Index: lib/libmd/md5.h =================================================================== --- lib/libmd/md5.h +++ lib/libmd/md5.h @@ -7,6 +7,7 @@ /* Ensure libmd symbols do not clash with libcrypto */ +#ifndef _STANDALONE #ifndef MD5Init #define MD5Init _libmd_MD5Init #endif @@ -34,6 +35,7 @@ #ifndef MD5Data #define MD5Data _libmd_MD5Data #endif +#endif #endif Index: sys/boot/efi/Makefile =================================================================== --- sys/boot/efi/Makefile +++ sys/boot/efi/Makefile @@ -15,7 +15,7 @@ .if ${MACHINE_CPUARCH} == "aarch64" || \ ${MACHINE_CPUARCH} == "amd64" || \ ${MACHINE_CPUARCH} == "arm" -SUBDIR+= libefi loader boot1 +SUBDIR+= libefi libcryptoboot loader boot1 .endif .endif # ${COMPILER_TYPE} != "gcc" || ${COMPILER_VERSION} >= 404500 Index: sys/boot/efi/Makefile.inc =================================================================== --- sys/boot/efi/Makefile.inc +++ sys/boot/efi/Makefile.inc @@ -10,6 +10,7 @@ # Options used when building app-specific efi components # See conf/kern.mk for the correct set of these CFLAGS+= -ffreestanding -Wformat -msoft-float ${CFLAGS_NO_SIMD} +CFLAGS+= -D_STANDALONE LDFLAGS+= -nostdlib .if ${MACHINE_CPUARCH} == "amd64" Index: sys/boot/efi/boot1/Makefile =================================================================== --- sys/boot/efi/boot1/Makefile +++ sys/boot/efi/boot1/Makefile @@ -19,16 +19,13 @@ CWARNFLAGS.zfs_module.c += -Wno-sign-compare CWARNFLAGS.zfs_module.c += -Wno-unused-parameter CWARNFLAGS.zfs_module.c += -Wno-unused-function -CWARNFLAGS.skein.c += -Wno-cast-align -CWARNFLAGS.skein.c += -Wno-missing-variable-declarations .endif # architecture-specific loader code SRCS= boot1.c self_reloc.c start.S ufs_module.c .if ${MK_ZFS} != "no" SRCS+= zfs_module.c -SRCS+= skein.c skein_block.c -.PATH: ${.CURDIR}/../../../crypto/skein +LIBCRYPTOBOOT= ${.OBJDIR}/../libcryptoboot/libcryptoboot.a .endif CFLAGS+= -I. @@ -73,8 +70,8 @@ # __aeabi_* (arm) or __divdi3 (i386). # as well as required string and memory functions for all platforms. # -DPADD+= ${LIBSTAND} -LDADD+= -lstand +DPADD+= ${LIBCRYPTOBOOT} ${LIBSTAND} +LDADD+= ${LIBCRYPTOBOOT} -lstand DPADD+= ${LDSCRIPT} Index: sys/boot/efi/libcryptoboot/Makefile =================================================================== --- /dev/null +++ sys/boot/efi/libcryptoboot/Makefile @@ -0,0 +1,28 @@ +# $FreeBSD$ + +.include + +LIB= cryptoboot +INTERNALLIB= +WARNS?= 6 + +CWARNFLAGS.skein.c += -Wno-cast-align +CWARNFLAGS.skein.c += -Wno-missing-variable-declarations +CWARNFLAGS.md5c.c += -Wno-missing-prototypes + + +SRCS= skein.c skein_block.c sha256c.c sha512c.c md5c.c + +.PATH: ${.CURDIR}/../../../crypto/skein +.PATH: ${.CURDIR}/../../../crypto/sha2 +.PATH: ${.CURDIR}/../../../../lib/libmd + +.if ${MACHINE_CPUARCH} == "aarch64" +CFLAGS+= -msoft-float -mgeneral-regs-only +.endif +.if ${MACHINE_ARCH} == "amd64" +CFLAGS+= -fPIC -mno-red-zone +.endif + +.include +.include Index: sys/boot/efi/libcryptoboot/Makefile.depend =================================================================== --- /dev/null +++ sys/boot/efi/libcryptoboot/Makefile.depend @@ -0,0 +1,15 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + include \ + include/xlocale \ + lib/libmd \ + secure/lib/libcrypto \ + + +.include + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif Index: sys/boot/efi/loader/Makefile =================================================================== --- sys/boot/efi/loader/Makefile +++ sys/boot/efi/loader/Makefile @@ -24,8 +24,7 @@ .if ${MK_ZFS} != "no" SRCS+= zfs.c .PATH: ${.CURDIR}/../../zfs -SRCS+= skein.c skein_block.c -.PATH: ${.CURDIR}/../../../crypto/skein +LIBCRYPTOBOOT= ${.OBJDIR}/../libcryptoboot/libcryptoboot.a # Disable warnings that are currently incompatible with the zfs boot code CWARNFLAGS.zfs.c+= -Wno-sign-compare @@ -55,7 +54,6 @@ .if ${MK_ZFS} != "no" CFLAGS+= -I${.CURDIR}/../../zfs CFLAGS+= -I${.CURDIR}/../../../cddl/boot/zfs -CFLAGS+= -I${.CURDIR}/../../../crypto/skein CFLAGS+= -DEFI_ZFS_BOOT .endif CFLAGS+= -DNO_PCI -DEFI @@ -143,9 +141,10 @@ LIBEFI= ${.OBJDIR}/../libefi/libefi.a -DPADD= ${LIBFICL} ${LIBEFI} ${LIBFDT} ${LIBEFI_FDT} ${LIBSTAND} \ - ${LDSCRIPT} -LDADD= ${LIBFICL} ${LIBEFI} ${LIBFDT} ${LIBEFI_FDT} ${LIBSTAND} +DPADD= ${LIBFICL} ${LIBEFI} ${LIBFDT} ${LIBEFI_FDT} ${LIBCRYPTOBOOT} \ + ${LIBSTAND} ${LDSCRIPT} +LDADD= ${LIBFICL} ${LIBEFI} ${LIBFDT} ${LIBEFI_FDT} ${LIBCRYPTOBOOT} \ + ${LIBSTAND} .include Index: sys/boot/geli/Makefile =================================================================== --- sys/boot/geli/Makefile +++ sys/boot/geli/Makefile @@ -27,15 +27,6 @@ # Our password input method SRCS+= pwgets.c -# sha256 and sha512 from sys/crypto -.PATH: ${.CURDIR}/../../crypto/sha2 -CFLAGS+= -DWEAK_REFS -SRCS+= sha256c.c sha512c.c - -# md5 from libmd -.PATH: ${.CURDIR}/../../../lib/libmd -SRCS+= md5c.c - # AES implementation from sys/crypto .PATH: ${.CURDIR}/../../crypto/rijndael CFLAGS+= -I${.CURDIR}/../../ Index: sys/boot/i386/Makefile.inc =================================================================== --- sys/boot/i386/Makefile.inc +++ sys/boot/i386/Makefile.inc @@ -7,7 +7,7 @@ LOADER_ADDRESS?=0x200000 CFLAGS+= -march=i386 -ffreestanding CFLAGS.gcc+= -mpreferred-stack-boundary=2 -CFLAGS+= ${CFLAGS_NO_SIMD} -msoft-float +CFLAGS+= ${CFLAGS_NO_SIMD} -msoft-float -D_STANDALONE LDFLAGS+= -nostdlib .if ${MACHINE_CPUARCH} == "amd64" Index: sys/boot/i386/gptboot/Makefile =================================================================== --- sys/boot/i386/gptboot/Makefile +++ sys/boot/i386/gptboot/Makefile @@ -45,6 +45,7 @@ LIBGELIBOOT= ${.OBJDIR}/../../geli/libgeliboot.a .PATH: ${.CURDIR}/../../../opencrypto OPENCRYPTO_XTS= xform_aes_xts.o +LIBCRYPTOBOOT= ${.OBJDIR}/../../libcryptoboot/libcryptoboot.a .endif LD_FLAGS=-static -N --gc-sections @@ -75,7 +76,8 @@ ${OBJCOPY} -S -O binary gptboot.out ${.TARGET} gptboot.out: ${BTXCRT} gptboot.o sio.o crc32.o drv.o cons.o util.o ${OPENCRYPTO_XTS} - ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBSTAND} ${LIBGELIBOOT} + ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} \ + ${LIBGELIBOOT} ${LIBCRYPTOBOOT} ${LIBSTAND} gptboot.o: ${.CURDIR}/../../common/ufsread.c Index: sys/boot/i386/gptzfsboot/Makefile =================================================================== --- sys/boot/i386/gptzfsboot/Makefile +++ sys/boot/i386/gptzfsboot/Makefile @@ -2,7 +2,7 @@ .PATH: ${.CURDIR}/../boot2 ${.CURDIR}/../gptboot \ ${.CURDIR}/../zfsboot ${.CURDIR}/../common \ - ${.CURDIR}/../../common ${.CURDIR}/../../../crypto/skein + ${.CURDIR}/../../common FILES= gptzfsboot MAN= gptzfsboot.8 @@ -27,7 +27,6 @@ -I${.CURDIR}/../common \ -I${.CURDIR}/../../zfs \ -I${.CURDIR}/../../../cddl/boot/zfs \ - -I${.CURDIR}/../../../crypto/skein \ -I${.CURDIR}/../btx/lib -I. \ -I${.CURDIR}/../boot2 \ -I${.CURDIR}/../../.. \ @@ -49,6 +48,7 @@ LD_FLAGS=-static -N --gc-sections LIBSTAND= ${.OBJDIR}/../../libstand32/libstand.a +LIBCRYPTOBOOT= ${.OBJDIR}/../../libcryptoboot/libcryptoboot.a # Pick up ../Makefile.inc early. .include @@ -68,14 +68,15 @@ ${LD} ${LD_FLAGS} -e start -Ttext ${ORG1} -o ${.TARGET} gptldr.o CLEANFILES+= gptzfsboot.bin gptzfsboot.out zfsboot.o sio.o cons.o \ - drv.o gpt.o util.o skein.o skein_block.o ${OPENCRYPTO_XTS} + drv.o gpt.o util.o ${OPENCRYPTO_XTS} gptzfsboot.bin: gptzfsboot.out ${OBJCOPY} -S -O binary gptzfsboot.out ${.TARGET} gptzfsboot.out: ${BTXCRT} zfsboot.o sio.o gpt.o drv.o cons.o util.o \ - skein.o skein_block.o ${OPENCRYPTO_XTS} - ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBSTAND} ${LIBGELIBOOT} + ${OPENCRYPTO_XTS} + ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} \ + ${LIBGELIBOOT} ${LIBCRYPTOBOOT} ${LIBSTAND} zfsboot.o: ${.CURDIR}/../../zfs/zfsimpl.c Index: sys/boot/i386/libi386/Makefile =================================================================== --- sys/boot/i386/libi386/Makefile +++ sys/boot/i386/libi386/Makefile @@ -32,7 +32,7 @@ .if !defined(LOADER_NO_GELI_SUPPORT) # Decrypt encrypted drives -CFLAGS+= -DLOADER_GELI_SUPPORT +CFLAGS+= -DLOADER_GELI_SUPPORT -D_STANDALONE CFLAGS+= -I${.CURDIR}/../../geli .endif Index: sys/boot/i386/loader/Makefile =================================================================== --- sys/boot/i386/loader/Makefile +++ sys/boot/i386/loader/Makefile @@ -66,6 +66,10 @@ CFLAGS+= -I${.CURDIR}/../../.. -D_STAND .endif +.if !defined(LOADER_NO_GELI_SUPPORT) || defined(LOADER_ZFS_SUPPORT) +LIBCRYPTOBOOT= ${.OBJDIR}/../../libcryptoboot/libcryptoboot.a +.endif + # Always add MI sources .PATH: ${.CURDIR}/../../common .include "${.CURDIR}/../../common/Makefile.inc" @@ -123,8 +127,10 @@ # XXX crt0.o needs to be first for pxeboot(8) to work OBJS= ${BTXCRT} -DPADD= ${LIBFICL} ${LIBFIREWIRE} ${LIBZFSBOOT} ${LIBI386} ${LIBSTAND} ${LIBGELIBOOT} -LDADD= ${LIBFICL} ${LIBFIREWIRE} ${LIBZFSBOOT} ${LIBI386} ${LIBSTAND} ${LIBGELIBOOT} +DPADD= ${LIBFICL} ${LIBFIREWIRE} ${LIBZFSBOOT} ${LIBI386} ${LIBGELIBOOT} \ + ${LIBCRYPTOBOOT} ${LIBSTAND} +LDADD= ${LIBFICL} ${LIBFIREWIRE} ${LIBZFSBOOT} ${LIBI386} ${LIBGELIBOOT} \ + ${LIBCRYPTOBOOT} ${LIBSTAND} .include Index: sys/boot/i386/zfsboot/Makefile =================================================================== --- sys/boot/i386/zfsboot/Makefile +++ sys/boot/i386/zfsboot/Makefile @@ -1,7 +1,7 @@ # $FreeBSD$ .PATH: ${.CURDIR}/../boot2 ${.CURDIR}/../common \ - ${.CURDIR}/../../common ${.CURDIR}/../../../crypto/skein + ${.CURDIR}/../../common FILES= zfsboot MAN= zfsboot.8 @@ -26,7 +26,7 @@ -I${.CURDIR}/../common \ -I${.CURDIR}/../../zfs \ -I${.CURDIR}/../../../cddl/boot/zfs \ - -I${.CURDIR}/../../../crypto/skein \ + -I${.CURDIR}/../../.. \ -I${.CURDIR}/../btx/lib -I. \ -I${.CURDIR}/../boot2 \ -Wall -Waggregate-return -Wbad-function-cast -Wno-cast-align \ @@ -38,6 +38,16 @@ LD_FLAGS=-static -N --gc-sections +.if !defined(LOADER_NO_GELI_SUPPORT) +CFLAGS+= -DLOADER_GELI_SUPPORT +LIBGELIBOOT= ${.OBJDIR}/../../geli/libgeliboot.a +.PATH: ${.CURDIR}/../../../opencrypto +SRCS+= xform_aes_xts.c +OPENCRYPTO_XTS= xform_aes_xts.o +CFLAGS+= -I${.CURDIR}/../../geli +.endif + +LIBBOOTCRYPTO= ${.OBJDIR}/../../libbootcrypto/libbootcrypto.a LIBSTAND= ${.OBJDIR}/../../libstand32/libstand.a # Pick up ../Makefile.inc early. @@ -58,12 +68,12 @@ CLEANFILES+= zfsboot2 zfsboot.ld zfsboot.ldr zfsboot.bin zfsboot.out \ zfsboot.o zfsboot.s zfsboot.s.tmp sio.o cons.o drv.o util.o \ - skein.o skein_block.o + ${OPENCRYPTO_XTS} -# We currently allow 128k bytes for zfsboot - in practice it could be +# We currently allow 256k bytes for zfsboot - in practice it could be # any size up to 3.5Mb but keeping it fixed size simplifies zfsldr. # -BOOT2SIZE= 131072 +BOOT2SIZE= 262144 zfsboot2: zfsboot.ld @set -- `ls -l zfsboot.ld`; x=$$((${BOOT2SIZE}-$$5)); \ @@ -80,8 +90,9 @@ zfsboot.bin: zfsboot.out ${OBJCOPY} -S -O binary zfsboot.out ${.TARGET} -zfsboot.out: ${BTXCRT} zfsboot.o sio.o drv.o cons.o util.o skein.o skein_block.o - ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} ${LIBSTAND} +zfsboot.out: ${BTXCRT} zfsboot.o sio.o drv.o cons.o util.o ${OPENCRYPTO_XTS} + ${LD} ${LD_FLAGS} -Ttext ${ORG2} -o ${.TARGET} ${.ALLSRC} \ + ${LIBGELIBOOT} ${LIBBOOTCRYPTO} ${LIBSTAND} SRCS= zfsboot.c Index: sys/boot/libcryptoboot/Makefile =================================================================== --- /dev/null +++ sys/boot/libcryptoboot/Makefile @@ -0,0 +1,34 @@ +# $FreeBSD$ + +.include + +LIB= cryptoboot +INTERNALLIB= +WARNS?= 6 + +CWARNFLAGS.skein.c += -Wno-cast-align +CWARNFLAGS.skein.c += -Wno-missing-variable-declarations +CWARNFLAGS.md5c.c += -Wno-missing-prototypes + +.if ${MACHINE_CPUARCH} == "i386" || ${MACHINE_CPUARCH} == "amd64" +CFLAGS+= -march=i386 +.endif +.if ${MACHINE_ARCH} == "amd64" || ${MACHINE_ARCH} == "powerpc64" +CFLAGS+= -m32 +.endif + +SRCS= skein.c skein_block.c sha256c.c sha512c.c md5c.c + +.PATH: ${.CURDIR}/../../crypto/skein +.PATH: ${.CURDIR}/../../crypto/sha2 +.PATH: ${.CURDIR}/../../../lib/libmd + +.if ${MACHINE_CPUARCH} == "aarch64" +CFLAGS+= -msoft-float -mgeneral-regs-only +.endif +.if ${MACHINE_ARCH} == "amd64" +CFLAGS+= -fPIC -mno-red-zone +.endif + +.include +.include Index: sys/boot/libcryptoboot/Makefile.depend =================================================================== --- /dev/null +++ sys/boot/libcryptoboot/Makefile.depend @@ -0,0 +1,15 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + include \ + include/xlocale \ + lib/libmd \ + secure/lib/libcrypto \ + + +.include + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif Index: sys/boot/userboot/Makefile =================================================================== --- sys/boot/userboot/Makefile +++ sys/boot/userboot/Makefile @@ -2,7 +2,7 @@ .include -SUBDIR= ficl libstand test zfs userboot +SUBDIR= ficl libstand test zfs libcryptoboot userboot .include Index: sys/boot/userboot/libcryptoboot/Makefile =================================================================== --- /dev/null +++ sys/boot/userboot/libcryptoboot/Makefile @@ -0,0 +1,25 @@ +# $FreeBSD$ + +.include + +LIB= cryptoboot +INTERNALLIB= +WARNS?= 6 + +CWARNFLAGS.skein.c += -Wno-cast-align +CWARNFLAGS.skein.c += -Wno-missing-variable-declarations +CWARNFLAGS.md5c.c += -Wno-missing-prototypes + + +SRCS= skein.c skein_block.c sha256c.c sha512c.c md5c.c + +.PATH: ${.CURDIR}/../../../crypto/skein +.PATH: ${.CURDIR}/../../../crypto/sha2 +.PATH: ${.CURDIR}/../../../../lib/libmd + +.if ${MACHINE_CPUARCH} == "aarch64" +CFLAGS+= -msoft-float -mgeneral-regs-only +.endif + +.include +.include Index: sys/boot/userboot/libcryptoboot/Makefile.depend =================================================================== --- /dev/null +++ sys/boot/userboot/libcryptoboot/Makefile.depend @@ -0,0 +1,15 @@ +# $FreeBSD$ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + include \ + include/xlocale \ + lib/libmd \ + secure/lib/libcrypto \ + + +.include + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif Index: sys/boot/userboot/userboot/Makefile =================================================================== --- sys/boot/userboot/userboot/Makefile +++ sys/boot/userboot/userboot/Makefile @@ -57,6 +57,7 @@ .if ${MK_ZFS} != "no" CFLAGS+= -DUSERBOOT_ZFS_SUPPORT LIBZFSBOOT= ${.OBJDIR}/../zfs/libzfsboot.a +LIBCRYPTOBOOT= ${.OBJDIR}/../libcryptoboot/libcryptoboot.a .endif # Always add MI sources @@ -64,7 +65,7 @@ .include "${.CURDIR}/../../common/Makefile.inc" CFLAGS+= -I${.CURDIR}/../../common CFLAGS+= -I. -DPADD+= ${LIBFICL} ${LIBZFSBOOT} ${LIBSTAND} -LDADD+= ${LIBFICL} ${LIBZFSBOOT} ${LIBSTAND} +DPADD+= ${LIBFICL} ${LIBZFSBOOT} ${LIBCRYPTOBOOT} ${LIBSTAND} +LDADD+= ${LIBFICL} ${LIBZFSBOOT} ${LIBCRYPTOBOOT} ${LIBSTAND} .include Index: sys/boot/userboot/zfs/Makefile =================================================================== --- sys/boot/userboot/zfs/Makefile +++ sys/boot/userboot/zfs/Makefile @@ -2,18 +2,17 @@ S= ${.CURDIR}/../../zfs -.PATH: ${S} ${.CURDIR}/../../../crypto/skein +.PATH: ${S} LIB= zfsboot INTERNALLIB= -SRCS+= zfs.c skein.c skein_block.c +SRCS+= zfs.c CFLAGS+= -I${.CURDIR}/../../common -I${.CURDIR}/../../.. -I. CFLAGS+= -I${.CURDIR}/../../../../lib/libstand CFLAGS+= -I${.CURDIR}/../../../cddl/boot/zfs -CFLAGS+= -I${.CURDIR}/../../../crypto/skein -CFLAGS+= -ffreestanding -fPIC CFLAGS+= -Wformat -Wall +.include .include Index: sys/cddl/boot/zfs/sha256.c =================================================================== --- sys/cddl/boot/zfs/sha256.c +++ sys/cddl/boot/zfs/sha256.c @@ -28,287 +28,43 @@ * Copyright 2015 Toomas Soome */ -/* - * SHA-256 and SHA-512/256 hashes, as specified in FIPS 180-4, available at: - * http://csrc.nist.gov/cryptval - * - * This is a very compact implementation of SHA-256 and SHA-512/256. - * It is designed to be simple and portable, not to be fast. - */ - -/* - * The literal definitions according to FIPS180-4 would be: - * - * Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) - * Maj(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z))) - * - * We use logical equivalents which require one less op. - */ -#define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) -#define Maj(x, y, z) (((x) & (y)) ^ ((z) & ((x) ^ (y)))) -#define ROTR(x, n) (((x) >> (n)) | ((x) << ((sizeof (x) * NBBY)-(n)))) - -/* SHA-224/256 operations */ -#define BIGSIGMA0_256(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) -#define BIGSIGMA1_256(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) -#define SIGMA0_256(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3)) -#define SIGMA1_256(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10)) - -/* SHA-384/512 operations */ -#define BIGSIGMA0_512(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39)) -#define BIGSIGMA1_512(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41)) -#define SIGMA0_512(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7)) -#define SIGMA1_512(x) (ROTR((x), 19) ^ ROTR((x), 61) ^ ((x) >> 6)) - -/* SHA-256 round constants */ -static const uint32_t SHA256_K[64] = { - 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, - 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, - 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, - 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, - 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, - 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, - 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, - 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, - 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, - 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, - 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, - 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, - 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, - 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, - 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, - 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 -}; - -/* SHA-512 round constants */ -static const uint64_t SHA512_K[80] = { - 0x428A2F98D728AE22ULL, 0x7137449123EF65CDULL, - 0xB5C0FBCFEC4D3B2FULL, 0xE9B5DBA58189DBBCULL, - 0x3956C25BF348B538ULL, 0x59F111F1B605D019ULL, - 0x923F82A4AF194F9BULL, 0xAB1C5ED5DA6D8118ULL, - 0xD807AA98A3030242ULL, 0x12835B0145706FBEULL, - 0x243185BE4EE4B28CULL, 0x550C7DC3D5FFB4E2ULL, - 0x72BE5D74F27B896FULL, 0x80DEB1FE3B1696B1ULL, - 0x9BDC06A725C71235ULL, 0xC19BF174CF692694ULL, - 0xE49B69C19EF14AD2ULL, 0xEFBE4786384F25E3ULL, - 0x0FC19DC68B8CD5B5ULL, 0x240CA1CC77AC9C65ULL, - 0x2DE92C6F592B0275ULL, 0x4A7484AA6EA6E483ULL, - 0x5CB0A9DCBD41FBD4ULL, 0x76F988DA831153B5ULL, - 0x983E5152EE66DFABULL, 0xA831C66D2DB43210ULL, - 0xB00327C898FB213FULL, 0xBF597FC7BEEF0EE4ULL, - 0xC6E00BF33DA88FC2ULL, 0xD5A79147930AA725ULL, - 0x06CA6351E003826FULL, 0x142929670A0E6E70ULL, - 0x27B70A8546D22FFCULL, 0x2E1B21385C26C926ULL, - 0x4D2C6DFC5AC42AEDULL, 0x53380D139D95B3DFULL, - 0x650A73548BAF63DEULL, 0x766A0ABB3C77B2A8ULL, - 0x81C2C92E47EDAEE6ULL, 0x92722C851482353BULL, - 0xA2BFE8A14CF10364ULL, 0xA81A664BBC423001ULL, - 0xC24B8B70D0F89791ULL, 0xC76C51A30654BE30ULL, - 0xD192E819D6EF5218ULL, 0xD69906245565A910ULL, - 0xF40E35855771202AULL, 0x106AA07032BBD1B8ULL, - 0x19A4C116B8D2D0C8ULL, 0x1E376C085141AB53ULL, - 0x2748774CDF8EEB99ULL, 0x34B0BCB5E19B48A8ULL, - 0x391C0CB3C5C95A63ULL, 0x4ED8AA4AE3418ACBULL, - 0x5B9CCA4F7763E373ULL, 0x682E6FF3D6B2B8A3ULL, - 0x748F82EE5DEFB2FCULL, 0x78A5636F43172F60ULL, - 0x84C87814A1F0AB72ULL, 0x8CC702081A6439ECULL, - 0x90BEFFFA23631E28ULL, 0xA4506CEBDE82BDE9ULL, - 0xBEF9A3F7B2C67915ULL, 0xC67178F2E372532BULL, - 0xCA273ECEEA26619CULL, 0xD186B8C721C0C207ULL, - 0xEADA7DD6CDE0EB1EULL, 0xF57D4F7FEE6ED178ULL, - 0x06F067AA72176FBAULL, 0x0A637DC5A2C898A6ULL, - 0x113F9804BEF90DAEULL, 0x1B710B35131C471BULL, - 0x28DB77F523047D84ULL, 0x32CAAB7B40C72493ULL, - 0x3C9EBE0A15C9BEBCULL, 0x431D67C49C100D4CULL, - 0x4CC5D4BECB3E42B6ULL, 0x597F299CFC657E2AULL, - 0x5FCB6FAB3AD6FAECULL, 0x6C44198C4A475817ULL -}; - -static void -SHA256Transform(uint32_t *H, const uint8_t *cp) -{ - uint32_t a, b, c, d, e, f, g, h, t, T1, T2, W[64]; - - /* copy chunk into the first 16 words of the message schedule */ - for (t = 0; t < 16; t++, cp += sizeof (uint32_t)) - W[t] = (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | cp[3]; - - /* extend the first 16 words into the remaining 48 words */ - for (t = 16; t < 64; t++) - W[t] = SIGMA1_256(W[t - 2]) + W[t - 7] + - SIGMA0_256(W[t - 15]) + W[t - 16]; - - /* init working variables to the current hash value */ - a = H[0]; b = H[1]; c = H[2]; d = H[3]; - e = H[4]; f = H[5]; g = H[6]; h = H[7]; - - /* iterate the compression function for all rounds of the hash */ - for (t = 0; t < 64; t++) { - T1 = h + BIGSIGMA1_256(e) + Ch(e, f, g) + SHA256_K[t] + W[t]; - T2 = BIGSIGMA0_256(a) + Maj(a, b, c); - h = g; g = f; f = e; e = d + T1; - d = c; c = b; b = a; a = T1 + T2; - } - - /* add the compressed chunk to the current hash value */ - H[0] += a; H[1] += b; H[2] += c; H[3] += d; - H[4] += e; H[5] += f; H[6] += g; H[7] += h; -} - -static void -SHA512Transform(uint64_t *H, const uint8_t *cp) -{ - uint64_t a, b, c, d, e, f, g, h, t, T1, T2, W[80]; - - /* copy chunk into the first 16 words of the message schedule */ - for (t = 0; t < 16; t++, cp += sizeof (uint64_t)) - W[t] = ((uint64_t)cp[0] << 56) | ((uint64_t)cp[1] << 48) | - ((uint64_t)cp[2] << 40) | ((uint64_t)cp[3] << 32) | - ((uint64_t)cp[4] << 24) | ((uint64_t)cp[5] << 16) | - ((uint64_t)cp[6] << 8) | (uint64_t)cp[7]; - - /* extend the first 16 words into the remaining 64 words */ - for (t = 16; t < 80; t++) - W[t] = SIGMA1_512(W[t - 2]) + W[t - 7] + - SIGMA0_512(W[t - 15]) + W[t - 16]; - - /* init working variables to the current hash value */ - a = H[0]; b = H[1]; c = H[2]; d = H[3]; - e = H[4]; f = H[5]; g = H[6]; h = H[7]; - - /* iterate the compression function for all rounds of the hash */ - for (t = 0; t < 80; t++) { - T1 = h + BIGSIGMA1_512(e) + Ch(e, f, g) + SHA512_K[t] + W[t]; - T2 = BIGSIGMA0_512(a) + Maj(a, b, c); - h = g; g = f; f = e; e = d + T1; - d = c; c = b; b = a; a = T1 + T2; - } - - /* add the compressed chunk to the current hash value */ - H[0] += a; H[1] += b; H[2] += c; H[3] += d; - H[4] += e; H[5] += f; H[6] += g; H[7] += h; -} - -/* - * Implements the SHA-224 and SHA-256 hash algos - to select between them - * pass the appropriate initial values of 'H' and truncate the last 32 bits - * in case of SHA-224. - */ -static void -SHA256(uint32_t *H, const void *buf, uint64_t size, zio_cksum_t *zcp) -{ - uint8_t pad[128]; - unsigned padsize = size & 63; - unsigned i, k; - - /* process all blocks up to the last one */ - for (i = 0; i < size - padsize; i += 64) - SHA256Transform(H, (uint8_t *)buf + i); - - /* process the last block and padding */ - for (k = 0; k < padsize; k++) - pad[k] = ((uint8_t *)buf)[k+i]; - - for (pad[padsize++] = 0x80; (padsize & 63) != 56; padsize++) - pad[padsize] = 0; - - for (i = 0; i < 8; i++) - pad[padsize++] = (size << 3) >> (56 - 8 * i); - - for (i = 0; i < padsize; i += 64) - SHA256Transform(H, pad + i); - - ZIO_SET_CHECKSUM(zcp, - (uint64_t)H[0] << 32 | H[1], - (uint64_t)H[2] << 32 | H[3], - (uint64_t)H[4] << 32 | H[5], - (uint64_t)H[6] << 32 | H[7]); -} - -/* - * encode 64bit data in big-endian format. - */ -static void -Encode64(uint8_t *output, uint64_t *input, size_t len) -{ - size_t i, j; - for (i = 0, j = 0; j < len; i++, j += 8) { - output[j] = (input[i] >> 56) & 0xff; - output[j + 1] = (input[i] >> 48) & 0xff; - output[j + 2] = (input[i] >> 40) & 0xff; - output[j + 3] = (input[i] >> 32) & 0xff; - output[j + 4] = (input[i] >> 24) & 0xff; - output[j + 5] = (input[i] >> 16) & 0xff; - output[j + 6] = (input[i] >> 8) & 0xff; - output[j + 7] = input[i] & 0xff; - } -} - -/* - * Implements the SHA-384, SHA-512 and SHA-512/t hash algos - to select - * between them pass the appropriate initial values for 'H'. The output - * of this function is truncated to the first 256 bits that fit into 'zcp'. - */ -static void -SHA512(uint64_t *H, const void *buf, uint64_t size, zio_cksum_t *zcp) -{ - uint64_t c64[2]; - uint8_t pad[256]; - unsigned padsize = size & 127; - unsigned i, k; - - /* process all blocks up to the last one */ - for (i = 0; i < size - padsize; i += 128) - SHA512Transform(H, (uint8_t *)buf + i); - - /* process the last block and padding */ - for (k = 0; k < padsize; k++) - pad[k] = ((uint8_t *)buf)[k+i]; - - if (padsize < 112) { - for (pad[padsize++] = 0x80; padsize < 112; padsize++) - pad[padsize] = 0; - } else { - for (pad[padsize++] = 0x80; padsize < 240; padsize++) - pad[padsize] = 0; - } - - c64[0] = 0; - c64[1] = size << 3; - Encode64(pad+padsize, c64, sizeof (c64)); - padsize += sizeof (c64); - - for (i = 0; i < padsize; i += 128) - SHA512Transform(H, pad + i); - - /* truncate the output to the first 256 bits which fit into 'zcp' */ - Encode64((uint8_t *)zcp, H, sizeof (uint64_t) * 4); -} +#include +#include +#include static void zio_checksum_SHA256(const void *buf, uint64_t size, const void *ctx_template __unused, zio_cksum_t *zcp) { - /* SHA-256 as per FIPS 180-4. */ - uint32_t H[] = { - 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, - 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 - }; - SHA256(H, buf, size, zcp); + SHA256_CTX ctx; + zio_cksum_t tmp; + + SHA256_Init(&ctx); + SHA256_Update(&ctx, buf, size); + SHA256_Final((unsigned char *)&tmp, &ctx); + + /* + * A prior implementation of this function had a + * private SHA256 implementation always wrote things out in + * Big Endian and there wasn't a byteswap variant of it. + * To preseve on disk compatibility we need to force that + * behaviour. + */ + zcp->zc_word[0] = htobe64(tmp.zc_word[0]); + zcp->zc_word[1] = htobe64(tmp.zc_word[1]); + zcp->zc_word[2] = htobe64(tmp.zc_word[2]); + zcp->zc_word[3] = htobe64(tmp.zc_word[3]); } static void zio_checksum_SHA512_native(const void *buf, uint64_t size, const void *ctx_template __unused, zio_cksum_t *zcp) { - /* SHA-512/256 as per FIPS 180-4. */ - uint64_t H[] = { - 0x22312194FC2BF72CULL, 0x9F555FA3C84C64C2ULL, - 0x2393B86B6F53B151ULL, 0x963877195940EABDULL, - 0x96283EE2A88EFFE3ULL, 0xBE5E1E2553863992ULL, - 0x2B0199FC2C85B8AAULL, 0x0EB72DDC81C52CA2ULL - }; - SHA512(H, buf, size, zcp); + SHA512_CTX ctx; + + SHA512_256_Init(&ctx); + SHA512_256_Update(&ctx, buf, size); + SHA512_256_Final((unsigned char *)zcp, &ctx); } static void Index: sys/cddl/boot/zfs/skein_zfs.c =================================================================== --- sys/cddl/boot/zfs/skein_zfs.c +++ sys/cddl/boot/zfs/skein_zfs.c @@ -23,7 +23,7 @@ /* * Copyright 2013 Saso Kiselkov. All rights reserved. */ -#include +#include /* * Computes a native 256-bit skein MAC checksum. Please note that this Index: sys/crypto/sha2/sha256.h =================================================================== --- sys/crypto/sha2/sha256.h +++ sys/crypto/sha2/sha256.h @@ -47,6 +47,7 @@ /* Ensure libmd symbols do not clash with libcrypto */ +#ifndef _STANDALONE #ifndef SHA256_Init #define SHA256_Init _libmd_SHA256_Init #endif @@ -75,6 +76,7 @@ #ifndef SHA256_version #define SHA256_version _libmd_SHA256_version #endif +#endif void SHA256_Init(SHA256_CTX *); void SHA256_Update(SHA256_CTX *, const void *, size_t); Index: sys/crypto/sha2/sha384.h =================================================================== --- sys/crypto/sha2/sha384.h +++ sys/crypto/sha2/sha384.h @@ -46,6 +46,7 @@ __BEGIN_DECLS /* Ensure libmd symbols do not clash with libcrypto */ +#ifndef _STANDALONE #ifndef SHA384_Init #define SHA384_Init _libmd_SHA384_Init #endif @@ -71,6 +72,7 @@ #ifndef SHA384_version #define SHA384_version _libmd_SHA384_version #endif +#endif void SHA384_Init(SHA384_CTX *); void SHA384_Update(SHA384_CTX *, const void *, size_t); Index: sys/crypto/sha2/sha512.h =================================================================== --- sys/crypto/sha2/sha512.h +++ sys/crypto/sha2/sha512.h @@ -46,6 +46,7 @@ __BEGIN_DECLS /* Ensure libmd symbols do not clash with libcrypto */ +#ifndef _STANDALONE #ifndef SHA512_Init #define SHA512_Init _libmd_SHA512_Init #endif @@ -74,6 +75,7 @@ #ifndef SHA512_version #define SHA512_version _libmd_SHA512_version #endif +#endif void SHA512_Init(SHA512_CTX *); void SHA512_Update(SHA512_CTX *, const void *, size_t); Index: sys/crypto/sha2/sha512c.c =================================================================== --- sys/crypto/sha2/sha512c.c +++ sys/crypto/sha2/sha512c.c @@ -334,6 +334,7 @@ memset(ctx, 0, sizeof(*ctx)); } +#ifndef _STANDALONE /*** SHA-512t: *********************************************************/ /* * the SHA512t transforms are identical to SHA512 so reuse the existing function @@ -376,6 +377,7 @@ /* Clear the context state */ memset(ctx, 0, sizeof(*ctx)); } +#endif void SHA512_256_Init(SHA512_CTX * ctx) @@ -416,6 +418,7 @@ memset(ctx, 0, sizeof(*ctx)); } +#ifndef _STANDALONE /*** SHA-384: *********************************************************/ /* * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped @@ -465,6 +468,7 @@ /* Clear the context state */ memset(ctx, 0, sizeof(*ctx)); } +#endif #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not Index: sys/crypto/sha2/sha512t.h =================================================================== --- sys/crypto/sha2/sha512t.h +++ sys/crypto/sha2/sha512t.h @@ -43,6 +43,7 @@ __BEGIN_DECLS /* Ensure libmd symbols do not clash with libcrypto */ +#ifndef _STANDALONE #ifndef SHA512_224_Init #define SHA512_224_Init _libmd_SHA512_224_Init #endif @@ -100,6 +101,7 @@ #ifndef SHA512_256_version #define SHA512_256_version _libmd_SHA512_256_version #endif +#endif void SHA512_224_Init(SHA512_CTX *); void SHA512_224_Update(SHA512_CTX *, const void *, size_t); Index: sys/crypto/skein/skein_port.h =================================================================== --- sys/crypto/skein/skein_port.h +++ sys/crypto/skein/skein_port.h @@ -117,6 +117,7 @@ /* Start FreeBSD libmd shims */ /* Ensure libmd symbols do not clash with libcrypto */ +#ifndef _STANDALONE #ifndef SKEIN256_Init #define SKEIN256_Init _libmd_SKEIN256_Init #define SKEIN512_Init _libmd_SKEIN512_Init @@ -152,6 +153,7 @@ #define SKEIN512_Data _libmd_SKEIN512_Data #define SKEIN1024_Data _libmd_SKEIN1024_Data #endif +#endif __END_DECLS