iofbirddaemon / lib / sha512.c @ f312a837
History  View  Annotate  Download (16 KB)
1 
/*


2 
* BIRD Library  SHA512 and SHA384 Hash Functions,

3 
* HMACSHA512 and HMACSHA384 Functions

4 
*

5 
* (c) 2015 CZ.NIC z.s.p.o.

6 
*

7 
* Based on the code from libgcrypt1.6.0, which is

8 
* (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.

9 
*

10 
* Can be freely distributed and used under the terms of the GNU GPL.

11 
*/

12  
13 
#include "lib/sha256.h" 
14 
#include "lib/sha512.h" 
15 
#include "lib/unaligned.h" 
16  
17 
static uint sha512_transform(void *context, const byte *data, size_t nblks); 
18  
19 
void

20 
sha512_init(struct sha512_context *ctx)

21 
{ 
22 
struct sha512_state *hd = &ctx>state;

23  
24 
hd>h0 = UINT64_C(0x6a09e667f3bcc908);

25 
hd>h1 = UINT64_C(0xbb67ae8584caa73b);

26 
hd>h2 = UINT64_C(0x3c6ef372fe94f82b);

27 
hd>h3 = UINT64_C(0xa54ff53a5f1d36f1);

28 
hd>h4 = UINT64_C(0x510e527fade682d1);

29 
hd>h5 = UINT64_C(0x9b05688c2b3e6c1f);

30 
hd>h6 = UINT64_C(0x1f83d9abfb41bd6b);

31 
hd>h7 = UINT64_C(0x5be0cd19137e2179);

32  
33 
ctx>bctx.nblocks = 0;

34 
ctx>bctx.nblocks_high = 0;

35 
ctx>bctx.count = 0;

36 
ctx>bctx.blocksize = 128;

37 
ctx>bctx.transform = sha512_transform; 
38 
} 
39  
40 
void

41 
sha384_init(struct sha384_context *ctx)

42 
{ 
43 
struct sha512_state *hd = &ctx>state;

44  
45 
hd>h0 = UINT64_C(0xcbbb9d5dc1059ed8);

46 
hd>h1 = UINT64_C(0x629a292a367cd507);

47 
hd>h2 = UINT64_C(0x9159015a3070dd17);

48 
hd>h3 = UINT64_C(0x152fecd8f70e5939);

49 
hd>h4 = UINT64_C(0x67332667ffc00b31);

50 
hd>h5 = UINT64_C(0x8eb44a8768581511);

51 
hd>h6 = UINT64_C(0xdb0c2e0d64f98fa7);

52 
hd>h7 = UINT64_C(0x47b5481dbefa4fa4);

53  
54 
ctx>bctx.nblocks = 0;

55 
ctx>bctx.nblocks_high = 0;

56 
ctx>bctx.count = 0;

57 
ctx>bctx.blocksize = 128;

58 
ctx>bctx.transform = sha512_transform; 
59 
} 
60  
61 
void sha512_update(struct sha512_context *ctx, const byte *in_buf, size_t in_len) 
62 
{ 
63 
sha256_update(&ctx>bctx, in_buf, in_len); 
64 
} 
65  
66 
static inline u64 
67 
ROTR(u64 x, u64 n) 
68 
{ 
69 
return ((x >> n)  (x << (64  n))); 
70 
} 
71  
72 
static inline u64 
73 
Ch(u64 x, u64 y, u64 z) 
74 
{ 
75 
return ((x & y) ^ ( ~x & z));

76 
} 
77  
78 
static inline u64 
79 
Maj(u64 x, u64 y, u64 z) 
80 
{ 
81 
return ((x & y) ^ (x & z) ^ (y & z));

82 
} 
83  
84 
static inline u64 
85 
Sum0(u64 x) 
86 
{ 
87 
return (ROTR (x, 28) ^ ROTR (x, 34) ^ ROTR (x, 39)); 
88 
} 
89  
90 
static inline u64 
91 
Sum1 (u64 x) 
92 
{ 
93 
return (ROTR (x, 14) ^ ROTR (x, 18) ^ ROTR (x, 41)); 
94 
} 
95  
96 
static const u64 k[] = 
97 
{ 
98 
UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd), 
99 
UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc), 
100 
UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019), 
101 
UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118), 
102 
UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe), 
103 
UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2), 
104 
UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1), 
105 
UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694), 
106 
UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3), 
107 
UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65), 
108 
UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483), 
109 
UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5), 
110 
UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210), 
111 
UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4), 
112 
UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725), 
113 
UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70), 
114 
UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926), 
115 
UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df), 
116 
UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8), 
117 
UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b), 
118 
UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001), 
119 
UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30), 
120 
UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910), 
121 
UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8), 
122 
UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53), 
123 
UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8), 
124 
UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb), 
125 
UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3), 
126 
UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60), 
127 
UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec), 
128 
UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9), 
129 
UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b), 
130 
UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207), 
131 
UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178), 
132 
UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6), 
133 
UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b), 
134 
UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493), 
135 
UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c), 
136 
UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a), 
137 
UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817) 
138 
}; 
139  
140 
/*

141 
* Transform the message W which consists of 16 64bitwords

142 
*/

143 
static uint

144 
sha512_transform_block(struct sha512_state *hd, const byte *data) 
145 
{ 
146 
u64 a, b, c, d, e, f, g, h; 
147 
u64 w[16];

148 
int t;

149  
150 
/* get values from the chaining vars */

151 
a = hd>h0; 
152 
b = hd>h1; 
153 
c = hd>h2; 
154 
d = hd>h3; 
155 
e = hd>h4; 
156 
f = hd>h5; 
157 
g = hd>h6; 
158 
h = hd>h7; 
159  
160 
for ( t = 0; t < 16; t++ ) 
161 
w[t] = get_u64(data + t * 8);

162  
163 
#define S0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) 
164 
#define S1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) 
165  
166 
for (t = 0; t < 80  16; ) 
167 
{ 
168 
u64 t1, t2; 
169  
170 
/* Performance on a AMD Athlon(tm) Dual Core Processor 4050e

171 
with gcc 4.3.3 using gcry_md_hash_buffer of each 10000 bytes

172 
initialized to 0,1,2,3...255,0,... and 1000 iterations:

173 

174 
Not unrolled with macros: 440ms

175 
Unrolled with macros: 350ms

176 
Unrolled with inline: 330ms

177 
*/

178 
#if 0 /* Not unrolled. */

179 
t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[t%16];

180 
w[t%16] += S1 (w[(t  2)%16]) + w[(t  7)%16] + S0 (w[(t  15)%16]);

181 
t2 = Sum0 (a) + Maj(a, b, c);

182 
h = g;

183 
g = f;

184 
f = e;

185 
e = d + t1;

186 
d = c;

187 
c = b;

188 
b = a;

189 
a = t1 + t2;

190 
t++;

191 
#else /* Unrolled to interweave the chain variables. */

192 
t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[0];

193 
w[0] += S1 (w[14]) + w[9] + S0 (w[1]); 
194 
t2 = Sum0 (a) + Maj(a, b, c); 
195 
d += t1; 
196 
h = t1 + t2; 
197  
198 
t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+1] + w[1]; 
199 
w[1] += S1 (w[15]) + w[10] + S0 (w[2]); 
200 
t2 = Sum0 (h) + Maj(h, a, b); 
201 
c += t1; 
202 
g = t1 + t2; 
203  
204 
t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+2] + w[2]; 
205 
w[2] += S1 (w[0]) + w[11] + S0 (w[3]); 
206 
t2 = Sum0 (g) + Maj(g, h, a); 
207 
b += t1; 
208 
f = t1 + t2; 
209  
210 
t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+3] + w[3]; 
211 
w[3] += S1 (w[1]) + w[12] + S0 (w[4]); 
212 
t2 = Sum0 (f) + Maj(f, g, h); 
213 
a += t1; 
214 
e = t1 + t2; 
215  
216 
t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+4] + w[4]; 
217 
w[4] += S1 (w[2]) + w[13] + S0 (w[5]); 
218 
t2 = Sum0 (e) + Maj(e, f, g); 
219 
h += t1; 
220 
d = t1 + t2; 
221  
222 
t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+5] + w[5]; 
223 
w[5] += S1 (w[3]) + w[14] + S0 (w[6]); 
224 
t2 = Sum0 (d) + Maj(d, e, f); 
225 
g += t1; 
226 
c = t1 + t2; 
227  
228 
t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+6] + w[6]; 
229 
w[6] += S1 (w[4]) + w[15] + S0 (w[7]); 
230 
t2 = Sum0 (c) + Maj(c, d, e); 
231 
f += t1; 
232 
b = t1 + t2; 
233  
234 
t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+7] + w[7]; 
235 
w[7] += S1 (w[5]) + w[0] + S0 (w[8]); 
236 
t2 = Sum0 (b) + Maj(b, c, d); 
237 
e += t1; 
238 
a = t1 + t2; 
239  
240 
t1 = h + Sum1 (e) + Ch(e, f, g) + k[t+8] + w[8]; 
241 
w[8] += S1 (w[6]) + w[1] + S0 (w[9]); 
242 
t2 = Sum0 (a) + Maj(a, b, c); 
243 
d += t1; 
244 
h = t1 + t2; 
245  
246 
t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+9] + w[9]; 
247 
w[9] += S1 (w[7]) + w[2] + S0 (w[10]); 
248 
t2 = Sum0 (h) + Maj(h, a, b); 
249 
c += t1; 
250 
g = t1 + t2; 
251  
252 
t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+10] + w[10]; 
253 
w[10] += S1 (w[8]) + w[3] + S0 (w[11]); 
254 
t2 = Sum0 (g) + Maj(g, h, a); 
255 
b += t1; 
256 
f = t1 + t2; 
257  
258 
t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+11] + w[11]; 
259 
w[11] += S1 (w[9]) + w[4] + S0 (w[12]); 
260 
t2 = Sum0 (f) + Maj(f, g, h); 
261 
a += t1; 
262 
e = t1 + t2; 
263  
264 
t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+12] + w[12]; 
265 
w[12] += S1 (w[10]) + w[5] + S0 (w[13]); 
266 
t2 = Sum0 (e) + Maj(e, f, g); 
267 
h += t1; 
268 
d = t1 + t2; 
269  
270 
t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+13] + w[13]; 
271 
w[13] += S1 (w[11]) + w[6] + S0 (w[14]); 
272 
t2 = Sum0 (d) + Maj(d, e, f); 
273 
g += t1; 
274 
c = t1 + t2; 
275  
276 
t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+14] + w[14]; 
277 
w[14] += S1 (w[12]) + w[7] + S0 (w[15]); 
278 
t2 = Sum0 (c) + Maj(c, d, e); 
279 
f += t1; 
280 
b = t1 + t2; 
281  
282 
t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+15] + w[15]; 
283 
w[15] += S1 (w[13]) + w[8] + S0 (w[0]); 
284 
t2 = Sum0 (b) + Maj(b, c, d); 
285 
e += t1; 
286 
a = t1 + t2; 
287  
288 
t += 16;

289 
#endif

290 
} 
291  
292 
for (; t < 80; ) 
293 
{ 
294 
u64 t1, t2; 
295  
296 
#if 0 /* Not unrolled. */

297 
t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[t%16];

298 
t2 = Sum0 (a) + Maj(a, b, c);

299 
h = g;

300 
g = f;

301 
f = e;

302 
e = d + t1;

303 
d = c;

304 
c = b;

305 
b = a;

306 
a = t1 + t2;

307 
t++;

308 
#else /* Unrolled to interweave the chain variables. */

309 
t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[0];

310 
t2 = Sum0 (a) + Maj(a, b, c); 
311 
d += t1; 
312 
h = t1 + t2; 
313  
314 
t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+1] + w[1]; 
315 
t2 = Sum0 (h) + Maj(h, a, b); 
316 
c += t1; 
317 
g = t1 + t2; 
318  
319 
t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+2] + w[2]; 
320 
t2 = Sum0 (g) + Maj(g, h, a); 
321 
b += t1; 
322 
f = t1 + t2; 
323  
324 
t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+3] + w[3]; 
325 
t2 = Sum0 (f) + Maj(f, g, h); 
326 
a += t1; 
327 
e = t1 + t2; 
328  
329 
t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+4] + w[4]; 
330 
t2 = Sum0 (e) + Maj(e, f, g); 
331 
h += t1; 
332 
d = t1 + t2; 
333  
334 
t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+5] + w[5]; 
335 
t2 = Sum0 (d) + Maj(d, e, f); 
336 
g += t1; 
337 
c = t1 + t2; 
338  
339 
t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+6] + w[6]; 
340 
t2 = Sum0 (c) + Maj(c, d, e); 
341 
f += t1; 
342 
b = t1 + t2; 
343  
344 
t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+7] + w[7]; 
345 
t2 = Sum0 (b) + Maj(b, c, d); 
346 
e += t1; 
347 
a = t1 + t2; 
348  
349 
t1 = h + Sum1 (e) + Ch(e, f, g) + k[t+8] + w[8]; 
350 
t2 = Sum0 (a) + Maj(a, b, c); 
351 
d += t1; 
352 
h = t1 + t2; 
353  
354 
t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+9] + w[9]; 
355 
t2 = Sum0 (h) + Maj(h, a, b); 
356 
c += t1; 
357 
g = t1 + t2; 
358  
359 
t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+10] + w[10]; 
360 
t2 = Sum0 (g) + Maj(g, h, a); 
361 
b += t1; 
362 
f = t1 + t2; 
363  
364 
t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+11] + w[11]; 
365 
t2 = Sum0 (f) + Maj(f, g, h); 
366 
a += t1; 
367 
e = t1 + t2; 
368  
369 
t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+12] + w[12]; 
370 
t2 = Sum0 (e) + Maj(e, f, g); 
371 
h += t1; 
372 
d = t1 + t2; 
373  
374 
t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+13] + w[13]; 
375 
t2 = Sum0 (d) + Maj(d, e, f); 
376 
g += t1; 
377 
c = t1 + t2; 
378  
379 
t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+14] + w[14]; 
380 
t2 = Sum0 (c) + Maj(c, d, e); 
381 
f += t1; 
382 
b = t1 + t2; 
383  
384 
t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+15] + w[15]; 
385 
t2 = Sum0 (b) + Maj(b, c, d); 
386 
e += t1; 
387 
a = t1 + t2; 
388  
389 
t += 16;

390 
#endif

391 
} 
392  
393 
/* Update chaining vars. */

394 
hd>h0 += a; 
395 
hd>h1 += b; 
396 
hd>h2 += c; 
397 
hd>h3 += d; 
398 
hd>h4 += e; 
399 
hd>h5 += f; 
400 
hd>h6 += g; 
401 
hd>h7 += h; 
402  
403 
return /* burn_stack */ (8 + 16) * sizeof(u64) + sizeof(u32) + 3 * sizeof(void*); 
404 
} 
405  
406 
static uint

407 
sha512_transform(void *context, const byte *data, size_t nblks) 
408 
{ 
409 
struct sha512_context *ctx = context;

410 
uint burn; 
411  
412 
do

413 
{ 
414 
burn = sha512_transform_block(&ctx>state, data) + 3 * sizeof(void*); 
415 
data += 128;

416 
} 
417 
while(nblks);

418  
419 
return burn;

420 
} 
421  
422 
/* The routine final terminates the computation and

423 
* returns the digest.

424 
* The handle is prepared for a new cycle, but adding bytes to the

425 
* handle will the destroy the returned buffer.

426 
* Returns: 64 bytes representing the digest. When used for sha384,

427 
* we take the leftmost 48 of those bytes.

428 
*/

429 
byte * 
430 
sha512_final(struct sha512_context *ctx)

431 
{ 
432 
u64 t, th, msb, lsb; 
433 
byte *p; 
434  
435 
sha256_update(&ctx>bctx, NULL, 0); /* flush */ ; 
436  
437 
t = ctx>bctx.nblocks; 
438 
/* if (sizeof t == sizeof ctx>bctx.nblocks) */

439 
th = ctx>bctx.nblocks_high; 
440 
/* else */

441 
/* th = ctx>bctx.nblocks >> 64; In case we ever use u128 */

442  
443 
/* multiply by 128 to make a byte count */

444 
lsb = t << 7;

445 
msb = (th << 7)  (t >> 57); 
446 
/* add the count */

447 
t = lsb; 
448 
if ((lsb += ctx>bctx.count) < t)

449 
msb++; 
450 
/* multiply by 8 to make a bit count */

451 
t = lsb; 
452 
lsb <<= 3;

453 
msb <<= 3;

454 
msb = t >> 61;

455  
456 
if (ctx>bctx.count < 112) 
457 
{ /* enough room */

458 
ctx>bctx.buf[ctx>bctx.count++] = 0x80; /* pad */ 
459 
while(ctx>bctx.count < 112) 
460 
ctx>bctx.buf[ctx>bctx.count++] = 0; /* pad */ 
461 
} 
462 
else

463 
{ /* need one extra block */

464 
ctx>bctx.buf[ctx>bctx.count++] = 0x80; /* pad character */ 
465 
while(ctx>bctx.count < 128) 
466 
ctx>bctx.buf[ctx>bctx.count++] = 0;

467 
sha256_update(&ctx>bctx, NULL, 0); /* flush */ ; 
468 
memset(ctx>bctx.buf, 0, 112); /* fill next block with zeroes */ 
469 
} 
470 
/* append the 128 bit count */

471 
put_u64(ctx>bctx.buf + 112, msb);

472 
put_u64(ctx>bctx.buf + 120, lsb);

473 
sha512_transform(ctx, ctx>bctx.buf, 1);

474  
475 
p = ctx>bctx.buf; 
476 
#define X(a) do { put_u64(p, ctx>state.h##a); p += 8; } while(0) 
477 
X (0);

478 
X (1);

479 
X (2);

480 
X (3);

481 
X (4);

482 
X (5);

483 
/* Note that these last two chunks are included even for SHA384.

484 
We just ignore them. */

485 
X (6);

486 
X (7);

487 
#undef X

488  
489 
return ctx>bctx.buf;

490 
} 
491  
492  
493 
/*

494 
* SHA512HMAC

495 
*/

496  
497 
static void 
498 
sha512_hash_buffer(byte *outbuf, const byte *buffer, size_t length)

499 
{ 
500 
struct sha512_context hd_tmp;

501  
502 
sha512_init(&hd_tmp); 
503 
sha512_update(&hd_tmp, buffer, length); 
504 
memcpy(outbuf, sha512_final(&hd_tmp), SHA512_SIZE); 
505 
} 
506  
507 
void

508 
sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen) 
509 
{ 
510 
byte keybuf[SHA512_BLOCK_SIZE], buf[SHA512_BLOCK_SIZE]; 
511  
512 
/* Hash the key if necessary */

513 
if (keylen <= SHA512_BLOCK_SIZE)

514 
{ 
515 
memcpy(keybuf, key, keylen); 
516 
bzero(keybuf + keylen, SHA512_BLOCK_SIZE  keylen); 
517 
} 
518 
else

519 
{ 
520 
sha512_hash_buffer(keybuf, key, keylen); 
521 
bzero(keybuf + SHA512_SIZE, SHA512_BLOCK_SIZE  SHA512_SIZE); 
522 
} 
523  
524 
/* Initialize the inner digest */

525 
sha512_init(&ctx>ictx); 
526 
int i;

527 
for (i = 0; i < SHA512_BLOCK_SIZE; i++) 
528 
buf[i] = keybuf[i] ^ 0x36;

529 
sha512_update(&ctx>ictx, buf, SHA512_BLOCK_SIZE); 
530  
531 
/* Initialize the outer digest */

532 
sha512_init(&ctx>octx); 
533 
for (i = 0; i < SHA512_BLOCK_SIZE; i++) 
534 
buf[i] = keybuf[i] ^ 0x5c;

535 
sha512_update(&ctx>octx, buf, SHA512_BLOCK_SIZE); 
536 
} 
537  
538 
void sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen) 
539 
{ 
540 
/* Just update the inner digest */

541 
sha512_update(&ctx>ictx, buf, buflen); 
542 
} 
543  
544 
byte *sha512_hmac_final(struct sha512_hmac_context *ctx)

545 
{ 
546 
/* Finish the inner digest */

547 
byte *isha = sha512_final(&ctx>ictx); 
548  
549 
/* Finish the outer digest */

550 
sha512_update(&ctx>octx, isha, SHA512_SIZE); 
551 
return sha512_final(&ctx>octx);

552 
} 
553  
554  
555 
/*

556 
* SHA384HMAC

557 
*/

558  
559 
static void 
560 
sha384_hash_buffer(byte *outbuf, const byte *buffer, size_t length)

561 
{ 
562 
struct sha384_context hd_tmp;

563  
564 
sha384_init(&hd_tmp); 
565 
sha384_update(&hd_tmp, buffer, length); 
566 
memcpy(outbuf, sha384_final(&hd_tmp), SHA384_SIZE); 
567 
} 
568  
569 
void

570 
sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen) 
571 
{ 
572 
byte keybuf[SHA384_BLOCK_SIZE], buf[SHA384_BLOCK_SIZE]; 
573  
574 
/* Hash the key if necessary */

575 
if (keylen <= SHA384_BLOCK_SIZE)

576 
{ 
577 
memcpy(keybuf, key, keylen); 
578 
bzero(keybuf + keylen, SHA384_BLOCK_SIZE  keylen); 
579 
} 
580 
else

581 
{ 
582 
sha384_hash_buffer(keybuf, key, keylen); 
583 
bzero(keybuf + SHA384_SIZE, SHA384_BLOCK_SIZE  SHA384_SIZE); 
584 
} 
585  
586 
/* Initialize the inner digest */

587 
sha384_init(&ctx>ictx); 
588 
int i;

589 
for (i = 0; i < SHA384_BLOCK_SIZE; i++) 
590 
buf[i] = keybuf[i] ^ 0x36;

591 
sha384_update(&ctx>ictx, buf, SHA384_BLOCK_SIZE); 
592  
593 
/* Initialize the outer digest */

594 
sha384_init(&ctx>octx); 
595 
for (i = 0; i < SHA384_BLOCK_SIZE; i++) 
596 
buf[i] = keybuf[i] ^ 0x5c;

597 
sha384_update(&ctx>octx, buf, SHA384_BLOCK_SIZE); 
598 
} 
599  
600 
void sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen) 
601 
{ 
602 
/* Just update the inner digest */

603 
sha384_update(&ctx>ictx, buf, buflen); 
604 
} 
605  
606 
byte *sha384_hmac_final(struct sha384_hmac_context *ctx)

607 
{ 
608 
/* Finish the inner digest */

609 
byte *isha = sha384_final(&ctx>ictx); 
610  
611 
/* Finish the outer digest */

612 
sha384_update(&ctx>octx, isha, SHA384_SIZE); 
613 
return sha384_final(&ctx>octx);

614 
} 