kernel/kexec_file.c: move purgatories sha256 to common code

The code to verify the new kernels sha digest is applicable for all architectures. Move it to common code. One problem is the string.c implementation on x86. Currently sha256 includes x86/boot/string.h which defines memcpy and memset to be gcc builtins. By moving the sha256 implementation to common code and changing the include to linux/string.h both functions are no longer defined. Thus definitions have to be provided in x86/purgatory/string.c Link: http://lkml.kernel.org/r/20180321112751.22196-12-prudo@linux.vnet.ibm.com Signed-off-by: Philipp Rudo <prudo@linux.vnet.ibm.com> Acked-by: Dave Young <dyoung@redhat.com> Cc: AKASHI Takahiro <takahiro.akashi@linaro.org> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Ingo Molnar <mingo@kernel.org> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Philipp Rudo <prudo@linux.vnet.ibm.com> 2018-04-13 18:36:46 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-04-13 20:10:28 -0400
commit: df6f2801f511b07c08c110fe9f047a34cb40286f (patch)
tree: 71949b732c86f7ee9337adc4490b76ffdf292c0d /lib/sha256.c
parent: 3be3f61d25e04ecf90d65d52fad632af5ba8805b (diff)
1 files changed, 283 insertions, 0 deletions
diff --git a/lib/sha256.c b/lib/sha256.c
new file mode 100644
index 000000000000..4400c832e2aa
--- /dev/null
+++ b/lib/sha256.c
@@ -0,0 +1,283 @@
+/*
+ * SHA-256, as specified in
+ * http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf
+ *
+ * SHA-256 code by Jean-Luc Cooke <jlcooke@certainkey.com>.
+ *
+ * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
+ * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
+ * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
+ * Copyright (c) 2014 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ */
+#include <linux/bitops.h>
+#include <linux/sha256.h>
+#include <linux/string.h>
+#include <asm/byteorder.h>
+static inline u32 Ch(u32 x, u32 y, u32 z)
+{
+        return z ^ (x & (y ^ z));
+}
+static inline u32 Maj(u32 x, u32 y, u32 z)
+{
+        return (x & y) | (z & (x | y));
+}
+#define e0(x)       (ror32(x, 2) ^ ror32(x, 13) ^ ror32(x, 22))
+#define e1(x)       (ror32(x, 6) ^ ror32(x, 11) ^ ror32(x, 25))
+#define s0(x)       (ror32(x, 7) ^ ror32(x, 18) ^ (x >> 3))
+#define s1(x)       (ror32(x, 17) ^ ror32(x, 19) ^ (x >> 10))
+static inline void LOAD_OP(int I, u32 *W, const u8 *input)
+{
+        W[I] = __be32_to_cpu(((__be32 *)(input))[I]);
+}
+static inline void BLEND_OP(int I, u32 *W)
+{
+        W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
+}
+static void sha256_transform(u32 *state, const u8 *input)
+{
+        u32 a, b, c, d, e, f, g, h, t1, t2;
+        u32 W[64];
+        int i;
+        /* load the input */
+        for (i = 0; i < 16; i++)
+                LOAD_OP(i, W, input);
+        /* now blend */
+        for (i = 16; i < 64; i++)
+                BLEND_OP(i, W);
+        /* load the state into our registers */
+        a = state[0];  b = state[1];  c = state[2];  d = state[3];
+        e = state[4];  f = state[5];  g = state[6];  h = state[7];
+        /* now iterate */
+        t1 = h + e1(e) + Ch(e, f, g) + 0x428a2f98 + W[0];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0x71374491 + W[1];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0xb5c0fbcf + W[2];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0xe9b5dba5 + W[3];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0x3956c25b + W[4];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0x59f111f1 + W[5];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0x923f82a4 + W[6];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0xab1c5ed5 + W[7];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
+        t1 = h + e1(e) + Ch(e, f, g) + 0xd807aa98 + W[8];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0x12835b01 + W[9];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0x243185be + W[10];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0x550c7dc3 + W[11];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0x72be5d74 + W[12];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0x80deb1fe + W[13];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0x9bdc06a7 + W[14];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0xc19bf174 + W[15];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+        t1 = h + e1(e) + Ch(e, f, g) + 0xe49b69c1 + W[16];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0xefbe4786 + W[17];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0x0fc19dc6 + W[18];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0x240ca1cc + W[19];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0x2de92c6f + W[20];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0x4a7484aa + W[21];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0x5cb0a9dc + W[22];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0x76f988da + W[23];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+        t1 = h + e1(e) + Ch(e, f, g) + 0x983e5152 + W[24];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0xa831c66d + W[25];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0xb00327c8 + W[26];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0xbf597fc7 + W[27];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0xc6e00bf3 + W[28];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0xd5a79147 + W[29];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0x06ca6351 + W[30];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0x14292967 + W[31];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+        t1 = h + e1(e) + Ch(e, f, g) + 0x27b70a85 + W[32];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0x2e1b2138 + W[33];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0x4d2c6dfc + W[34];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0x53380d13 + W[35];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0x650a7354 + W[36];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0x766a0abb + W[37];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0x81c2c92e + W[38];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0x92722c85 + W[39];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+        t1 = h + e1(e) + Ch(e, f, g) + 0xa2bfe8a1 + W[40];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0xa81a664b + W[41];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0xc24b8b70 + W[42];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0xc76c51a3 + W[43];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0xd192e819 + W[44];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0xd6990624 + W[45];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0xf40e3585 + W[46];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0x106aa070 + W[47];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+        t1 = h + e1(e) + Ch(e, f, g) + 0x19a4c116 + W[48];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0x1e376c08 + W[49];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0x2748774c + W[50];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0x34b0bcb5 + W[51];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0x391c0cb3 + W[52];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0x4ed8aa4a + W[53];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0x5b9cca4f + W[54];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0x682e6ff3 + W[55];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+        t1 = h + e1(e) + Ch(e, f, g) + 0x748f82ee + W[56];
+        t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+        t1 = g + e1(d) + Ch(d, e, f) + 0x78a5636f + W[57];
+        t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+        t1 = f + e1(c) + Ch(c, d, e) + 0x84c87814 + W[58];
+        t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+        t1 = e + e1(b) + Ch(b, c, d) + 0x8cc70208 + W[59];
+        t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+        t1 = d + e1(a) + Ch(a, b, c) + 0x90befffa + W[60];
+        t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+        t1 = c + e1(h) + Ch(h, a, b) + 0xa4506ceb + W[61];
+        t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+        t1 = b + e1(g) + Ch(g, h, a) + 0xbef9a3f7 + W[62];
+        t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+        t1 = a + e1(f) + Ch(f, g, h) + 0xc67178f2 + W[63];
+        t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+        state[0] += a; state[1] += b; state[2] += c; state[3] += d;
+        state[4] += e; state[5] += f; state[6] += g; state[7] += h;
+        /* clear any sensitive info... */
+        a = b = c = d = e = f = g = h = t1 = t2 = 0;
+        memset(W, 0, 64 * sizeof(u32));
+}
+int sha256_init(struct sha256_state *sctx)
+{
+        sctx->state[0] = SHA256_H0;
+        sctx->state[1] = SHA256_H1;
+        sctx->state[2] = SHA256_H2;
+        sctx->state[3] = SHA256_H3;
+        sctx->state[4] = SHA256_H4;
+        sctx->state[5] = SHA256_H5;
+        sctx->state[6] = SHA256_H6;
+        sctx->state[7] = SHA256_H7;
+        sctx->count = 0;
+        return 0;
+}
+int sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
+{
+        unsigned int partial, done;
+        const u8 *src;
+        partial = sctx->count & 0x3f;
+        sctx->count += len;
+        done = 0;
+        src = data;
+        if ((partial + len) > 63) {
+                if (partial) {
+                        done = -partial;
+                        memcpy(sctx->buf + partial, data, done + 64);
+                        src = sctx->buf;
+                }
+                do {
+                        sha256_transform(sctx->state, src);
+                        done += 64;
+                        src = data + done;
+                } while (done + 63 < len);
+                partial = 0;
+        }
+        memcpy(sctx->buf + partial, src, len - done);
+        return 0;
+}
+int sha256_final(struct sha256_state *sctx, u8 *out)
+{
+        __be32 *dst = (__be32 *)out;
+        __be64 bits;
+        unsigned int index, pad_len;
+        int i;
+        static const u8 padding[64] = { 0x80, };
+        /* Save number of bits */
+        bits = cpu_to_be64(sctx->count << 3);
+        /* Pad out to 56 mod 64. */
+        index = sctx->count & 0x3f;
+        pad_len = (index < 56) ? (56 - index) : ((64+56) - index);
+        sha256_update(sctx, padding, pad_len);
+        /* Append length (before padding) */
+        sha256_update(sctx, (const u8 *)&bits, sizeof(bits));
+        /* Store state in digest */
+        for (i = 0; i < 8; i++)
+                dst[i] = cpu_to_be32(sctx->state[i]);
+        /* Zeroize sensitive information. */
+        memset(sctx, 0, sizeof(*sctx));
+        return 0;
+}
author	Philipp Rudo <prudo@linux.vnet.ibm.com>	2018-04-13 18:36:46 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-04-13 20:10:28 -0400
commit	df6f2801f511b07c08c110fe9f047a34cb40286f (patch)
tree	71949b732c86f7ee9337adc4490b76ffdf292c0d /lib/sha256.c
parent	3be3f61d25e04ecf90d65d52fad632af5ba8805b (diff)

diff --git a/lib/sha256.c b/lib/sha256.c new file mode 100644 index 000000000000..4400c832e2aa --- /dev/null +++ b/lib/sha256.c
@@ -0,0 +1,283 @@
	1	/*
	2	* SHA-256, as specified in
	3	* http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf
	4	*
	5	* SHA-256 code by Jean-Luc Cooke <jlcooke@certainkey.com>.
	6	*
	7	* Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
	8	* Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
	9	* Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
	10	* Copyright (c) 2014 Red Hat Inc.
	11	*
	12	* This program is free software; you can redistribute it and/or modify it
	13	* under the terms of the GNU General Public License as published by the Free
	14	* Software Foundation; either version 2 of the License, or (at your option)
	15	* any later version.
	16	*/
	17
	18	#include <linux/bitops.h>
	19	#include <linux/sha256.h>
	20	#include <linux/string.h>
	21	#include <asm/byteorder.h>
	22
	23	static inline u32 Ch(u32 x, u32 y, u32 z)
	24	{
	25	return z ^ (x & (y ^ z));
	26	}
	27
	28	static inline u32 Maj(u32 x, u32 y, u32 z)
	29	{
	30	return (x & y) \| (z & (x \| y));
	31	}
	32
	33	#define e0(x) (ror32(x, 2) ^ ror32(x, 13) ^ ror32(x, 22))
	34	#define e1(x) (ror32(x, 6) ^ ror32(x, 11) ^ ror32(x, 25))
	35	#define s0(x) (ror32(x, 7) ^ ror32(x, 18) ^ (x >> 3))
	36	#define s1(x) (ror32(x, 17) ^ ror32(x, 19) ^ (x >> 10))
	37
	38	static inline void LOAD_OP(int I, u32 W, const u8 input)
	39	{
	40	W[I] = __be32_to_cpu(((__be32 *)(input))[I]);
	41	}
	42
	43	static inline void BLEND_OP(int I, u32 *W)
	44	{
	45	W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
	46	}
	47
	48	static void sha256_transform(u32 state, const u8 input)
	49	{
	50	u32 a, b, c, d, e, f, g, h, t1, t2;
	51	u32 W[64];
	52	int i;
	53
	54	/* load the input */
	55	for (i = 0; i < 16; i++)
	56	LOAD_OP(i, W, input);
	57
	58	/* now blend */
	59	for (i = 16; i < 64; i++)
	60	BLEND_OP(i, W);
	61
	62	/* load the state into our registers */
	63	a = state[0]; b = state[1]; c = state[2]; d = state[3];
	64	e = state[4]; f = state[5]; g = state[6]; h = state[7];
	65
	66	/* now iterate */
	67	t1 = h + e1(e) + Ch(e, f, g) + 0x428a2f98 + W[0];
	68	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1 + t2;
	69	t1 = g + e1(d) + Ch(d, e, f) + 0x71374491 + W[1];
	70	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1 + t2;
	71	t1 = f + e1(c) + Ch(c, d, e) + 0xb5c0fbcf + W[2];
	72	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1 + t2;
	73	t1 = e + e1(b) + Ch(b, c, d) + 0xe9b5dba5 + W[3];
	74	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1 + t2;
	75	t1 = d + e1(a) + Ch(a, b, c) + 0x3956c25b + W[4];
	76	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1 + t2;
	77	t1 = c + e1(h) + Ch(h, a, b) + 0x59f111f1 + W[5];
	78	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1 + t2;
	79	t1 = b + e1(g) + Ch(g, h, a) + 0x923f82a4 + W[6];
	80	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1 + t2;
	81	t1 = a + e1(f) + Ch(f, g, h) + 0xab1c5ed5 + W[7];
	82	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1 + t2;
	83
	84	t1 = h + e1(e) + Ch(e, f, g) + 0xd807aa98 + W[8];
	85	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1 + t2;
	86	t1 = g + e1(d) + Ch(d, e, f) + 0x12835b01 + W[9];
	87	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1 + t2;
	88	t1 = f + e1(c) + Ch(c, d, e) + 0x243185be + W[10];
	89	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1 + t2;
	90	t1 = e + e1(b) + Ch(b, c, d) + 0x550c7dc3 + W[11];
	91	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1 + t2;
	92	t1 = d + e1(a) + Ch(a, b, c) + 0x72be5d74 + W[12];
	93	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1 + t2;
	94	t1 = c + e1(h) + Ch(h, a, b) + 0x80deb1fe + W[13];
	95	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1 + t2;
	96	t1 = b + e1(g) + Ch(g, h, a) + 0x9bdc06a7 + W[14];
	97	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1 + t2;
	98	t1 = a + e1(f) + Ch(f, g, h) + 0xc19bf174 + W[15];
	99	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1+t2;
	100
	101	t1 = h + e1(e) + Ch(e, f, g) + 0xe49b69c1 + W[16];
	102	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1+t2;
	103	t1 = g + e1(d) + Ch(d, e, f) + 0xefbe4786 + W[17];
	104	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1+t2;
	105	t1 = f + e1(c) + Ch(c, d, e) + 0x0fc19dc6 + W[18];
	106	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1+t2;
	107	t1 = e + e1(b) + Ch(b, c, d) + 0x240ca1cc + W[19];
	108	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1+t2;
	109	t1 = d + e1(a) + Ch(a, b, c) + 0x2de92c6f + W[20];
	110	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1+t2;
	111	t1 = c + e1(h) + Ch(h, a, b) + 0x4a7484aa + W[21];
	112	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1+t2;
	113	t1 = b + e1(g) + Ch(g, h, a) + 0x5cb0a9dc + W[22];
	114	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1+t2;
	115	t1 = a + e1(f) + Ch(f, g, h) + 0x76f988da + W[23];
	116	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1+t2;
	117
	118	t1 = h + e1(e) + Ch(e, f, g) + 0x983e5152 + W[24];
	119	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1+t2;
	120	t1 = g + e1(d) + Ch(d, e, f) + 0xa831c66d + W[25];
	121	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1+t2;
	122	t1 = f + e1(c) + Ch(c, d, e) + 0xb00327c8 + W[26];
	123	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1+t2;
	124	t1 = e + e1(b) + Ch(b, c, d) + 0xbf597fc7 + W[27];
	125	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1+t2;
	126	t1 = d + e1(a) + Ch(a, b, c) + 0xc6e00bf3 + W[28];
	127	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1+t2;
	128	t1 = c + e1(h) + Ch(h, a, b) + 0xd5a79147 + W[29];
	129	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1+t2;
	130	t1 = b + e1(g) + Ch(g, h, a) + 0x06ca6351 + W[30];
	131	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1+t2;
	132	t1 = a + e1(f) + Ch(f, g, h) + 0x14292967 + W[31];
	133	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1+t2;
	134
	135	t1 = h + e1(e) + Ch(e, f, g) + 0x27b70a85 + W[32];
	136	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1+t2;
	137	t1 = g + e1(d) + Ch(d, e, f) + 0x2e1b2138 + W[33];
	138	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1+t2;
	139	t1 = f + e1(c) + Ch(c, d, e) + 0x4d2c6dfc + W[34];
	140	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1+t2;
	141	t1 = e + e1(b) + Ch(b, c, d) + 0x53380d13 + W[35];
	142	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1+t2;
	143	t1 = d + e1(a) + Ch(a, b, c) + 0x650a7354 + W[36];
	144	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1+t2;
	145	t1 = c + e1(h) + Ch(h, a, b) + 0x766a0abb + W[37];
	146	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1+t2;
	147	t1 = b + e1(g) + Ch(g, h, a) + 0x81c2c92e + W[38];
	148	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1+t2;
	149	t1 = a + e1(f) + Ch(f, g, h) + 0x92722c85 + W[39];
	150	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1+t2;
	151
	152	t1 = h + e1(e) + Ch(e, f, g) + 0xa2bfe8a1 + W[40];
	153	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1+t2;
	154	t1 = g + e1(d) + Ch(d, e, f) + 0xa81a664b + W[41];
	155	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1+t2;
	156	t1 = f + e1(c) + Ch(c, d, e) + 0xc24b8b70 + W[42];
	157	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1+t2;
	158	t1 = e + e1(b) + Ch(b, c, d) + 0xc76c51a3 + W[43];
	159	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1+t2;
	160	t1 = d + e1(a) + Ch(a, b, c) + 0xd192e819 + W[44];
	161	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1+t2;
	162	t1 = c + e1(h) + Ch(h, a, b) + 0xd6990624 + W[45];
	163	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1+t2;
	164	t1 = b + e1(g) + Ch(g, h, a) + 0xf40e3585 + W[46];
	165	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1+t2;
	166	t1 = a + e1(f) + Ch(f, g, h) + 0x106aa070 + W[47];
	167	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1+t2;
	168
	169	t1 = h + e1(e) + Ch(e, f, g) + 0x19a4c116 + W[48];
	170	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1+t2;
	171	t1 = g + e1(d) + Ch(d, e, f) + 0x1e376c08 + W[49];
	172	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1+t2;
	173	t1 = f + e1(c) + Ch(c, d, e) + 0x2748774c + W[50];
	174	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1+t2;
	175	t1 = e + e1(b) + Ch(b, c, d) + 0x34b0bcb5 + W[51];
	176	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1+t2;
	177	t1 = d + e1(a) + Ch(a, b, c) + 0x391c0cb3 + W[52];
	178	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1+t2;
	179	t1 = c + e1(h) + Ch(h, a, b) + 0x4ed8aa4a + W[53];
	180	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1+t2;
	181	t1 = b + e1(g) + Ch(g, h, a) + 0x5b9cca4f + W[54];
	182	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1+t2;
	183	t1 = a + e1(f) + Ch(f, g, h) + 0x682e6ff3 + W[55];
	184	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1+t2;
	185
	186	t1 = h + e1(e) + Ch(e, f, g) + 0x748f82ee + W[56];
	187	t2 = e0(a) + Maj(a, b, c); d += t1; h = t1+t2;
	188	t1 = g + e1(d) + Ch(d, e, f) + 0x78a5636f + W[57];
	189	t2 = e0(h) + Maj(h, a, b); c += t1; g = t1+t2;
	190	t1 = f + e1(c) + Ch(c, d, e) + 0x84c87814 + W[58];
	191	t2 = e0(g) + Maj(g, h, a); b += t1; f = t1+t2;
	192	t1 = e + e1(b) + Ch(b, c, d) + 0x8cc70208 + W[59];
	193	t2 = e0(f) + Maj(f, g, h); a += t1; e = t1+t2;
	194	t1 = d + e1(a) + Ch(a, b, c) + 0x90befffa + W[60];
	195	t2 = e0(e) + Maj(e, f, g); h += t1; d = t1+t2;
	196	t1 = c + e1(h) + Ch(h, a, b) + 0xa4506ceb + W[61];
	197	t2 = e0(d) + Maj(d, e, f); g += t1; c = t1+t2;
	198	t1 = b + e1(g) + Ch(g, h, a) + 0xbef9a3f7 + W[62];
	199	t2 = e0(c) + Maj(c, d, e); f += t1; b = t1+t2;
	200	t1 = a + e1(f) + Ch(f, g, h) + 0xc67178f2 + W[63];
	201	t2 = e0(b) + Maj(b, c, d); e += t1; a = t1+t2;
	202
	203	state[0] += a; state[1] += b; state[2] += c; state[3] += d;
	204	state[4] += e; state[5] += f; state[6] += g; state[7] += h;
	205
	206	/* clear any sensitive info... */
	207	a = b = c = d = e = f = g = h = t1 = t2 = 0;
	208	memset(W, 0, 64 * sizeof(u32));
	209	}
	210
	211	int sha256_init(struct sha256_state *sctx)
	212	{
	213	sctx->state[0] = SHA256_H0;
	214	sctx->state[1] = SHA256_H1;
	215	sctx->state[2] = SHA256_H2;
	216	sctx->state[3] = SHA256_H3;
	217	sctx->state[4] = SHA256_H4;
	218	sctx->state[5] = SHA256_H5;
	219	sctx->state[6] = SHA256_H6;
	220	sctx->state[7] = SHA256_H7;
	221	sctx->count = 0;
	222
	223	return 0;
	224	}
	225
	226	int sha256_update(struct sha256_state sctx, const u8 data, unsigned int len)
	227	{
	228	unsigned int partial, done;
	229	const u8 *src;
	230
	231	partial = sctx->count & 0x3f;
	232	sctx->count += len;
	233	done = 0;
	234	src = data;
	235
	236	if ((partial + len) > 63) {
	237	if (partial) {
	238	done = -partial;
	239	memcpy(sctx->buf + partial, data, done + 64);
	240	src = sctx->buf;
	241	}
	242
	243	do {
	244	sha256_transform(sctx->state, src);
	245	done += 64;
	246	src = data + done;
	247	} while (done + 63 < len);
	248
	249	partial = 0;
	250	}
	251	memcpy(sctx->buf + partial, src, len - done);
	252
	253	return 0;
	254	}
	255
	256	int sha256_final(struct sha256_state sctx, u8 out)
	257	{
	258	__be32 dst = (__be32 )out;
	259	__be64 bits;
	260	unsigned int index, pad_len;
	261	int i;
	262	static const u8 padding[64] = { 0x80, };
	263
	264	/* Save number of bits */
	265	bits = cpu_to_be64(sctx->count << 3);
	266
	267	/* Pad out to 56 mod 64. */
	268	index = sctx->count & 0x3f;
	269	pad_len = (index < 56) ? (56 - index) : ((64+56) - index);
	270	sha256_update(sctx, padding, pad_len);
	271
	272	/* Append length (before padding) */
	273	sha256_update(sctx, (const u8 *)&bits, sizeof(bits));
	274
	275	/* Store state in digest */
	276	for (i = 0; i < 8; i++)
	277	dst[i] = cpu_to_be32(sctx->state[i]);
	278
	279	/* Zeroize sensitive information. */
	280	memset(sctx, 0, sizeof(*sctx));
	281
	282	return 0;
	283	}