/* little endian -- will work on big endian, but slowly */
978 		for (i = 0, j = 0; j < len; i++, j += 4) {
979 			output[j]	= (input[i] >> 24) & 0xff;
980 			output[j + 1]	= (input[i] >> 16) & 0xff;
981 			output[j + 2]	= (input[i] >>  8) & 0xff;
982 			output[j + 3]	= input[i] & 0xff;
983 		}
984 #if	defined(__sparc)
985 	}
986 #endif
987 }
988 
989 static void
990 Encode64(uint8_t *restrict output, uint64_t *restrict input, size_t len)
991 {
992 	size_t		i, j;
993 
994 #if	defined(__sparc)
995 	if (IS_P2ALIGNED(output, sizeof (uint64_t))) {
996 		for (i = 0, j = 0; j < len; i++, j += 8) {
997 			/* LINTED: pointer alignment */
998 			*((uint64_t *)(output + j)) = input[i];
999 		}
1000 	} else {
1001 #endif	/* little endian -- will work on big endian, but slowly */
1002 		for (i = 0, j = 0; j < len; i++, j += 8) {
1003 
1004 			output[j]	= (input[i] >> 56) & 0xff;
1005 			output[j + 1]	= (input[i] >> 48) & 0xff;
1006 			output[j + 2]	= (input[i] >> 40) & 0xff;
1007 			output[j + 3]	= (input[i] >> 32) & 0xff;
1008 			output[j + 4]	= (input[i] >> 24) & 0xff;
1009 			output[j + 5]	= (input[i] >> 16) & 0xff;
1010 			output[j + 6]	= (input[i] >>  8) & 0xff;
1011 			output[j + 7]	= input[i] & 0xff;
1012 		}
1013 #if	defined(__sparc)
1014 	}
1015 #endif
1016 }
1017 
1018 
1019 #ifdef _KERNEL
1020 
1021 /*
1022  * KCF software provider control entry points.
1023  */
1024 /* ARGSUSED */
1025 static void
1026 sha2_provider_status(crypto_provider_handle_t provider, uint_t *status)
1027 {
1028 	*status = CRYPTO_PROVIDER_READY;
1029 }
1030 
1031 /*
1032  * KCF software provider digest entry points.
1033  */
1034 
1035 static int
1036 sha2_digest_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1037     crypto_req_handle_t req)
1038 {
1039 
1040 	/*
1041 	 * Allocate and initialize SHA2 context.
1042 	 */
1043 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_ctx_t),
1044 	    crypto_kmflag(req));
1045 	if (ctx->cc_provider_private == NULL)
1046 		return (CRYPTO_HOST_MEMORY);
1047 
1048 	PROV_SHA2_CTX(ctx)->sc_mech_type = mechanism->cm_type;
1049 	SHA2Init(mechanism->cm_type, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
1050 
1051 	return (CRYPTO_SUCCESS);
1052 }
1053 
1054 /*
1055  * Helper SHA2 digest update function for uio data.
1056  */
1057 static int
1058 sha2_digest_update_uio(SHA2_CTX *sha2_ctx, crypto_data_t *data)
1059 {
1060 	off_t offset = data->cd_offset;
1061 	size_t length = data->cd_length;
1062 	uint_t vec_idx;
1063 	size_t cur_len;
1064 
1065 	/* we support only kernel buffer */
1066 	if (data->cd_uio->uio_segflg != UIO_SYSSPACE)
1067 		return (CRYPTO_ARGUMENTS_BAD);
1068 
1069 	/*
1070 	 * Jump to the first iovec containing data to be
1071 	 * digested.
1072 	 */
1073 	for (vec_idx = 0; vec_idx < data->cd_uio->uio_iovcnt &&
1074 	    offset >= data->cd_uio->uio_iov[vec_idx].iov_len;
1075 	    offset -= data->cd_uio->uio_iov[vec_idx++].iov_len);
1076 	if (vec_idx == data->cd_uio->uio_iovcnt) {
1077 		/*
1078 		 * The caller specified an offset that is larger than the
1079 		 * total size of the buffers it provided.
1080 		 */
1081 		return (CRYPTO_DATA_LEN_RANGE);
1082 	}
1083 
1084 	/*
1085 	 * Now do the digesting on the iovecs.
1086 	 */
1087 	while (vec_idx < data->cd_uio->uio_iovcnt && length > 0) {
1088 		cur_len = MIN(data->cd_uio->uio_iov[vec_idx].iov_len -
1089 		    offset, length);
1090 
1091 		SHA2Update(sha2_ctx, (uint8_t *)data->cd_uio->
1092 		    uio_iov[vec_idx].iov_base + offset, cur_len);
1093 		length -= cur_len;
1094 		vec_idx++;
1095 		offset = 0;
1096 	}
1097 
1098 	if (vec_idx == data->cd_uio->uio_iovcnt && length > 0) {
1099 		/*
1100 		 * The end of the specified iovec's was reached but
1101 		 * the length requested could not be processed, i.e.
1102 		 * The caller requested to digest more data than it provided.
1103 		 */
1104 		return (CRYPTO_DATA_LEN_RANGE);
1105 	}
1106 
1107 	return (CRYPTO_SUCCESS);
1108 }
1109 
1110 /*
1111  * Helper SHA2 digest final function for uio data.
1112  * digest_len is the length of the desired digest. If digest_len
1113  * is smaller than the default SHA2 digest length, the caller
1114  * must pass a scratch buffer, digest_scratch, which must
1115  * be at least the algorithm's digest length bytes.
1116  */
1117 static int
1118 sha2_digest_final_uio(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
1119     ulong_t digest_len, uchar_t *digest_scratch)
1120 {
1121 	off_t offset = digest->cd_offset;
1122 	uint_t vec_idx;
1123 
1124 	/* we support only kernel buffer */
1125 	if (digest->cd_uio->uio_segflg != UIO_SYSSPACE)
1126 		return (CRYPTO_ARGUMENTS_BAD);
1127 
1128 	/*
1129 	 * Jump to the first iovec containing ptr to the digest to
1130 	 * be returned.
1131 	 */
1132 	for (vec_idx = 0; offset >= digest->cd_uio->uio_iov[vec_idx].iov_len &&
1133 	    vec_idx < digest->cd_uio->uio_iovcnt;
1134 	    offset -= digest->cd_uio->uio_iov[vec_idx++].iov_len);
1135 	if (vec_idx == digest->cd_uio->uio_iovcnt) {
1136 		/*
1137 		 * The caller specified an offset that is
1138 		 * larger than the total size of the buffers
1139 		 * it provided.
1140 		 */
1141 		return (CRYPTO_DATA_LEN_RANGE);
1142 	}
1143 
1144 	if (offset + digest_len <=
1145 	    digest->cd_uio->uio_iov[vec_idx].iov_len) {
1146 		/*
1147 		 * The computed SHA2 digest will fit in the current
1148 		 * iovec.
1149 		 */
1150 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
1151 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
1152 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
1153 			(digest_len != SHA512_DIGEST_LENGTH))) {
1154 			/*
1155 			 * The caller requested a short digest. Digest
1156 			 * into a scratch buffer and return to
1157 			 * the user only what was requested.
1158 			 */
1159 			SHA2Final(digest_scratch, sha2_ctx);
1160 
1161 			bcopy(digest_scratch, (uchar_t *)digest->
1162 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
1163 			    digest_len);
1164 		} else {
1165 			SHA2Final((uchar_t *)digest->
1166 			    cd_uio->uio_iov[vec_idx].iov_base + offset,
1167 			    sha2_ctx);
1168 
1169 		}
1170 	} else {
1171 		/*
1172 		 * The computed digest will be crossing one or more iovec's.
1173 		 * This is bad performance-wise but we need to support it.
1174 		 * Allocate a small scratch buffer on the stack and
1175 		 * copy it piece meal to the specified digest iovec's.
1176 		 */
1177 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
1178 		off_t scratch_offset = 0;
1179 		size_t length = digest_len;
1180 		size_t cur_len;
1181 
1182 		SHA2Final(digest_tmp, sha2_ctx);
1183 
1184 		while (vec_idx < digest->cd_uio->uio_iovcnt && length > 0) {
1185 			cur_len =
1186 			    MIN(digest->cd_uio->uio_iov[vec_idx].iov_len -
1187 				    offset, length);
1188 			bcopy(digest_tmp + scratch_offset,
1189 			    digest->cd_uio->uio_iov[vec_idx].iov_base + offset,
1190 			    cur_len);
1191 
1192 			length -= cur_len;
1193 			vec_idx++;
1194 			scratch_offset += cur_len;
1195 			offset = 0;
1196 		}
1197 
1198 		if (vec_idx == digest->cd_uio->uio_iovcnt && length > 0) {
1199 			/*
1200 			 * The end of the specified iovec's was reached but
1201 			 * the length requested could not be processed, i.e.
1202 			 * The caller requested to digest more data than it
1203 			 * provided.
1204 			 */
1205 			return (CRYPTO_DATA_LEN_RANGE);
1206 		}
1207 	}
1208 
1209 	return (CRYPTO_SUCCESS);
1210 }
1211 
1212 /*
1213  * Helper SHA2 digest update for mblk's.
1214  */
1215 static int
1216 sha2_digest_update_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *data)
1217 {
1218 	off_t offset = data->cd_offset;
1219 	size_t length = data->cd_length;
1220 	mblk_t *mp;
1221 	size_t cur_len;
1222 
1223 	/*
1224 	 * Jump to the first mblk_t containing data to be digested.
1225 	 */
1226 	for (mp = data->cd_mp; mp != NULL && offset >= MBLKL(mp);
1227 	    offset -= MBLKL(mp), mp = mp->b_cont);
1228 	if (mp == NULL) {
1229 		/*
1230 		 * The caller specified an offset that is larger than the
1231 		 * total size of the buffers it provided.
1232 		 */
1233 		return (CRYPTO_DATA_LEN_RANGE);
1234 	}
1235 
1236 	/*
1237 	 * Now do the digesting on the mblk chain.
1238 	 */
1239 	while (mp != NULL && length > 0) {
1240 		cur_len = MIN(MBLKL(mp) - offset, length);
1241 		SHA2Update(sha2_ctx, mp->b_rptr + offset, cur_len);
1242 		length -= cur_len;
1243 		offset = 0;
1244 		mp = mp->b_cont;
1245 	}
1246 
1247 	if (mp == NULL && length > 0) {
1248 		/*
1249 		 * The end of the mblk was reached but the length requested
1250 		 * could not be processed, i.e. The caller requested
1251 		 * to digest more data than it provided.
1252 		 */
1253 		return (CRYPTO_DATA_LEN_RANGE);
1254 	}
1255 
1256 	return (CRYPTO_SUCCESS);
1257 }
1258 
1259 /*
1260  * Helper SHA2 digest final for mblk's.
1261  * digest_len is the length of the desired digest. If digest_len
1262  * is smaller than the default SHA2 digest length, the caller
1263  * must pass a scratch buffer, digest_scratch, which must
1264  * be at least the algorithm's digest length bytes.
1265  */
1266 static int
1267 sha2_digest_final_mblk(SHA2_CTX *sha2_ctx, crypto_data_t *digest,
1268     ulong_t digest_len, uchar_t *digest_scratch)
1269 {
1270 	off_t offset = digest->cd_offset;
1271 	mblk_t *mp;
1272 
1273 	/*
1274 	 * Jump to the first mblk_t that will be used to store the digest.
1275 	 */
1276 	for (mp = digest->cd_mp; mp != NULL && offset >= MBLKL(mp);
1277 	    offset -= MBLKL(mp), mp = mp->b_cont);
1278 	if (mp == NULL) {
1279 		/*
1280 		 * The caller specified an offset that is larger than the
1281 		 * total size of the buffers it provided.
1282 		 */
1283 		return (CRYPTO_DATA_LEN_RANGE);
1284 	}
1285 
1286 	if (offset + digest_len <= MBLKL(mp)) {
1287 		/*
1288 		 * The computed SHA2 digest will fit in the current mblk.
1289 		 * Do the SHA2Final() in-place.
1290 		 */
1291 		if (((sha2_ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
1292 		    (digest_len != SHA256_DIGEST_LENGTH)) ||
1293 		    ((sha2_ctx->algotype > SHA256_HMAC_GEN_MECH_INFO_TYPE) &&
1294 			(digest_len != SHA512_DIGEST_LENGTH))) {
1295 			/*
1296 			 * The caller requested a short digest. Digest
1297 			 * into a scratch buffer and return to
1298 			 * the user only what was requested.
1299 			 */
1300 			SHA2Final(digest_scratch, sha2_ctx);
1301 			bcopy(digest_scratch, mp->b_rptr + offset, digest_len);
1302 		} else {
1303 			SHA2Final(mp->b_rptr + offset, sha2_ctx);
1304 		}
1305 	} else {
1306 		/*
1307 		 * The computed digest will be crossing one or more mblk's.
1308 		 * This is bad performance-wise but we need to support it.
1309 		 * Allocate a small scratch buffer on the stack and
1310 		 * copy it piece meal to the specified digest iovec's.
1311 		 */
1312 		uchar_t digest_tmp[SHA512_DIGEST_LENGTH];
1313 		off_t scratch_offset = 0;
1314 		size_t length = digest_len;
1315 		size_t cur_len;
1316 
1317 		SHA2Final(digest_tmp, sha2_ctx);
1318 
1319 		while (mp != NULL && length > 0) {
1320 			cur_len = MIN(MBLKL(mp) - offset, length);
1321 			bcopy(digest_tmp + scratch_offset,
1322 			    mp->b_rptr + offset, cur_len);
1323 
1324 			length -= cur_len;
1325 			mp = mp->b_cont;
1326 			scratch_offset += cur_len;
1327 			offset = 0;
1328 		}
1329 
1330 		if (mp == NULL && length > 0) {
1331 			/*
1332 			 * The end of the specified mblk was reached but
1333 			 * the length requested could not be processed, i.e.
1334 			 * The caller requested to digest more data than it
1335 			 * provided.
1336 			 */
1337 			return (CRYPTO_DATA_LEN_RANGE);
1338 		}
1339 	}
1340 
1341 	return (CRYPTO_SUCCESS);
1342 }
1343 
1344 /* ARGSUSED */
1345 static int
1346 sha2_digest(crypto_ctx_t *ctx, crypto_data_t *data, crypto_data_t *digest,
1347     crypto_req_handle_t req)
1348 {
1349 	int ret = CRYPTO_SUCCESS;
1350 	uint_t sha_digest_len;
1351 
1352 	ASSERT(ctx->cc_provider_private != NULL);
1353 
1354 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
1355 	case SHA256_MECH_INFO_TYPE:
1356 		sha_digest_len = SHA256_DIGEST_LENGTH;
1357 		break;
1358 	case SHA384_MECH_INFO_TYPE:
1359 		sha_digest_len = SHA384_DIGEST_LENGTH;
1360 		break;
1361 	case SHA512_MECH_INFO_TYPE:
1362 		sha_digest_len = SHA512_DIGEST_LENGTH;
1363 		break;
1364 	default:
1365 		return (CRYPTO_MECHANISM_INVALID);
1366 	}
1367 
1368 	/*
1369 	 * We need to just return the length needed to store the output.
1370 	 * We should not destroy the context for the following cases.
1371 	 */
1372 	if ((digest->cd_length == 0) ||
1373 	    (digest->cd_length < sha_digest_len)) {
1374 		digest->cd_length = sha_digest_len;
1375 		return (CRYPTO_BUFFER_TOO_SMALL);
1376 	}
1377 
1378 	/*
1379 	 * Do the SHA2 update on the specified input data.
1380 	 */
1381 	switch (data->cd_format) {
1382 	case CRYPTO_DATA_RAW:
1383 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1384 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1385 		    data->cd_length);
1386 		break;
1387 	case CRYPTO_DATA_UIO:
1388 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1389 		    data);
1390 		break;
1391 	case CRYPTO_DATA_MBLK:
1392 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1393 		    data);
1394 		break;
1395 	default:
1396 		ret = CRYPTO_ARGUMENTS_BAD;
1397 	}
1398 
1399 	if (ret != CRYPTO_SUCCESS) {
1400 		/* the update failed, free context and bail */
1401 		kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
1402 		ctx->cc_provider_private = NULL;
1403 		digest->cd_length = 0;
1404 		return (ret);
1405 	}
1406 
1407 	/*
1408 	 * Do a SHA2 final, must be done separately since the digest
1409 	 * type can be different than the input data type.
1410 	 */
1411 	switch (digest->cd_format) {
1412 	case CRYPTO_DATA_RAW:
1413 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
1414 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
1415 		break;
1416 	case CRYPTO_DATA_UIO:
1417 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1418 		    digest, sha_digest_len, NULL);
1419 		break;
1420 	case CRYPTO_DATA_MBLK:
1421 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1422 		    digest, sha_digest_len, NULL);
1423 		break;
1424 	default:
1425 		ret = CRYPTO_ARGUMENTS_BAD;
1426 	}
1427 
1428 	/* all done, free context and return */
1429 
1430 	if (ret == CRYPTO_SUCCESS)
1431 		digest->cd_length = sha_digest_len;
1432 	else
1433 		digest->cd_length = 0;
1434 
1435 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
1436 	ctx->cc_provider_private = NULL;
1437 	return (ret);
1438 }
1439 
1440 /* ARGSUSED */
1441 static int
1442 sha2_digest_update(crypto_ctx_t *ctx, crypto_data_t *data,
1443     crypto_req_handle_t req)
1444 {
1445 	int ret = CRYPTO_SUCCESS;
1446 
1447 	ASSERT(ctx->cc_provider_private != NULL);
1448 
1449 	/*
1450 	 * Do the SHA2 update on the specified input data.
1451 	 */
1452 	switch (data->cd_format) {
1453 	case CRYPTO_DATA_RAW:
1454 		SHA2Update(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1455 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1456 		    data->cd_length);
1457 		break;
1458 	case CRYPTO_DATA_UIO:
1459 		ret = sha2_digest_update_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1460 		    data);
1461 		break;
1462 	case CRYPTO_DATA_MBLK:
1463 		ret = sha2_digest_update_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1464 		    data);
1465 		break;
1466 	default:
1467 		ret = CRYPTO_ARGUMENTS_BAD;
1468 	}
1469 
1470 	return (ret);
1471 }
1472 
1473 /* ARGSUSED */
1474 static int
1475 sha2_digest_final(crypto_ctx_t *ctx, crypto_data_t *digest,
1476     crypto_req_handle_t req)
1477 {
1478 	int ret = CRYPTO_SUCCESS;
1479 	uint_t sha_digest_len;
1480 
1481 	ASSERT(ctx->cc_provider_private != NULL);
1482 
1483 	switch (PROV_SHA2_CTX(ctx)->sc_mech_type) {
1484 	case SHA256_MECH_INFO_TYPE:
1485 		sha_digest_len = SHA256_DIGEST_LENGTH;
1486 		break;
1487 	case SHA384_MECH_INFO_TYPE:
1488 		sha_digest_len = SHA384_DIGEST_LENGTH;
1489 		break;
1490 	case SHA512_MECH_INFO_TYPE:
1491 		sha_digest_len = SHA512_DIGEST_LENGTH;
1492 		break;
1493 	default:
1494 		return (CRYPTO_MECHANISM_INVALID);
1495 	}
1496 
1497 	/*
1498 	 * We need to just return the length needed to store the output.
1499 	 * We should not destroy the context for the following cases.
1500 	 */
1501 	if ((digest->cd_length == 0) ||
1502 	    (digest->cd_length < sha_digest_len)) {
1503 		digest->cd_length = sha_digest_len;
1504 		return (CRYPTO_BUFFER_TOO_SMALL);
1505 	}
1506 
1507 	/*
1508 	 * Do a SHA2 final.
1509 	 */
1510 	switch (digest->cd_format) {
1511 	case CRYPTO_DATA_RAW:
1512 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
1513 		    digest->cd_offset, &PROV_SHA2_CTX(ctx)->sc_sha2_ctx);
1514 		break;
1515 	case CRYPTO_DATA_UIO:
1516 		ret = sha2_digest_final_uio(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1517 		    digest, sha_digest_len, NULL);
1518 		break;
1519 	case CRYPTO_DATA_MBLK:
1520 		ret = sha2_digest_final_mblk(&PROV_SHA2_CTX(ctx)->sc_sha2_ctx,
1521 		    digest, sha_digest_len, NULL);
1522 		break;
1523 	default:
1524 		ret = CRYPTO_ARGUMENTS_BAD;
1525 	}
1526 
1527 	/* all done, free context and return */
1528 
1529 	if (ret == CRYPTO_SUCCESS)
1530 		digest->cd_length = sha_digest_len;
1531 	else
1532 		digest->cd_length = 0;
1533 
1534 	kmem_free(ctx->cc_provider_private, sizeof (sha2_ctx_t));
1535 	ctx->cc_provider_private = NULL;
1536 
1537 	return (ret);
1538 }
1539 
1540 /* ARGSUSED */
1541 static int
1542 sha2_digest_atomic(crypto_provider_handle_t provider,
1543     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1544     crypto_data_t *data, crypto_data_t *digest,
1545     crypto_req_handle_t req)
1546 {
1547 	int ret = CRYPTO_SUCCESS;
1548 	SHA2_CTX sha2_ctx;
1549 	uint32_t sha_digest_len;
1550 
1551 	/*
1552 	 * Do the SHA inits.
1553 	 */
1554 
1555 	SHA2Init(mechanism->cm_type, &sha2_ctx);
1556 
1557 	switch (data->cd_format) {
1558 	case CRYPTO_DATA_RAW:
1559 		SHA2Update(&sha2_ctx, (uint8_t *)data->
1560 		    cd_raw.iov_base + data->cd_offset, data->cd_length);
1561 		break;
1562 	case CRYPTO_DATA_UIO:
1563 		ret = sha2_digest_update_uio(&sha2_ctx, data);
1564 		break;
1565 	case CRYPTO_DATA_MBLK:
1566 		ret = sha2_digest_update_mblk(&sha2_ctx, data);
1567 		break;
1568 	default:
1569 		ret = CRYPTO_ARGUMENTS_BAD;
1570 	}
1571 
1572 	/*
1573 	 * Do the SHA updates on the specified input data.
1574 	 */
1575 
1576 	if (ret != CRYPTO_SUCCESS) {
1577 		/* the update failed, bail */
1578 		digest->cd_length = 0;
1579 		return (ret);
1580 	}
1581 
1582 	if (mechanism->cm_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
1583 		sha_digest_len = SHA256_DIGEST_LENGTH;
1584 	else
1585 		sha_digest_len = SHA512_DIGEST_LENGTH;
1586 
1587 	/*
1588 	 * Do a SHA2 final, must be done separately since the digest
1589 	 * type can be different than the input data type.
1590 	 */
1591 	switch (digest->cd_format) {
1592 	case CRYPTO_DATA_RAW:
1593 		SHA2Final((unsigned char *)digest->cd_raw.iov_base +
1594 		    digest->cd_offset, &sha2_ctx);
1595 		break;
1596 	case CRYPTO_DATA_UIO:
1597 		ret = sha2_digest_final_uio(&sha2_ctx, digest,
1598 		    sha_digest_len, NULL);
1599 		break;
1600 	case CRYPTO_DATA_MBLK:
1601 		ret = sha2_digest_final_mblk(&sha2_ctx, digest,
1602 		    sha_digest_len, NULL);
1603 		break;
1604 	default:
1605 		ret = CRYPTO_ARGUMENTS_BAD;
1606 	}
1607 
1608 	if (ret == CRYPTO_SUCCESS)
1609 		digest->cd_length = sha_digest_len;
1610 	else
1611 		digest->cd_length = 0;
1612 
1613 	return (ret);
1614 }
1615 
1616 /*
1617  * KCF software provider mac entry points.
1618  *
1619  * SHA2 HMAC is: SHA2(key XOR opad, SHA2(key XOR ipad, text))
1620  *
1621  * Init:
1622  * The initialization routine initializes what we denote
1623  * as the inner and outer contexts by doing
1624  * - for inner context: SHA2(key XOR ipad)
1625  * - for outer context: SHA2(key XOR opad)
1626  *
1627  * Update:
1628  * Each subsequent SHA2 HMAC update will result in an
1629  * update of the inner context with the specified data.
1630  *
1631  * Final:
1632  * The SHA2 HMAC final will do a SHA2 final operation on the
1633  * inner context, and the resulting digest will be used
1634  * as the data for an update on the outer context. Last
1635  * but not least, a SHA2 final on the outer context will
1636  * be performed to obtain the SHA2 HMAC digest to return
1637  * to the user.
1638  */
1639 
1640 /*
1641  * Initialize a SHA2-HMAC context.
1642  */
1643 static void
1644 sha2_mac_init_ctx(sha2_hmac_ctx_t *ctx, void *keyval, uint_t length_in_bytes)
1645 {
1646 	uint64_t ipad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
1647 	uint64_t opad[SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t)];
1648 	int i, block_size, blocks_per_int64;
1649 
1650 	/* Determine the block size */
1651 	if (ctx->hc_mech_type <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
1652 		block_size = SHA256_HMAC_BLOCK_SIZE;
1653 		blocks_per_int64 = SHA256_HMAC_BLOCK_SIZE / sizeof (uint64_t);
1654 	} else {
1655 		block_size = SHA512_HMAC_BLOCK_SIZE;
1656 		blocks_per_int64 = SHA512_HMAC_BLOCK_SIZE / sizeof (uint64_t);
1657 	}
1658 
1659 	(void) bzero(ipad, block_size);
1660 	(void) bzero(opad, block_size);
1661 	(void) bcopy(keyval, ipad, length_in_bytes);
1662 	(void) bcopy(keyval, opad, length_in_bytes);
1663 
1664 	/* XOR key with ipad (0x36) and opad (0x5c) */
1665 	for (i = 0; i < blocks_per_int64; i ++) {
1666 		ipad[i] ^= 0x3636363636363636;
1667 		opad[i] ^= 0x5c5c5c5c5c5c5c5c;
1668 	}
1669 
1670 	/* perform SHA2 on ipad */
1671 	SHA2Init(ctx->hc_mech_type, &ctx->hc_icontext);
1672 	SHA2Update(&ctx->hc_icontext, (uint8_t *)ipad, block_size);
1673 
1674 	/* perform SHA2 on opad */
1675 	SHA2Init(ctx->hc_mech_type, &ctx->hc_ocontext);
1676 	SHA2Update(&ctx->hc_ocontext, (uint8_t *)opad, block_size);
1677 
1678 }
1679 
1680 /*
1681  */
1682 static int
1683 sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism,
1684     crypto_key_t *key, crypto_spi_ctx_template_t ctx_template,
1685     crypto_req_handle_t req)
1686 {
1687 	int ret = CRYPTO_SUCCESS;
1688 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1689 	uint_t sha_digest_len, sha_hmac_block_size;
1690 
1691 	/*
1692 	 * Set the digest length and block size to values approriate to the
1693 	 * mechanism
1694 	 */
1695 	switch (mechanism->cm_type) {
1696 	case SHA256_HMAC_MECH_INFO_TYPE:
1697 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1698 		sha_digest_len = SHA256_DIGEST_LENGTH;
1699 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1700 		break;
1701 	case SHA384_HMAC_MECH_INFO_TYPE:
1702 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1703 	case SHA512_HMAC_MECH_INFO_TYPE:
1704 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1705 		sha_digest_len = SHA512_DIGEST_LENGTH;
1706 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1707 		break;
1708 	default:
1709 		return (CRYPTO_MECHANISM_INVALID);
1710 	}
1711 
1712 	if (key->ck_format != CRYPTO_KEY_RAW)
1713 		return (CRYPTO_ARGUMENTS_BAD);
1714 
1715 	ctx->cc_provider_private = kmem_alloc(sizeof (sha2_hmac_ctx_t),
1716 	    crypto_kmflag(req));
1717 	if (ctx->cc_provider_private == NULL)
1718 		return (CRYPTO_HOST_MEMORY);
1719 
1720 	if (ctx_template != NULL) {
1721 		/* reuse context template */
1722 		bcopy(ctx_template, PROV_SHA2_HMAC_CTX(ctx),
1723 		    sizeof (sha2_hmac_ctx_t));
1724 	} else {
1725 		/* no context template, compute context */
1726 		if (keylen_in_bytes > sha_hmac_block_size) {
1727 			uchar_t digested_key[SHA512_DIGEST_LENGTH];
1728 			sha2_hmac_ctx_t *hmac_ctx = ctx->cc_provider_private;
1729 
1730 			/*
1731 			 * Hash the passed-in key to get a smaller key.
1732 			 * The inner context is used since it hasn't been
1733 			 * initialized yet.
1734 			 */
1735 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1736 			    &hmac_ctx->hc_icontext,
1737 			    key->ck_data, keylen_in_bytes, digested_key);
1738 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
1739 			    digested_key, sha_digest_len);
1740 		} else {
1741 			sha2_mac_init_ctx(PROV_SHA2_HMAC_CTX(ctx),
1742 			    key->ck_data, keylen_in_bytes);
1743 		}
1744 	}
1745 
1746 	/*
1747 	 * Get the mechanism parameters, if applicable.
1748 	 */
1749 	PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type = mechanism->cm_type;
1750 	if (mechanism->cm_type % 3 == 2) {
1751 		if (mechanism->cm_param == NULL ||
1752 		    mechanism->cm_param_len != sizeof (ulong_t))
1753 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1754 		PROV_SHA2_GET_DIGEST_LEN(mechanism,
1755 		    PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len);
1756 		if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len)
1757 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1758 	}
1759 
1760 	if (ret != CRYPTO_SUCCESS) {
1761 		bzero(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1762 		kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1763 		ctx->cc_provider_private = NULL;
1764 	}
1765 
1766 	return (ret);
1767 }
1768 
1769 /* ARGSUSED */
1770 static int
1771 sha2_mac_update(crypto_ctx_t *ctx, crypto_data_t *data,
1772     crypto_req_handle_t req)
1773 {
1774 	int ret = CRYPTO_SUCCESS;
1775 
1776 	ASSERT(ctx->cc_provider_private != NULL);
1777 
1778 	/*
1779 	 * Do a SHA2 update of the inner context using the specified
1780 	 * data.
1781 	 */
1782 	switch (data->cd_format) {
1783 	case CRYPTO_DATA_RAW:
1784 		SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_icontext,
1785 		    (uint8_t *)data->cd_raw.iov_base + data->cd_offset,
1786 		    data->cd_length);
1787 		break;
1788 	case CRYPTO_DATA_UIO:
1789 		ret = sha2_digest_update_uio(
1790 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1791 		break;
1792 	case CRYPTO_DATA_MBLK:
1793 		ret = sha2_digest_update_mblk(
1794 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext, data);
1795 		break;
1796 	default:
1797 		ret = CRYPTO_ARGUMENTS_BAD;
1798 	}
1799 
1800 	return (ret);
1801 }
1802 
1803 /* ARGSUSED */
1804 static int
1805 sha2_mac_final(crypto_ctx_t *ctx, crypto_data_t *mac, crypto_req_handle_t req)
1806 {
1807 	int ret = CRYPTO_SUCCESS;
1808 	uchar_t digest[SHA512_DIGEST_LENGTH];
1809 	uint32_t digest_len, sha_digest_len;
1810 
1811 	ASSERT(ctx->cc_provider_private != NULL);
1812 
1813 	/* Set the digest lengths to values approriate to the mechanism */
1814 	switch (PROV_SHA2_HMAC_CTX(ctx)->hc_mech_type) {
1815 	case SHA256_HMAC_MECH_INFO_TYPE:
1816 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1817 		break;
1818 	case SHA384_HMAC_MECH_INFO_TYPE:
1819 	case SHA512_HMAC_MECH_INFO_TYPE:
1820 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1821 		break;
1822 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1823 		sha_digest_len = SHA256_DIGEST_LENGTH;
1824 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1825 		break;
1826 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1827 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1828 		sha_digest_len = SHA512_DIGEST_LENGTH;
1829 		digest_len = PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len;
1830 		break;
1831 	}
1832 
1833 	/*
1834 	 * We need to just return the length needed to store the output.
1835 	 * We should not destroy the context for the following cases.
1836 	 */
1837 	if ((mac->cd_length == 0) || (mac->cd_length < digest_len)) {
1838 		mac->cd_length = digest_len;
1839 		return (CRYPTO_BUFFER_TOO_SMALL);
1840 	}
1841 
1842 	/*
1843 	 * Do a SHA2 final on the inner context.
1844 	 */
1845 	SHA2Final(digest, &PROV_SHA2_HMAC_CTX(ctx)->hc_icontext);
1846 
1847 	/*
1848 	 * Do a SHA2 update on the outer context, feeding the inner
1849 	 * digest as data.
1850 	 */
1851 	SHA2Update(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, digest,
1852 	    sha_digest_len);
1853 
1854 	/*
1855 	 * Do a SHA2 final on the outer context, storing the computing
1856 	 * digest in the users buffer.
1857 	 */
1858 	switch (mac->cd_format) {
1859 	case CRYPTO_DATA_RAW:
1860 		if (digest_len != sha_digest_len) {
1861 			/*
1862 			 * The caller requested a short digest. Digest
1863 			 * into a scratch buffer and return to
1864 			 * the user only what was requested.
1865 			 */
1866 			SHA2Final(digest,
1867 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1868 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
1869 			    mac->cd_offset, digest_len);
1870 		} else {
1871 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
1872 			    mac->cd_offset,
1873 			    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext);
1874 		}
1875 		break;
1876 	case CRYPTO_DATA_UIO:
1877 		ret = sha2_digest_final_uio(
1878 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1879 		    digest_len, digest);
1880 		break;
1881 	case CRYPTO_DATA_MBLK:
1882 		ret = sha2_digest_final_mblk(
1883 		    &PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, mac,
1884 		    digest_len, digest);
1885 		break;
1886 	default:
1887 		ret = CRYPTO_ARGUMENTS_BAD;
1888 	}
1889 
1890 	if (ret == CRYPTO_SUCCESS)
1891 		mac->cd_length = digest_len;
1892 	else
1893 		mac->cd_length = 0;
1894 
1895 	bzero(&PROV_SHA2_HMAC_CTX(ctx)->hc_ocontext, sizeof (sha2_hmac_ctx_t));
1896 	kmem_free(ctx->cc_provider_private, sizeof (sha2_hmac_ctx_t));
1897 	ctx->cc_provider_private = NULL;
1898 
1899 	return (ret);
1900 }
1901 
1902 #define	SHA2_MAC_UPDATE(data, ctx, ret) {				\
1903 	switch (data->cd_format) {					\
1904 	case CRYPTO_DATA_RAW:						\
1905 		SHA2Update(&(ctx).hc_icontext,				\
1906 		    (uint8_t *)data->cd_raw.iov_base +			\
1907 		    data->cd_offset, data->cd_length);			\
1908 		break;							\
1909 	case CRYPTO_DATA_UIO:						\
1910 		ret = sha2_digest_update_uio(&(ctx).hc_icontext, data);	\
1911 		break;							\
1912 	case CRYPTO_DATA_MBLK:						\
1913 		ret = sha2_digest_update_mblk(&(ctx).hc_icontext,	\
1914 		    data);						\
1915 		break;							\
1916 	default:							\
1917 		ret = CRYPTO_ARGUMENTS_BAD;				\
1918 	}								\
1919 }
1920 
1921 /* ARGSUSED */
1922 static int
1923 sha2_mac_atomic(crypto_provider_handle_t provider,
1924     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
1925     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
1926     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
1927 {
1928 	int ret = CRYPTO_SUCCESS;
1929 	uchar_t digest[SHA512_DIGEST_LENGTH];
1930 	sha2_hmac_ctx_t sha2_hmac_ctx;
1931 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
1932 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
1933 
1934 	/*
1935 	 * Set the digest length and block size to values approriate to the
1936 	 * mechanism
1937 	 */
1938 	switch (mechanism->cm_type) {
1939 	case SHA256_HMAC_MECH_INFO_TYPE:
1940 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
1941 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
1942 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
1943 		break;
1944 	case SHA384_HMAC_MECH_INFO_TYPE:
1945 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
1946 	case SHA512_HMAC_MECH_INFO_TYPE:
1947 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
1948 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
1949 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
1950 		break;
1951 	default:
1952 		return (CRYPTO_MECHANISM_INVALID);
1953 	}
1954 
1955 	/* Add support for key by attributes (RFE 4706552) */
1956 	if (key->ck_format != CRYPTO_KEY_RAW)
1957 		return (CRYPTO_ARGUMENTS_BAD);
1958 
1959 	if (ctx_template != NULL) {
1960 		/* reuse context template */
1961 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
1962 	} else {
1963 		sha2_hmac_ctx.hc_mech_type = mechanism->cm_type;
1964 		/* no context template, initialize context */
1965 		if (keylen_in_bytes > sha_hmac_block_size) {
1966 			/*
1967 			 * Hash the passed-in key to get a smaller key.
1968 			 * The inner context is used since it hasn't been
1969 			 * initialized yet.
1970 			 */
1971 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
1972 			    &sha2_hmac_ctx.hc_icontext,
1973 			    key->ck_data, keylen_in_bytes, digest);
1974 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
1975 			    sha_digest_len);
1976 		} else {
1977 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
1978 			    keylen_in_bytes);
1979 		}
1980 	}
1981 
1982 	/* get the mechanism parameters, if applicable */
1983 	if ((mechanism->cm_type % 3) == 2) {
1984 		if (mechanism->cm_param == NULL ||
1985 		    mechanism->cm_param_len != sizeof (ulong_t)) {
1986 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1987 			goto bail;
1988 		}
1989 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
1990 		if (digest_len > sha_digest_len) {
1991 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
1992 			goto bail;
1993 		}
1994 	}
1995 
1996 	/* do a SHA2 update of the inner context using the specified data */
1997 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
1998 	if (ret != CRYPTO_SUCCESS)
1999 		/* the update failed, free context and bail */
2000 		goto bail;
2001 
2002 	/*
2003 	 * Do a SHA2 final on the inner context.
2004 	 */
2005 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
2006 
2007 	/*
2008 	 * Do an SHA2 update on the outer context, feeding the inner
2009 	 * digest as data.
2010 	 *
2011 	 * Make sure that SHA384 is handled special because
2012 	 * it cannot feed a 60-byte inner hash to the outer
2013 	 */
2014 	if (mechanism->cm_type == SHA384_HMAC_MECH_INFO_TYPE ||
2015 	    mechanism->cm_type == SHA384_HMAC_GEN_MECH_INFO_TYPE)
2016 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest,
2017 		    SHA384_DIGEST_LENGTH);
2018 	else
2019 		SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
2020 
2021 	/*
2022 	 * Do a SHA2 final on the outer context, storing the computed
2023 	 * digest in the users buffer.
2024 	 */
2025 	switch (mac->cd_format) {
2026 	case CRYPTO_DATA_RAW:
2027 		if (digest_len != sha_digest_len) {
2028 			/*
2029 			 * The caller requested a short digest. Digest
2030 			 * into a scratch buffer and return to
2031 			 * the user only what was requested.
2032 			 */
2033 			SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
2034 			bcopy(digest, (unsigned char *)mac->cd_raw.iov_base +
2035 			    mac->cd_offset, digest_len);
2036 		} else {
2037 			SHA2Final((unsigned char *)mac->cd_raw.iov_base +
2038 			    mac->cd_offset, &sha2_hmac_ctx.hc_ocontext);
2039 		}
2040 		break;
2041 	case CRYPTO_DATA_UIO:
2042 		ret = sha2_digest_final_uio(&sha2_hmac_ctx.hc_ocontext, mac,
2043 		    digest_len, digest);
2044 		break;
2045 	case CRYPTO_DATA_MBLK:
2046 		ret = sha2_digest_final_mblk(&sha2_hmac_ctx.hc_ocontext, mac,
2047 		    digest_len, digest);
2048 		break;
2049 	default:
2050 		ret = CRYPTO_ARGUMENTS_BAD;
2051 	}
2052 
2053 	if (ret == CRYPTO_SUCCESS) {
2054 		mac->cd_length = digest_len;
2055 		return (CRYPTO_SUCCESS);
2056 	}
2057 bail:
2058 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
2059 	mac->cd_length = 0;
2060 	return (ret);
2061 }
2062 
2063 /* ARGSUSED */
2064 static int
2065 sha2_mac_verify_atomic(crypto_provider_handle_t provider,
2066     crypto_session_id_t session_id, crypto_mechanism_t *mechanism,
2067     crypto_key_t *key, crypto_data_t *data, crypto_data_t *mac,
2068     crypto_spi_ctx_template_t ctx_template, crypto_req_handle_t req)
2069 {
2070 	int ret = CRYPTO_SUCCESS;
2071 	uchar_t digest[SHA512_DIGEST_LENGTH];
2072 	sha2_hmac_ctx_t sha2_hmac_ctx;
2073 	uint32_t sha_digest_len, digest_len, sha_hmac_block_size;
2074 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2075 
2076 	/*
2077 	 * Set the digest length and block size to values approriate to the
2078 	 * mechanism
2079 	 */
2080 	switch (mechanism->cm_type) {
2081 	case SHA256_HMAC_MECH_INFO_TYPE:
2082 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
2083 		sha_digest_len = digest_len = SHA256_DIGEST_LENGTH;
2084 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
2085 		break;
2086 	case SHA384_HMAC_MECH_INFO_TYPE:
2087 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
2088 	case SHA512_HMAC_MECH_INFO_TYPE:
2089 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
2090 		sha_digest_len = digest_len = SHA512_DIGEST_LENGTH;
2091 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
2092 		break;
2093 	default:
2094 		return (CRYPTO_MECHANISM_INVALID);
2095 	}
2096 
2097 	/* Add support for key by attributes (RFE 4706552) */
2098 	if (key->ck_format != CRYPTO_KEY_RAW)
2099 		return (CRYPTO_ARGUMENTS_BAD);
2100 
2101 	if (ctx_template != NULL) {
2102 		/* reuse context template */
2103 		bcopy(ctx_template, &sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
2104 	} else {
2105 		/* no context template, initialize context */
2106 		if (keylen_in_bytes > sha_hmac_block_size) {
2107 			/*
2108 			 * Hash the passed-in key to get a smaller key.
2109 			 * The inner context is used since it hasn't been
2110 			 * initialized yet.
2111 			 */
2112 			PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
2113 			    &sha2_hmac_ctx.hc_icontext,
2114 			    key->ck_data, keylen_in_bytes, digest);
2115 			sha2_mac_init_ctx(&sha2_hmac_ctx, digest,
2116 			    sha_digest_len);
2117 		} else {
2118 			sha2_mac_init_ctx(&sha2_hmac_ctx, key->ck_data,
2119 			    keylen_in_bytes);
2120 		}
2121 	}
2122 
2123 	/* get the mechanism parameters, if applicable */
2124 	if (mechanism->cm_type % 3 == 2) {
2125 		if (mechanism->cm_param == NULL ||
2126 		    mechanism->cm_param_len != sizeof (ulong_t)) {
2127 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2128 			goto bail;
2129 		}
2130 		PROV_SHA2_GET_DIGEST_LEN(mechanism, digest_len);
2131 		if (digest_len > sha_digest_len) {
2132 			ret = CRYPTO_MECHANISM_PARAM_INVALID;
2133 			goto bail;
2134 		}
2135 	}
2136 
2137 	if (mac->cd_length != digest_len) {
2138 		ret = CRYPTO_INVALID_MAC;
2139 		goto bail;
2140 	}
2141 
2142 	/* do a SHA2 update of the inner context using the specified data */
2143 	SHA2_MAC_UPDATE(data, sha2_hmac_ctx, ret);
2144 	if (ret != CRYPTO_SUCCESS)
2145 		/* the update failed, free context and bail */
2146 		goto bail;
2147 
2148 	/* do a SHA2 final on the inner context */
2149 	SHA2Final(digest, &sha2_hmac_ctx.hc_icontext);
2150 
2151 	/*
2152 	 * Do an SHA2 update on the outer context, feeding the inner
2153 	 * digest as data.
2154 	 */
2155 	SHA2Update(&sha2_hmac_ctx.hc_ocontext, digest, sha_digest_len);
2156 
2157 	/*
2158 	 * Do a SHA2 final on the outer context, storing the computed
2159 	 * digest in the users buffer.
2160 	 */
2161 	SHA2Final(digest, &sha2_hmac_ctx.hc_ocontext);
2162 
2163 	/*
2164 	 * Compare the computed digest against the expected digest passed
2165 	 * as argument.
2166 	 */
2167 
2168 	switch (mac->cd_format) {
2169 
2170 	case CRYPTO_DATA_RAW:
2171 		if (bcmp(digest, (unsigned char *)mac->cd_raw.iov_base +
2172 		    mac->cd_offset, digest_len) != 0)
2173 			ret = CRYPTO_INVALID_MAC;
2174 		break;
2175 
2176 	case CRYPTO_DATA_UIO: {
2177 		off_t offset = mac->cd_offset;
2178 		uint_t vec_idx;
2179 		off_t scratch_offset = 0;
2180 		size_t length = digest_len;
2181 		size_t cur_len;
2182 
2183 		/* we support only kernel buffer */
2184 		if (mac->cd_uio->uio_segflg != UIO_SYSSPACE)
2185 			return (CRYPTO_ARGUMENTS_BAD);
2186 
2187 		/* jump to the first iovec containing the expected digest */
2188 		for (vec_idx = 0;
2189 		    offset >= mac->cd_uio->uio_iov[vec_idx].iov_len &&
2190 		    vec_idx < mac->cd_uio->uio_iovcnt;
2191 		    offset -= mac->cd_uio->uio_iov[vec_idx++].iov_len);
2192 		if (vec_idx == mac->cd_uio->uio_iovcnt) {
2193 			/*
2194 			 * The caller specified an offset that is
2195 			 * larger than the total size of the buffers
2196 			 * it provided.
2197 			 */
2198 			ret = CRYPTO_DATA_LEN_RANGE;
2199 			break;
2200 		}
2201 
2202 		/* do the comparison of computed digest vs specified one */
2203 		while (vec_idx < mac->cd_uio->uio_iovcnt && length > 0) {
2204 			cur_len = MIN(mac->cd_uio->uio_iov[vec_idx].iov_len -
2205 			    offset, length);
2206 
2207 			if (bcmp(digest + scratch_offset,
2208 			    mac->cd_uio->uio_iov[vec_idx].iov_base + offset,
2209 			    cur_len) != 0) {
2210 				ret = CRYPTO_INVALID_MAC;
2211 				break;
2212 			}
2213 
2214 			length -= cur_len;
2215 			vec_idx++;
2216 			scratch_offset += cur_len;
2217 			offset = 0;
2218 		}
2219 		break;
2220 	}
2221 
2222 	case CRYPTO_DATA_MBLK: {
2223 		off_t offset = mac->cd_offset;
2224 		mblk_t *mp;
2225 		off_t scratch_offset = 0;
2226 		size_t length = digest_len;
2227 		size_t cur_len;
2228 
2229 		/* jump to the first mblk_t containing the expected digest */
2230 		for (mp = mac->cd_mp; mp != NULL && offset >= MBLKL(mp);
2231 		    offset -= MBLKL(mp), mp = mp->b_cont);
2232 		if (mp == NULL) {
2233 			/*
2234 			 * The caller specified an offset that is larger than
2235 			 * the total size of the buffers it provided.
2236 			 */
2237 			ret = CRYPTO_DATA_LEN_RANGE;
2238 			break;
2239 		}
2240 
2241 		while (mp != NULL && length > 0) {
2242 			cur_len = MIN(MBLKL(mp) - offset, length);
2243 			if (bcmp(digest + scratch_offset,
2244 			    mp->b_rptr + offset, cur_len) != 0) {
2245 				ret = CRYPTO_INVALID_MAC;
2246 				break;
2247 			}
2248 
2249 			length -= cur_len;
2250 			mp = mp->b_cont;
2251 			scratch_offset += cur_len;
2252 			offset = 0;
2253 		}
2254 		break;
2255 	}
2256 
2257 	default:
2258 		ret = CRYPTO_ARGUMENTS_BAD;
2259 	}
2260 
2261 	return (ret);
2262 bail:
2263 	bzero(&sha2_hmac_ctx, sizeof (sha2_hmac_ctx_t));
2264 	mac->cd_length = 0;
2265 	return (ret);
2266 }
2267 
2268 /*
2269  * KCF software provider context management entry points.
2270  */
2271 
2272 /* ARGSUSED */
2273 static int
2274 sha2_create_ctx_template(crypto_provider_handle_t provider,
2275     crypto_mechanism_t *mechanism, crypto_key_t *key,
2276     crypto_spi_ctx_template_t *ctx_template, size_t *ctx_template_size,
2277     crypto_req_handle_t req)
2278 {
2279 	sha2_hmac_ctx_t *sha2_hmac_ctx_tmpl;
2280 	uint_t keylen_in_bytes = CRYPTO_BITS2BYTES(key->ck_length);
2281 	uint32_t sha_digest_len, sha_hmac_block_size;
2282 
2283 	/*
2284 	 * Set the digest length and block size to values approriate to the
2285 	 * mechanism
2286 	 */
2287 	switch (mechanism->cm_type) {
2288 	case SHA256_HMAC_MECH_INFO_TYPE:
2289 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
2290 		sha_digest_len = SHA256_DIGEST_LENGTH;
2291 		sha_hmac_block_size = SHA256_HMAC_BLOCK_SIZE;
2292 		break;
2293 	case SHA384_HMAC_MECH_INFO_TYPE:
2294 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
2295 	case SHA512_HMAC_MECH_INFO_TYPE:
2296 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
2297 		sha_digest_len = SHA512_DIGEST_LENGTH;
2298 		sha_hmac_block_size = SHA512_HMAC_BLOCK_SIZE;
2299 		break;
2300 	default:
2301 		return (CRYPTO_MECHANISM_INVALID);
2302 	}
2303 
2304 	/* Add support for key by attributes (RFE 4706552) */
2305 	if (key->ck_format != CRYPTO_KEY_RAW)
2306 		return (CRYPTO_ARGUMENTS_BAD);
2307 
2308 	/*
2309 	 * Allocate and initialize SHA2 context.
2310 	 */
2311 	sha2_hmac_ctx_tmpl = kmem_alloc(sizeof (sha2_hmac_ctx_t),
2312 	    crypto_kmflag(req));
2313 	if (sha2_hmac_ctx_tmpl == NULL)
2314 		return (CRYPTO_HOST_MEMORY);
2315 
2316 	sha2_hmac_ctx_tmpl->hc_mech_type = mechanism->cm_type;
2317 
2318 	if (keylen_in_bytes > sha_hmac_block_size) {
2319 		uchar_t digested_key[SHA512_DIGEST_LENGTH];
2320 
2321 		/*
2322 		 * Hash the passed-in key to get a smaller key.
2323 		 * The inner context is used since it hasn't been
2324 		 * initialized yet.
2325 		 */
2326 		PROV_SHA2_DIGEST_KEY(mechanism->cm_type / 3,
2327 		    &sha2_hmac_ctx_tmpl->hc_icontext,
2328 		    key->ck_data, keylen_in_bytes, digested_key);
2329 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, digested_key,
2330 		    sha_digest_len);
2331 	} else {
2332 		sha2_mac_init_ctx(sha2_hmac_ctx_tmpl, key->ck_data,
2333 		    keylen_in_bytes);
2334 	}
2335 
2336 	*ctx_template = (crypto_spi_ctx_template_t)sha2_hmac_ctx_tmpl;
2337 	*ctx_template_size = sizeof (sha2_hmac_ctx_t);
2338 
2339 	return (CRYPTO_SUCCESS);
2340 }
2341 
2342 static int
2343 sha2_free_context(crypto_ctx_t *ctx)
2344 {
2345 	uint_t ctx_len;
2346 
2347 	if (ctx->cc_provider_private == NULL)
2348 		return (CRYPTO_SUCCESS);
2349 
2350 	/*
2351 	 * We have to free either SHA2 or SHA2-HMAC contexts, which
2352 	 * have different lengths.
2353 	 *
2354 	 * Note: Below is dependent on the mechanism ordering.
2355 	 */
2356 
2357 	if (PROV_SHA2_CTX(ctx)->sc_mech_type % 3 == 0)
2358 		ctx_len = sizeof (sha2_ctx_t);
2359 	else
2360 		ctx_len = sizeof (sha2_hmac_ctx_t);
2361 
2362 	bzero(ctx->cc_provider_private, ctx_len);
2363 	kmem_free(ctx->cc_provider_private, ctx_len);
2364 	ctx->cc_provider_private = NULL;
2365 
2366 	return (CRYPTO_SUCCESS);
2367 }
2368 
2369 #endif /* _KERNEL */
2370 
2371 void
2372 SHA2Init(uint64_t mech, SHA2_CTX *ctx)
2373 {
2374 
2375 	switch (mech) {
2376 	case SHA256_MECH_INFO_TYPE:
2377 	case SHA256_HMAC_MECH_INFO_TYPE:
2378 	case SHA256_HMAC_GEN_MECH_INFO_TYPE:
2379 		ctx->state.s32[0] = 0x6a09e667U;
2380 		ctx->state.s32[1] = 0xbb67ae85U;
2381 		ctx->state.s32[2] = 0x3c6ef372U;
2382 		ctx->state.s32[3] = 0xa54ff53aU;
2383 		ctx->state.s32[4] = 0x510e527fU;
2384 		ctx->state.s32[5] = 0x9b05688cU;
2385 		ctx->state.s32[6] = 0x1f83d9abU;
2386 		ctx->state.s32[7] = 0x5be0cd19U;
2387 		break;
2388 	case SHA384_MECH_INFO_TYPE:
2389 	case SHA384_HMAC_MECH_INFO_TYPE:
2390 	case SHA384_HMAC_GEN_MECH_INFO_TYPE:
2391 		ctx->state.s64[0] = 0xcbbb9d5dc1059ed8ULL;
2392 		ctx->state.s64[1] = 0x629a292a367cd507ULL;
2393 		ctx->state.s64[2] = 0x9159015a3070dd17ULL;
2394 		ctx->state.s64[3] = 0x152fecd8f70e5939ULL;
2395 		ctx->state.s64[4] = 0x67332667ffc00b31ULL;
2396 		ctx->state.s64[5] = 0x8eb44a8768581511ULL;
2397 		ctx->state.s64[6] = 0xdb0c2e0d64f98fa7ULL;
2398 		ctx->state.s64[7] = 0x47b5481dbefa4fa4ULL;
2399 		break;
2400 	case SHA512_MECH_INFO_TYPE:
2401 	case SHA512_HMAC_MECH_INFO_TYPE:
2402 	case SHA512_HMAC_GEN_MECH_INFO_TYPE:
2403 		ctx->state.s64[0] = 0x6a09e667f3bcc908ULL;
2404 		ctx->state.s64[1] = 0xbb67ae8584caa73bULL;
2405 		ctx->state.s64[2] = 0x3c6ef372fe94f82bULL;
2406 		ctx->state.s64[3] = 0xa54ff53a5f1d36f1ULL;
2407 		ctx->state.s64[4] = 0x510e527fade682d1ULL;
2408 		ctx->state.s64[5] = 0x9b05688c2b3e6c1fULL;
2409 		ctx->state.s64[6] = 0x1f83d9abfb41bd6bULL;
2410 		ctx->state.s64[7] = 0x5be0cd19137e2179ULL;
2411 		break;
2412 #ifdef _KERNEL
2413 	default:
2414 		cmn_err(CE_WARN, "sha2_init: "
2415 		    "failed to find a supported algorithm: 0x%x",
2416 		    (uint32_t)mech);
2417 
2418 #endif /* _KERNEL */
2419 	}
2420 
2421 	ctx->algotype = mech;
2422 	ctx->count.c64[0] = ctx->count.c64[1] = 0;
2423 }
2424 
2425 /*
2426  * SHA2Update()
2427  *
2428  * purpose: continues an sha2 digest operation, using the message block
2429  *          to update the context.
2430  *   input: SHA2_CTX *	: the context to update
2431  *          uint8_t *	: the message block
2432  *          uint32_t    : the length of the message block in bytes
2433  *  output: void
2434  */
2435 
2436 void
2437 SHA2Update(SHA2_CTX *ctx, const uint8_t *input, uint32_t input_len)
2438 {
2439 	uint32_t i, buf_index, buf_len, buf_limit;
2440 
2441 	/* check for noop */
2442 	if (input_len == 0)
2443 		return;
2444 
2445 	if (ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
2446 		buf_limit = 64;
2447 
2448 		/* compute number of bytes mod 64 */
2449 		buf_index = (ctx->count.c32[1] >> 3) & 0x3F;
2450 
2451 		/* update number of bits */
2452 		if ((ctx->count.c32[1] += (input_len << 3)) < (input_len << 3))
2453 			ctx->count.c32[0]++;
2454 
2455 		ctx->count.c32[0] += (input_len >> 29);
2456 
2457 	} else {
2458 		buf_limit = 128;
2459 
2460 		/* compute number of bytes mod 128 */
2461 		buf_index = (ctx->count.c64[1] >> 3) & 0x7F;
2462 
2463 		/* update number of bits */
2464 		if ((ctx->count.c64[1] += (input_len << 3)) < (input_len << 3))
2465 			ctx->count.c64[0]++;
2466 
2467 		ctx->count.c64[0] += (input_len >> 29);
2468 	}
2469 
2470 	buf_len = buf_limit - buf_index;
2471 
2472 	/* transform as many times as possible */
2473 	i = 0;
2474 	if (input_len >= buf_len) {
2475 
2476 		/*
2477 		 * general optimization:
2478 		 *
2479 		 * only do initial bcopy() and SHA2Transform() if
2480 		 * buf_index != 0.  if buf_index == 0, we're just
2481 		 * wasting our time doing the bcopy() since there
2482 		 * wasn't any data left over from a previous call to
2483 		 * SHA2Update().
2484 		 */
2485 		if (buf_index) {
2486 			bcopy(input, &ctx->buf_un.buf8[buf_index], buf_len);
2487 			if (ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
2488 				SHA256Transform(ctx, ctx->buf_un.buf8);
2489 			else
2490 				SHA512Transform(ctx, ctx->buf_un.buf8);
2491 
2492 			i = buf_len;
2493 		}
2494 
2495 
2496 		for (; i + buf_limit - 1 < input_len; i += buf_limit) {
2497 			if (ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE)
2498 				SHA256Transform(ctx, &input[i]);
2499 			else
2500 				SHA512Transform(ctx, &input[i]);
2501 		}
2502 
2503 		/*
2504 		 * general optimization:
2505 		 *
2506 		 * if i and input_len are the same, return now instead
2507 		 * of calling bcopy(), since the bcopy() in this case
2508 		 * will be an expensive nop.
2509 		 */
2510 
2511 		if (input_len == i)
2512 			return;
2513 
2514 		buf_index = 0;
2515 	}
2516 
2517 	/* buffer remaining input */
2518 	bcopy(&input[i], &ctx->buf_un.buf8[buf_index], input_len - i);
2519 }
2520 
2521 
2522 /*
2523  * SHA2Final()
2524  *
2525  * purpose: ends an sha2 digest operation, finalizing the message digest and
2526  *          zeroing the context.
2527  *   input: uint8_t *	: a buffer to store the digest in
2528  *          SHA2_CTX *  : the context to finalize, save, and zero
2529  *  output: void
2530  */
2531 
2532 
2533 void
2534 SHA2Final(uint8_t *digest, SHA2_CTX *ctx)
2535 {
2536 	uint8_t		bitcount_be[sizeof (ctx->count.c32)];
2537 	uint8_t		bitcount_be64[sizeof (ctx->count.c64)];
2538 	uint32_t	index;
2539 
2540 
2541 	if (ctx->algotype <= SHA256_HMAC_GEN_MECH_INFO_TYPE) {
2542 		index  = (ctx->count.c32[1] >> 3) & 0x3f;
2543 		Encode(bitcount_be, ctx->count.c32, sizeof (bitcount_be));
2544 		SHA2Update(ctx, PADDING, ((index < 56) ? 56 : 120) - index);
2545 		SHA2Update(ctx, bitcount_be, sizeof (bitcount_be));
2546 		Encode(digest, ctx->state.s32, sizeof (ctx->state.s32));
2547 
2548 	} else {
2549 		index  = (ctx->count.c64[1] >> 3) & 0x7f;
2550 		Encode64(bitcount_be64, ctx->count.c64,
2551 		    sizeof (bitcount_be64));
2552 		SHA2Update(ctx, PADDING, ((index < 112) ? 112 : 240) - index);
2553 		SHA2Update(ctx, bitcount_be64, sizeof (bitcount_be64));
2554 		if (ctx->algotype <= SHA384_HMAC_GEN_MECH_INFO_TYPE) {
2555 			ctx->state.s64[6] = ctx->state.s64[7] = 0;
2556 			Encode64(digest, ctx->state.s64,
2557 			    sizeof (uint64_t) * 6);
2558 		} else
2559 			Encode64(digest, ctx->state.s64,
2560 			    sizeof (ctx->state.s64));
2561 	}
2562 
2563 	/* zeroize sensitive information */
2564 	bzero(ctx, sizeof (*ctx));
2565 }
2566