Statistics
| Branch: | Revision:

iof-bird-daemon / lib / sha512.c @ f312a837

History | View | Annotate | Download (16 KB)

1
/*
2
 *        BIRD Library -- SHA-512 and SHA-384 Hash Functions,
3
 *                        HMAC-SHA-512 and HMAC-SHA-384 Functions
4
 *
5
 *        (c) 2015 CZ.NIC z.s.p.o.
6
 *
7
 *        Based on the code from libgcrypt-1.6.0, which is
8
 *        (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
9
 *
10
 *        Can be freely distributed and used under the terms of the GNU GPL.
11
 */
12

    
13
#include "lib/sha256.h"
14
#include "lib/sha512.h"
15
#include "lib/unaligned.h"
16

    
17
static uint sha512_transform(void *context, const byte *data, size_t nblks);
18

    
19
void
20
sha512_init(struct sha512_context *ctx)
21
{
22
  struct sha512_state *hd = &ctx->state;
23

    
24
  hd->h0 = UINT64_C(0x6a09e667f3bcc908);
25
  hd->h1 = UINT64_C(0xbb67ae8584caa73b);
26
  hd->h2 = UINT64_C(0x3c6ef372fe94f82b);
27
  hd->h3 = UINT64_C(0xa54ff53a5f1d36f1);
28
  hd->h4 = UINT64_C(0x510e527fade682d1);
29
  hd->h5 = UINT64_C(0x9b05688c2b3e6c1f);
30
  hd->h6 = UINT64_C(0x1f83d9abfb41bd6b);
31
  hd->h7 = UINT64_C(0x5be0cd19137e2179);
32

    
33
  ctx->bctx.nblocks = 0;
34
  ctx->bctx.nblocks_high = 0;
35
  ctx->bctx.count = 0;
36
  ctx->bctx.blocksize = 128;
37
  ctx->bctx.transform = sha512_transform;
38
}
39

    
40
void
41
sha384_init(struct sha384_context *ctx)
42
{
43
  struct sha512_state *hd = &ctx->state;
44

    
45
  hd->h0 = UINT64_C(0xcbbb9d5dc1059ed8);
46
  hd->h1 = UINT64_C(0x629a292a367cd507);
47
  hd->h2 = UINT64_C(0x9159015a3070dd17);
48
  hd->h3 = UINT64_C(0x152fecd8f70e5939);
49
  hd->h4 = UINT64_C(0x67332667ffc00b31);
50
  hd->h5 = UINT64_C(0x8eb44a8768581511);
51
  hd->h6 = UINT64_C(0xdb0c2e0d64f98fa7);
52
  hd->h7 = UINT64_C(0x47b5481dbefa4fa4);
53

    
54
  ctx->bctx.nblocks = 0;
55
  ctx->bctx.nblocks_high = 0;
56
  ctx->bctx.count = 0;
57
  ctx->bctx.blocksize = 128;
58
  ctx->bctx.transform = sha512_transform;
59
}
60

    
61
void sha512_update(struct sha512_context *ctx, const byte *in_buf, size_t in_len)
62
{
63
  sha256_update(&ctx->bctx, in_buf, in_len);
64
}
65

    
66
static inline u64
67
ROTR(u64 x, u64 n)
68
{
69
  return ((x >> n) | (x << (64 - n)));
70
}
71

    
72
static inline u64
73
Ch(u64 x, u64 y, u64 z)
74
{
75
  return ((x & y) ^ ( ~x & z));
76
}
77

    
78
static inline u64
79
Maj(u64 x, u64 y, u64 z)
80
{
81
  return ((x & y) ^ (x & z) ^ (y & z));
82
}
83

    
84
static inline u64
85
Sum0(u64 x)
86
{
87
  return (ROTR (x, 28) ^ ROTR (x, 34) ^ ROTR (x, 39));
88
}
89

    
90
static inline u64
91
Sum1 (u64 x)
92
{
93
  return (ROTR (x, 14) ^ ROTR (x, 18) ^ ROTR (x, 41));
94
}
95

    
96
static const u64 k[] =
97
{
98
    UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
99
    UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
100
    UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
101
    UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
102
    UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
103
    UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
104
    UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
105
    UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
106
    UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
107
    UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
108
    UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
109
    UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
110
    UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
111
    UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
112
    UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
113
    UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
114
    UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
115
    UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
116
    UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
117
    UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
118
    UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
119
    UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
120
    UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
121
    UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
122
    UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
123
    UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
124
    UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
125
    UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
126
    UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
127
    UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
128
    UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
129
    UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
130
    UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
131
    UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
132
    UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
133
    UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
134
    UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
135
    UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
136
    UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
137
    UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
138
};
139

    
140
/*
141
 * Transform the message W which consists of 16 64-bit-words
142
 */
143
static uint
144
sha512_transform_block(struct sha512_state *hd, const byte *data)
145
{
146
  u64 a, b, c, d, e, f, g, h;
147
  u64 w[16];
148
  int t;
149

    
150
  /* get values from the chaining vars */
151
  a = hd->h0;
152
  b = hd->h1;
153
  c = hd->h2;
154
  d = hd->h3;
155
  e = hd->h4;
156
  f = hd->h5;
157
  g = hd->h6;
158
  h = hd->h7;
159

    
160
  for ( t = 0; t < 16; t++ )
161
    w[t] = get_u64(data + t * 8);
162

    
163
#define S0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
164
#define S1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
165

    
166
  for (t = 0; t < 80 - 16; )
167
  {
168
    u64 t1, t2;
169

    
170
    /* Performance on a AMD Athlon(tm) Dual Core Processor 4050e
171
         with gcc 4.3.3 using gcry_md_hash_buffer of each 10000 bytes
172
         initialized to 0,1,2,3...255,0,... and 1000 iterations:
173

174
         Not unrolled with macros:  440ms
175
         Unrolled with macros:      350ms
176
         Unrolled with inline:      330ms
177
     */
178
#if 0 /* Not unrolled.  */
179
    t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[t%16];
180
    w[t%16] += S1 (w[(t - 2)%16]) + w[(t - 7)%16] + S0 (w[(t - 15)%16]);
181
    t2 = Sum0 (a) + Maj(a, b, c);
182
    h = g;
183
    g = f;
184
    f = e;
185
    e = d + t1;
186
    d = c;
187
    c = b;
188
    b = a;
189
    a = t1 + t2;
190
    t++;
191
#else /* Unrolled to interweave the chain variables.  */
192
    t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[0];
193
    w[0] += S1 (w[14]) + w[9] + S0 (w[1]);
194
    t2 = Sum0 (a) + Maj(a, b, c);
195
    d += t1;
196
    h = t1 + t2;
197

    
198
    t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+1] + w[1];
199
    w[1] += S1 (w[15]) + w[10] + S0 (w[2]);
200
    t2 = Sum0 (h) + Maj(h, a, b);
201
    c += t1;
202
    g  = t1 + t2;
203

    
204
    t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+2] + w[2];
205
    w[2] += S1 (w[0]) + w[11] + S0 (w[3]);
206
    t2 = Sum0 (g) + Maj(g, h, a);
207
    b += t1;
208
    f  = t1 + t2;
209

    
210
    t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+3] + w[3];
211
    w[3] += S1 (w[1]) + w[12] + S0 (w[4]);
212
    t2 = Sum0 (f) + Maj(f, g, h);
213
    a += t1;
214
    e  = t1 + t2;
215

    
216
    t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+4] + w[4];
217
    w[4] += S1 (w[2]) + w[13] + S0 (w[5]);
218
    t2 = Sum0 (e) + Maj(e, f, g);
219
    h += t1;
220
    d  = t1 + t2;
221

    
222
    t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+5] + w[5];
223
    w[5] += S1 (w[3]) + w[14] + S0 (w[6]);
224
    t2 = Sum0 (d) + Maj(d, e, f);
225
    g += t1;
226
    c  = t1 + t2;
227

    
228
    t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+6] + w[6];
229
    w[6] += S1 (w[4]) + w[15] + S0 (w[7]);
230
    t2 = Sum0 (c) + Maj(c, d, e);
231
    f += t1;
232
    b  = t1 + t2;
233

    
234
    t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+7] + w[7];
235
    w[7] += S1 (w[5]) + w[0] + S0 (w[8]);
236
    t2 = Sum0 (b) + Maj(b, c, d);
237
    e += t1;
238
    a  = t1 + t2;
239

    
240
    t1 = h + Sum1 (e) + Ch(e, f, g) + k[t+8] + w[8];
241
    w[8] += S1 (w[6]) + w[1] + S0 (w[9]);
242
    t2 = Sum0 (a) + Maj(a, b, c);
243
    d += t1;
244
    h  = t1 + t2;
245

    
246
    t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+9] + w[9];
247
    w[9] += S1 (w[7]) + w[2] + S0 (w[10]);
248
    t2 = Sum0 (h) + Maj(h, a, b);
249
    c += t1;
250
    g  = t1 + t2;
251

    
252
    t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+10] + w[10];
253
    w[10] += S1 (w[8]) + w[3] + S0 (w[11]);
254
    t2 = Sum0 (g) + Maj(g, h, a);
255
    b += t1;
256
    f  = t1 + t2;
257

    
258
    t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+11] + w[11];
259
    w[11] += S1 (w[9]) + w[4] + S0 (w[12]);
260
    t2 = Sum0 (f) + Maj(f, g, h);
261
    a += t1;
262
    e  = t1 + t2;
263

    
264
    t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+12] + w[12];
265
    w[12] += S1 (w[10]) + w[5] + S0 (w[13]);
266
    t2 = Sum0 (e) + Maj(e, f, g);
267
    h += t1;
268
    d  = t1 + t2;
269

    
270
    t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+13] + w[13];
271
    w[13] += S1 (w[11]) + w[6] + S0 (w[14]);
272
    t2 = Sum0 (d) + Maj(d, e, f);
273
    g += t1;
274
    c  = t1 + t2;
275

    
276
    t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+14] + w[14];
277
    w[14] += S1 (w[12]) + w[7] + S0 (w[15]);
278
    t2 = Sum0 (c) + Maj(c, d, e);
279
    f += t1;
280
    b  = t1 + t2;
281

    
282
    t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+15] + w[15];
283
    w[15] += S1 (w[13]) + w[8] + S0 (w[0]);
284
    t2 = Sum0 (b) + Maj(b, c, d);
285
    e += t1;
286
    a  = t1 + t2;
287

    
288
    t += 16;
289
#endif
290
  }
291

    
292
  for (; t < 80; )
293
  {
294
    u64 t1, t2;
295

    
296
#if 0 /* Not unrolled.  */
297
    t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[t%16];
298
    t2 = Sum0 (a) + Maj(a, b, c);
299
    h = g;
300
    g = f;
301
    f = e;
302
    e = d + t1;
303
    d = c;
304
    c = b;
305
    b = a;
306
    a = t1 + t2;
307
    t++;
308
#else /* Unrolled to interweave the chain variables.  */
309
    t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[0];
310
    t2 = Sum0 (a) + Maj(a, b, c);
311
    d += t1;
312
    h  = t1 + t2;
313

    
314
    t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+1] + w[1];
315
    t2 = Sum0 (h) + Maj(h, a, b);
316
    c += t1;
317
    g  = t1 + t2;
318

    
319
    t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+2] + w[2];
320
    t2 = Sum0 (g) + Maj(g, h, a);
321
    b += t1;
322
    f  = t1 + t2;
323

    
324
    t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+3] + w[3];
325
    t2 = Sum0 (f) + Maj(f, g, h);
326
    a += t1;
327
    e  = t1 + t2;
328

    
329
    t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+4] + w[4];
330
    t2 = Sum0 (e) + Maj(e, f, g);
331
    h += t1;
332
    d  = t1 + t2;
333

    
334
    t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+5] + w[5];
335
    t2 = Sum0 (d) + Maj(d, e, f);
336
    g += t1;
337
    c  = t1 + t2;
338

    
339
    t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+6] + w[6];
340
    t2 = Sum0 (c) + Maj(c, d, e);
341
    f += t1;
342
    b  = t1 + t2;
343

    
344
    t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+7] + w[7];
345
    t2 = Sum0 (b) + Maj(b, c, d);
346
    e += t1;
347
    a  = t1 + t2;
348

    
349
    t1 = h + Sum1 (e) + Ch(e, f, g) + k[t+8] + w[8];
350
    t2 = Sum0 (a) + Maj(a, b, c);
351
    d += t1;
352
    h  = t1 + t2;
353

    
354
    t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+9] + w[9];
355
    t2 = Sum0 (h) + Maj(h, a, b);
356
    c += t1;
357
    g  = t1 + t2;
358

    
359
    t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+10] + w[10];
360
    t2 = Sum0 (g) + Maj(g, h, a);
361
    b += t1;
362
    f  = t1 + t2;
363

    
364
    t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+11] + w[11];
365
    t2 = Sum0 (f) + Maj(f, g, h);
366
    a += t1;
367
    e  = t1 + t2;
368

    
369
    t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+12] + w[12];
370
    t2 = Sum0 (e) + Maj(e, f, g);
371
    h += t1;
372
    d  = t1 + t2;
373

    
374
    t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+13] + w[13];
375
    t2 = Sum0 (d) + Maj(d, e, f);
376
    g += t1;
377
    c  = t1 + t2;
378

    
379
    t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+14] + w[14];
380
    t2 = Sum0 (c) + Maj(c, d, e);
381
    f += t1;
382
    b  = t1 + t2;
383

    
384
    t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+15] + w[15];
385
    t2 = Sum0 (b) + Maj(b, c, d);
386
    e += t1;
387
    a  = t1 + t2;
388

    
389
    t += 16;
390
#endif
391
  }
392

    
393
  /* Update chaining vars.  */
394
  hd->h0 += a;
395
  hd->h1 += b;
396
  hd->h2 += c;
397
  hd->h3 += d;
398
  hd->h4 += e;
399
  hd->h5 += f;
400
  hd->h6 += g;
401
  hd->h7 += h;
402

    
403
  return /* burn_stack */ (8 + 16) * sizeof(u64) + sizeof(u32) + 3 * sizeof(void*);
404
}
405

    
406
static uint
407
sha512_transform(void *context, const byte *data, size_t nblks)
408
{
409
  struct sha512_context *ctx = context;
410
  uint burn;
411

    
412
  do
413
  {
414
    burn = sha512_transform_block(&ctx->state, data) + 3 * sizeof(void*);
415
    data += 128;
416
  }
417
  while(--nblks);
418

    
419
  return burn;
420
}
421

    
422
/* The routine final terminates the computation and
423
 * returns the digest.
424
 * The handle is prepared for a new cycle, but adding bytes to the
425
 * handle will the destroy the returned buffer.
426
 * Returns: 64 bytes representing the digest.  When used for sha384,
427
 * we take the leftmost 48 of those bytes.
428
 */
429
byte *
430
sha512_final(struct sha512_context *ctx)
431
{
432
  u64 t, th, msb, lsb;
433
  byte *p;
434

    
435
  sha256_update(&ctx->bctx, NULL, 0); /* flush */ ;
436

    
437
  t = ctx->bctx.nblocks;
438
  /* if (sizeof t == sizeof ctx->bctx.nblocks) */
439
  th = ctx->bctx.nblocks_high;
440
  /* else */
441
  /*   th = ctx->bctx.nblocks >> 64; In case we ever use u128  */
442

    
443
  /* multiply by 128 to make a byte count */
444
  lsb = t << 7;
445
  msb = (th << 7) | (t >> 57);
446
  /* add the count */
447
  t = lsb;
448
  if ((lsb += ctx->bctx.count) < t)
449
    msb++;
450
  /* multiply by 8 to make a bit count */
451
  t = lsb;
452
  lsb <<= 3;
453
  msb <<= 3;
454
  msb |= t >> 61;
455

    
456
  if (ctx->bctx.count < 112)
457
  {                                                /* enough room */
458
    ctx->bctx.buf[ctx->bctx.count++] = 0x80;        /* pad */
459
    while(ctx->bctx.count < 112)
460
      ctx->bctx.buf[ctx->bctx.count++] = 0;        /* pad */
461
  }
462
  else
463
  {                                                /* need one extra block */
464
    ctx->bctx.buf[ctx->bctx.count++] = 0x80;        /* pad character */
465
    while(ctx->bctx.count < 128)
466
      ctx->bctx.buf[ctx->bctx.count++] = 0;
467
    sha256_update(&ctx->bctx, NULL, 0);         /* flush */ ;
468
    memset(ctx->bctx.buf, 0, 112);                /* fill next block with zeroes */
469
  }
470
  /* append the 128 bit count */
471
  put_u64(ctx->bctx.buf + 112, msb);
472
  put_u64(ctx->bctx.buf + 120, lsb);
473
  sha512_transform(ctx, ctx->bctx.buf, 1);
474

    
475
  p = ctx->bctx.buf;
476
#define X(a) do { put_u64(p, ctx->state.h##a); p += 8; } while(0)
477
  X (0);
478
  X (1);
479
  X (2);
480
  X (3);
481
  X (4);
482
  X (5);
483
  /* Note that these last two chunks are included even for SHA384.
484
     We just ignore them. */
485
  X (6);
486
  X (7);
487
#undef X
488

    
489
  return ctx->bctx.buf;
490
}
491

    
492

    
493
/*
494
 *         SHA512-HMAC
495
 */
496

    
497
static void
498
sha512_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
499
{
500
  struct sha512_context hd_tmp;
501

    
502
  sha512_init(&hd_tmp);
503
  sha512_update(&hd_tmp, buffer, length);
504
  memcpy(outbuf, sha512_final(&hd_tmp), SHA512_SIZE);
505
}
506

    
507
void
508
sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen)
509
{
510
  byte keybuf[SHA512_BLOCK_SIZE], buf[SHA512_BLOCK_SIZE];
511

    
512
  /* Hash the key if necessary */
513
  if (keylen <= SHA512_BLOCK_SIZE)
514
  {
515
    memcpy(keybuf, key, keylen);
516
    bzero(keybuf + keylen, SHA512_BLOCK_SIZE - keylen);
517
  }
518
  else
519
  {
520
    sha512_hash_buffer(keybuf, key, keylen);
521
    bzero(keybuf + SHA512_SIZE, SHA512_BLOCK_SIZE - SHA512_SIZE);
522
  }
523

    
524
  /* Initialize the inner digest */
525
  sha512_init(&ctx->ictx);
526
  int i;
527
  for (i = 0; i < SHA512_BLOCK_SIZE; i++)
528
    buf[i] = keybuf[i] ^ 0x36;
529
  sha512_update(&ctx->ictx, buf, SHA512_BLOCK_SIZE);
530

    
531
  /* Initialize the outer digest */
532
  sha512_init(&ctx->octx);
533
  for (i = 0; i < SHA512_BLOCK_SIZE; i++)
534
    buf[i] = keybuf[i] ^ 0x5c;
535
  sha512_update(&ctx->octx, buf, SHA512_BLOCK_SIZE);
536
}
537

    
538
void sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen)
539
{
540
  /* Just update the inner digest */
541
  sha512_update(&ctx->ictx, buf, buflen);
542
}
543

    
544
byte *sha512_hmac_final(struct sha512_hmac_context *ctx)
545
{
546
  /* Finish the inner digest */
547
  byte *isha = sha512_final(&ctx->ictx);
548

    
549
  /* Finish the outer digest */
550
  sha512_update(&ctx->octx, isha, SHA512_SIZE);
551
  return sha512_final(&ctx->octx);
552
}
553

    
554

    
555
/*
556
 *         SHA384-HMAC
557
 */
558

    
559
static void
560
sha384_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
561
{
562
  struct sha384_context hd_tmp;
563

    
564
  sha384_init(&hd_tmp);
565
  sha384_update(&hd_tmp, buffer, length);
566
  memcpy(outbuf, sha384_final(&hd_tmp), SHA384_SIZE);
567
}
568

    
569
void
570
sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen)
571
{
572
  byte keybuf[SHA384_BLOCK_SIZE], buf[SHA384_BLOCK_SIZE];
573

    
574
  /* Hash the key if necessary */
575
  if (keylen <= SHA384_BLOCK_SIZE)
576
  {
577
    memcpy(keybuf, key, keylen);
578
    bzero(keybuf + keylen, SHA384_BLOCK_SIZE - keylen);
579
  }
580
  else
581
  {
582
    sha384_hash_buffer(keybuf, key, keylen);
583
    bzero(keybuf + SHA384_SIZE, SHA384_BLOCK_SIZE - SHA384_SIZE);
584
  }
585

    
586
  /* Initialize the inner digest */
587
  sha384_init(&ctx->ictx);
588
  int i;
589
  for (i = 0; i < SHA384_BLOCK_SIZE; i++)
590
    buf[i] = keybuf[i] ^ 0x36;
591
  sha384_update(&ctx->ictx, buf, SHA384_BLOCK_SIZE);
592

    
593
  /* Initialize the outer digest */
594
  sha384_init(&ctx->octx);
595
  for (i = 0; i < SHA384_BLOCK_SIZE; i++)
596
    buf[i] = keybuf[i] ^ 0x5c;
597
  sha384_update(&ctx->octx, buf, SHA384_BLOCK_SIZE);
598
}
599

    
600
void sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen)
601
{
602
  /* Just update the inner digest */
603
  sha384_update(&ctx->ictx, buf, buflen);
604
}
605

    
606
byte *sha384_hmac_final(struct sha384_hmac_context *ctx)
607
{
608
  /* Finish the inner digest */
609
  byte *isha = sha384_final(&ctx->ictx);
610

    
611
  /* Finish the outer digest */
612
  sha384_update(&ctx->octx, isha, SHA384_SIZE);
613
  return sha384_final(&ctx->octx);
614
}