1 /*************************** sha384-512.c ***************************/
2 /********************* See RFC 4634 for details *********************/
3 /*
4 * Description:
5 * This file implements the Secure Hash Signature Standard
6 * algorithms as defined in the National Institute of Standards
7 * and Technology Federal Information Processing Standards
8 * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
9 * published on August 1, 2002, and the FIPS PUB 180-2 Change
10 * Notice published on February 28, 2004.
11 *
12 * A combined document showing all algorithms is available at
13 * http://csrc.nist.gov/publications/fips/
14 * fips180-2/fips180-2withchangenotice.pdf
15 *
16 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
17 * message digests for a given data stream. It should take about
18 * 2**n steps to find a message with the same digest as a given
19 * message and 2**(n/2) to find any two messages with the same
20 * digest, when n is the digest size in bits. Therefore, this
21 * algorithm can serve as a means of providing a
22 * "fingerprint" for a message.
23 *
24 * Portability Issues:
25 * SHA-384 and SHA-512 are defined in terms of 64-bit "words",
26 * but if USE_32BIT_ONLY is #defined, this code is implemented in
27 * terms of 32-bit "words". This code uses <stdint.h> (included
28 * via "sha.h") to define the 64, 32 and 8 bit unsigned integer
29 * types. If your C compiler does not support 64 bit unsigned
30 * integers, and you do not #define USE_32BIT_ONLY, this code is
31 * not appropriate.
32 *
33 * Caveats:
34 * SHA-384 and SHA-512 are designed to work with messages less
35 * than 2^128 bits long. This implementation uses
36 * SHA384/512Input() to hash the bits that are a multiple of the
37 * size of an 8-bit character, and then uses SHA384/256FinalBits()
38 * to hash the final few bits of the input.
39 *
40 */
41
42 #include "sha.h"
43 #include "sha-private.h"
44
45 #ifdef USE_32BIT_ONLY
46 /*
47 * Define 64-bit arithmetic in terms of 32-bit arithmetic.
48 * Each 64-bit number is represented in a 2-word array.
49 * All macros are defined such that the result is the last parameter.
50 */
51
52 /*
53 * Define shift, rotate left and rotate right functions
54 */
55 #define SHA512_SHR(bits, word, ret) ( \
56 /* (((uint64_t)((word))) >> (bits)) */ \
57 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \
58 ((word)[0] >> (bits)) : 0, \
59 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \
60 ((bits) == 32) ? (word)[0] : \
61 ((bits) >= 0) ? \
62 (((word)[0] << (32 - (bits))) | \
63 ((word)[1] >> (bits))) : 0 )
64
65 #define SHA512_SHL(bits, word, ret) ( \
66 /* (((uint64_t)(word)) << (bits)) */ \
67 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \
68 ((bits) == 32) ? (word)[1] : \
69 ((bits) >= 0) ? \
70 (((word)[0] << (bits)) | \
71 ((word)[1] >> (32 - (bits)))) : \
72 0, \
73 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \
74 ((word)[1] << (bits)) : 0 )
75
76 /*
77 * Define 64-bit OR
78 */
79 #define SHA512_OR(word1, word2, ret) ( \
80 (ret)[0] = (word1)[0] | (word2)[0], \
81 (ret)[1] = (word1)[1] | (word2)[1] )
82
83 /*
84 * Define 64-bit XOR
85 */
86 #define SHA512_XOR(word1, word2, ret) ( \
87 (ret)[0] = (word1)[0] ^ (word2)[0], \
88 (ret)[1] = (word1)[1] ^ (word2)[1] )
89
90 /*
91 * Define 64-bit AND
92 */
93 #define SHA512_AND(word1, word2, ret) ( \
94 (ret)[0] = (word1)[0] & (word2)[0], \
95 (ret)[1] = (word1)[1] & (word2)[1] )
96
97 /*
98 * Define 64-bit TILDA
99 */
100 #define SHA512_TILDA(word, ret) \
101 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
102
103 /*
104 * Define 64-bit ADD
105 */
106 #define SHA512_ADD(word1, word2, ret) ( \
107 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \
108 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
109
110 /*
111 * Add the 4word value in word2 to word1.
112 */
113 static uint32_t ADDTO4_temp, ADDTO4_temp2;
114 #define SHA512_ADDTO4(word1, word2) ( \
115 ADDTO4_temp = (word1)[3], \
116 (word1)[3] += (word2)[3], \
117 ADDTO4_temp2 = (word1)[2], \
118 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \
119 ADDTO4_temp = (word1)[1], \
120 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \
121 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )
122
123 /*
124 * Add the 2word value in word2 to word1.
125 */
126 static uint32_t ADDTO2_temp;
127 #define SHA512_ADDTO2(word1, word2) ( \
128 ADDTO2_temp = (word1)[1], \
129 (word1)[1] += (word2)[1], \
130 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
131
132 /*
133 * SHA rotate ((word >> bits) | (word << (64-bits)))
134 */
135 static uint32_t ROTR_temp1[2], ROTR_temp2[2];
136 #define SHA512_ROTR(bits, word, ret) ( \
137 SHA512_SHR((bits), (word), ROTR_temp1), \
138 SHA512_SHL(64-(bits), (word), ROTR_temp2), \
139 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
140
141 /*
142 * Define the SHA SIGMA and sigma macros
143 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
144 */
145 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
146 SIGMA0_temp3[2], SIGMA0_temp4[2];
147 #define SHA512_SIGMA0(word, ret) ( \
148 SHA512_ROTR(28, (word), SIGMA0_temp1), \
149 SHA512_ROTR(34, (word), SIGMA0_temp2), \
150 SHA512_ROTR(39, (word), SIGMA0_temp3), \
151 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \
152 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
153
154 /*
155 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
156 */
157 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
158 SIGMA1_temp3[2], SIGMA1_temp4[2];
159 #define SHA512_SIGMA1(word, ret) ( \
160 SHA512_ROTR(14, (word), SIGMA1_temp1), \
161 SHA512_ROTR(18, (word), SIGMA1_temp2), \
162 SHA512_ROTR(41, (word), SIGMA1_temp3), \
163 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \
164 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
165
166 /*
167 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
168 */
169 static uint32_t sigma0_temp1[2], sigma0_temp2[2],
170 sigma0_temp3[2], sigma0_temp4[2];
171 #define SHA512_sigma0(word, ret) ( \
172 SHA512_ROTR( 1, (word), sigma0_temp1), \
173 SHA512_ROTR( 8, (word), sigma0_temp2), \
174 SHA512_SHR( 7, (word), sigma0_temp3), \
175 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \
176 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
177
178 /*
179 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
180 */
181 static uint32_t sigma1_temp1[2], sigma1_temp2[2],
182 sigma1_temp3[2], sigma1_temp4[2];
183 #define SHA512_sigma1(word, ret) ( \
184 SHA512_ROTR(19, (word), sigma1_temp1), \
185 SHA512_ROTR(61, (word), sigma1_temp2), \
186 SHA512_SHR( 6, (word), sigma1_temp3), \
187 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \
188 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
189
190 #undef SHA_Ch
191 #undef SHA_Maj
192
193 #ifndef USE_MODIFIED_MACROS
194 /*
195 * These definitions are the ones used in FIPS-180-2, section 4.1.3
196 * Ch(x,y,z) ((x & y) ^ (~x & z))
197 */
198 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
199 #define SHA_Ch(x, y, z, ret) ( \
200 SHA512_AND(x, y, Ch_temp1), \
201 SHA512_TILDA(x, Ch_temp2), \
202 SHA512_AND(Ch_temp2, z, Ch_temp3), \
203 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
204 /*
205 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
206 */
207 static uint32_t Maj_temp1[2], Maj_temp2[2], Maj_temp3[2], Maj_temp4[2];
208 #define SHA_Maj(x, y, z, ret) ( \
209 SHA512_AND(x, y, Maj_temp1), \
210 SHA512_AND(x, z, Maj_temp2), \
211 SHA512_AND(y, z, Maj_temp3), \
212 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \
213 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
214
215 #else /* !USE_32BIT_ONLY */
216 /*
217 * These definitions are potentially faster equivalents for the ones
218 * used in FIPS-180-2, section 4.1.3.
219 * ((x & y) ^ (~x & z)) becomes
220 * ((x & (y ^ z)) ^ z)
221 */
222 #define SHA_Ch(x, y, z, ret) ( \
223 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \
224 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
225
226 /*
227 * ((x & y) ^ (x & z) ^ (y & z)) becomes
228 * ((x & (y | z)) | (y & z))
229 */
230 #define SHA_Maj(x, y, z, ret) ( \
231 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
232 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
233 #endif /* USE_MODIFIED_MACROS */
234
235 /*
236 * add "length" to the length
237 */
238 static uint32_t addTemp[4] = { 0, 0, 0, 0 };
239
240 #define SHA384_512AddLength(context, length) ( \
241 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
242 (context)->Corrupted = (((context)->Length[3] == 0) && \
243 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \
244 ((context)->Length[0] < 8)) ? 1 : 0 )
245
246 /* Local Function Prototypes */
247 static void SHA384_512Finalize (SHA512Context * context, uint8_t Pad_Byte);
248 static void SHA384_512PadMessage (SHA512Context * context, uint8_t Pad_Byte);
249 static void SHA384_512ProcessMessageBlock (SHA512Context * context);
250 static int SHA384_512Reset (SHA512Context * context, uint32_t H0[]);
251 static int SHA384_512ResultN (SHA512Context * context,
252 uint8_t Message_Digest[], int HashSize);
253
254 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
255 static uint32_t SHA384_H0[SHA512HashSize / 4] = {
256 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
257 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
258 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
259 0xBEFA4FA4
260 };
261
262 static uint32_t SHA512_H0[SHA512HashSize / 4] = {
263 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
264 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
265 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
266 0x137E2179
267 };
268
269 #else /* !USE_32BIT_ONLY */
270
271 /* Define the SHA shift, rotate left and rotate right macro */
272 #define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits))
273 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
274 (((uint64_t)(word)) << (64-(bits))))
275
276 /* Define the SHA SIGMA and sigma macros */
277 #define SHA512_SIGMA0(word) \
278 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
279 #define SHA512_SIGMA1(word) \
280 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
281 #define SHA512_sigma0(word) \
282 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
283 #define SHA512_sigma1(word) \
284 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
285
286 /*
287 * add "length" to the length
288 */
289 static uint64_t addTemp;
290 #define SHA384_512AddLength(context, length) \
291 (addTemp = context->Length_Low, context->Corrupted = \
292 ((context->Length_Low += length) < addTemp) && \
293 (++context->Length_High == 0) ? 1 : 0)
294
295 /* Local Function Prototypes */
296 static void SHA384_512Finalize (SHA512Context * context, uint8_t Pad_Byte);
297 static void SHA384_512PadMessage (SHA512Context * context, uint8_t Pad_Byte);
298 static void SHA384_512ProcessMessageBlock (SHA512Context * context);
299 static int SHA384_512Reset (SHA512Context * context, uint64_t H0[]);
300 static int SHA384_512ResultN (SHA512Context * context,
301 uint8_t Message_Digest[], int HashSize);
302
303 /* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
304 static uint64_t SHA384_H0[] = {
305 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll,
306 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll,
307 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll
308 };
309
310 static uint64_t SHA512_H0[] = {
311 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll,
312 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll,
313 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll
314 };
315
316 #endif /* USE_32BIT_ONLY */
317
318 /*
319 * SHA384Reset
320 *
321 * Description:
322 * This function will initialize the SHA384Context in preparation
323 * for computing a new SHA384 message digest.
324 *
325 * Parameters:
326 * context: [in/out]
327 * The context to reset.
328 *
329 * Returns:
330 * sha Error Code.
331 *
332 */
333 int
SHA384Reset(SHA384Context * context)334 SHA384Reset (SHA384Context * context)
335 {
336 return SHA384_512Reset (context, SHA384_H0);
337 }
338
339 /*
340 * SHA384Input
341 *
342 * Description:
343 * This function accepts an array of octets as the next portion
344 * of the message.
345 *
346 * Parameters:
347 * context: [in/out]
348 * The SHA context to update
349 * message_array: [in]
350 * An array of characters representing the next portion of
351 * the message.
352 * length: [in]
353 * The length of the message in message_array
354 *
355 * Returns:
356 * sha Error Code.
357 *
358 */
359 int
SHA384Input(SHA384Context * context,const uint8_t * message_array,unsigned int length)360 SHA384Input (SHA384Context * context,
361 const uint8_t * message_array, unsigned int length)
362 {
363 return SHA512Input (context, message_array, length);
364 }
365
366 /*
367 * SHA384FinalBits
368 *
369 * Description:
370 * This function will add in any final bits of the message.
371 *
372 * Parameters:
373 * context: [in/out]
374 * The SHA context to update
375 * message_bits: [in]
376 * The final bits of the message, in the upper portion of the
377 * byte. (Use 0b###00000 instead of 0b00000### to input the
378 * three bits ###.)
379 * length: [in]
380 * The number of bits in message_bits, between 1 and 7.
381 *
382 * Returns:
383 * sha Error Code.
384 *
385 */
386 int
SHA384FinalBits(SHA384Context * context,const uint8_t message_bits,unsigned int length)387 SHA384FinalBits (SHA384Context * context,
388 const uint8_t message_bits, unsigned int length)
389 {
390 return SHA512FinalBits (context, message_bits, length);
391 }
392
393 /*
394 * SHA384Result
395 *
396 * Description:
397 * This function will return the 384-bit message
398 * digest into the Message_Digest array provided by the caller.
399 * NOTE: The first octet of hash is stored in the 0th element,
400 * the last octet of hash in the 48th element.
401 *
402 * Parameters:
403 * context: [in/out]
404 * The context to use to calculate the SHA hash.
405 * Message_Digest: [out]
406 * Where the digest is returned.
407 *
408 * Returns:
409 * sha Error Code.
410 *
411 */
412 int
SHA384Result(SHA384Context * context,uint8_t Message_Digest[SHA384HashSize])413 SHA384Result (SHA384Context * context, uint8_t Message_Digest[SHA384HashSize])
414 {
415 return SHA384_512ResultN (context, Message_Digest, SHA384HashSize);
416 }
417
418 /*
419 * SHA512Reset
420 *
421 * Description:
422 * This function will initialize the SHA512Context in preparation
423 * for computing a new SHA512 message digest.
424 *
425 * Parameters:
426 * context: [in/out]
427 * The context to reset.
428 *
429 * Returns:
430 * sha Error Code.
431 *
432 */
433 int
SHA512Reset(SHA512Context * context)434 SHA512Reset (SHA512Context * context)
435 {
436 return SHA384_512Reset (context, SHA512_H0);
437 }
438
439 /*
440 * SHA512Input
441 *
442 * Description:
443 * This function accepts an array of octets as the next portion
444 * of the message.
445 *
446 * Parameters:
447 * context: [in/out]
448 * The SHA context to update
449 * message_array: [in]
450 * An array of characters representing the next portion of
451 * the message.
452 * length: [in]
453 * The length of the message in message_array
454 *
455 * Returns:
456 * sha Error Code.
457 *
458 */
459 int
SHA512Input(SHA512Context * context,const uint8_t * message_array,unsigned int length)460 SHA512Input (SHA512Context * context,
461 const uint8_t * message_array, unsigned int length)
462 {
463 if (!length)
464 return shaSuccess;
465
466 if (!context || !message_array)
467 return shaNull;
468
469 if (context->Computed)
470 {
471 context->Corrupted = shaStateError;
472 return shaStateError;
473 }
474
475 if (context->Corrupted)
476 return context->Corrupted;
477
478 while (length-- && !context->Corrupted)
479 {
480 context->Message_Block[context->Message_Block_Index++] =
481 (*message_array & 0xFF);
482
483 if (!SHA384_512AddLength (context, 8) &&
484 (context->Message_Block_Index == SHA512_Message_Block_Size))
485 SHA384_512ProcessMessageBlock (context);
486
487 message_array++;
488 }
489
490 return shaSuccess;
491 }
492
493 /*
494 * SHA512FinalBits
495 *
496 * Description:
497 * This function will add in any final bits of the message.
498 *
499 * Parameters:
500 * context: [in/out]
501 * The SHA context to update
502 * message_bits: [in]
503 * The final bits of the message, in the upper portion of the
504 * byte. (Use 0b###00000 instead of 0b00000### to input the
505 * three bits ###.)
506 * length: [in]
507 * The number of bits in message_bits, between 1 and 7.
508 *
509 * Returns:
510 * sha Error Code.
511 *
512 */
513 int
SHA512FinalBits(SHA512Context * context,const uint8_t message_bits,unsigned int length)514 SHA512FinalBits (SHA512Context * context,
515 const uint8_t message_bits, unsigned int length)
516 {
517 uint8_t masks[8] = {
518 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
519 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
520 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
521 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
522 };
523 uint8_t markbit[8] = {
524 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
525 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
526 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
527 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
528 };
529
530 if (!length)
531 return shaSuccess;
532
533 if (!context)
534 return shaNull;
535
536 if ((context->Computed) || (length >= 8) || (length == 0))
537 {
538 context->Corrupted = shaStateError;
539 return shaStateError;
540 }
541
542 if (context->Corrupted)
543 return context->Corrupted;
544
545 SHA384_512AddLength (context, length);
546 SHA384_512Finalize (context, (uint8_t)
547 ((message_bits & masks[length]) | markbit[length]));
548
549 return shaSuccess;
550 }
551
552 /*
553 * SHA384_512Finalize
554 *
555 * Description:
556 * This helper function finishes off the digest calculations.
557 *
558 * Parameters:
559 * context: [in/out]
560 * The SHA context to update
561 * Pad_Byte: [in]
562 * The last byte to add to the digest before the 0-padding
563 * and length. This will contain the last bits of the message
564 * followed by another single bit. If the message was an
565 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
566 *
567 * Returns:
568 * sha Error Code.
569 *
570 */
571 static void
SHA384_512Finalize(SHA512Context * context,uint8_t Pad_Byte)572 SHA384_512Finalize (SHA512Context * context, uint8_t Pad_Byte)
573 {
574 int_least16_t i;
575 SHA384_512PadMessage (context, Pad_Byte);
576 /* message may be sensitive, clear it out */
577 for (i = 0; i < SHA512_Message_Block_Size; ++i)
578 context->Message_Block[i] = 0;
579 #ifdef USE_32BIT_ONLY /* and clear length */
580 context->Length[0] = context->Length[1] = 0;
581 context->Length[2] = context->Length[3] = 0;
582 #else /* !USE_32BIT_ONLY */
583 context->Length_Low = 0;
584 context->Length_High = 0;
585 #endif /* USE_32BIT_ONLY */
586 context->Computed = 1;
587 }
588
589 /*
590 * SHA512Result
591 *
592 * Description:
593 * This function will return the 512-bit message
594 * digest into the Message_Digest array provided by the caller.
595 * NOTE: The first octet of hash is stored in the 0th element,
596 * the last octet of hash in the 64th element.
597 *
598 * Parameters:
599 * context: [in/out]
600 * The context to use to calculate the SHA hash.
601 * Message_Digest: [out]
602 * Where the digest is returned.
603 *
604 * Returns:
605 * sha Error Code.
606 *
607 */
608 int
SHA512Result(SHA512Context * context,uint8_t Message_Digest[SHA512HashSize])609 SHA512Result (SHA512Context * context, uint8_t Message_Digest[SHA512HashSize])
610 {
611 return SHA384_512ResultN (context, Message_Digest, SHA512HashSize);
612 }
613
614 /*
615 * SHA384_512PadMessage
616 *
617 * Description:
618 * According to the standard, the message must be padded to an
619 * even 1024 bits. The first padding bit must be a '1'. The
620 * last 128 bits represent the length of the original message.
621 * All bits in between should be 0. This helper function will
622 * pad the message according to those rules by filling the
623 * Message_Block array accordingly. When it returns, it can be
624 * assumed that the message digest has been computed.
625 *
626 * Parameters:
627 * context: [in/out]
628 * The context to pad
629 * Pad_Byte: [in]
630 * The last byte to add to the digest before the 0-padding
631 * and length. This will contain the last bits of the message
632 * followed by another single bit. If the message was an
633 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
634 *
635 * Returns:
636 * Nothing.
637 *
638 */
639 static void
SHA384_512PadMessage(SHA512Context * context,uint8_t Pad_Byte)640 SHA384_512PadMessage (SHA512Context * context, uint8_t Pad_Byte)
641 {
642 /*
643 * Check to see if the current message block is too small to hold
644 * the initial padding bits and length. If so, we will pad the
645 * block, process it, and then continue padding into a second
646 * block.
647 */
648 if (context->Message_Block_Index >= (SHA512_Message_Block_Size - 16))
649 {
650 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
651 while (context->Message_Block_Index < SHA512_Message_Block_Size)
652 context->Message_Block[context->Message_Block_Index++] = 0;
653
654 SHA384_512ProcessMessageBlock (context);
655 }
656 else
657 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
658
659 while (context->Message_Block_Index < (SHA512_Message_Block_Size - 16))
660 context->Message_Block[context->Message_Block_Index++] = 0;
661
662 /*
663 * Store the message length as the last 16 octets
664 */
665 #ifdef USE_32BIT_ONLY
666 context->Message_Block[112] = (uint8_t) (context->Length[0] >> 24);
667 context->Message_Block[113] = (uint8_t) (context->Length[0] >> 16);
668 context->Message_Block[114] = (uint8_t) (context->Length[0] >> 8);
669 context->Message_Block[115] = (uint8_t) (context->Length[0]);
670 context->Message_Block[116] = (uint8_t) (context->Length[1] >> 24);
671 context->Message_Block[117] = (uint8_t) (context->Length[1] >> 16);
672 context->Message_Block[118] = (uint8_t) (context->Length[1] >> 8);
673 context->Message_Block[119] = (uint8_t) (context->Length[1]);
674
675 context->Message_Block[120] = (uint8_t) (context->Length[2] >> 24);
676 context->Message_Block[121] = (uint8_t) (context->Length[2] >> 16);
677 context->Message_Block[122] = (uint8_t) (context->Length[2] >> 8);
678 context->Message_Block[123] = (uint8_t) (context->Length[2]);
679 context->Message_Block[124] = (uint8_t) (context->Length[3] >> 24);
680 context->Message_Block[125] = (uint8_t) (context->Length[3] >> 16);
681 context->Message_Block[126] = (uint8_t) (context->Length[3] >> 8);
682 context->Message_Block[127] = (uint8_t) (context->Length[3]);
683 #else /* !USE_32BIT_ONLY */
684 context->Message_Block[112] = (uint8_t) (context->Length_High >> 56);
685 context->Message_Block[113] = (uint8_t) (context->Length_High >> 48);
686 context->Message_Block[114] = (uint8_t) (context->Length_High >> 40);
687 context->Message_Block[115] = (uint8_t) (context->Length_High >> 32);
688 context->Message_Block[116] = (uint8_t) (context->Length_High >> 24);
689 context->Message_Block[117] = (uint8_t) (context->Length_High >> 16);
690 context->Message_Block[118] = (uint8_t) (context->Length_High >> 8);
691 context->Message_Block[119] = (uint8_t) (context->Length_High);
692
693 context->Message_Block[120] = (uint8_t) (context->Length_Low >> 56);
694 context->Message_Block[121] = (uint8_t) (context->Length_Low >> 48);
695 context->Message_Block[122] = (uint8_t) (context->Length_Low >> 40);
696 context->Message_Block[123] = (uint8_t) (context->Length_Low >> 32);
697 context->Message_Block[124] = (uint8_t) (context->Length_Low >> 24);
698 context->Message_Block[125] = (uint8_t) (context->Length_Low >> 16);
699 context->Message_Block[126] = (uint8_t) (context->Length_Low >> 8);
700 context->Message_Block[127] = (uint8_t) (context->Length_Low);
701 #endif /* USE_32BIT_ONLY */
702
703 SHA384_512ProcessMessageBlock (context);
704 }
705
706 /*
707 * SHA384_512ProcessMessageBlock
708 *
709 * Description:
710 * This helper function will process the next 1024 bits of the
711 * message stored in the Message_Block array.
712 *
713 * Parameters:
714 * context: [in/out]
715 * The SHA context to update
716 *
717 * Returns:
718 * Nothing.
719 *
720 * Comments:
721 * Many of the variable names in this code, especially the
722 * single character names, were used because those were the
723 * names used in the publication.
724 *
725 *
726 */
727 static void
SHA384_512ProcessMessageBlock(SHA512Context * context)728 SHA384_512ProcessMessageBlock (SHA512Context * context)
729 {
730 /* Constants defined in FIPS-180-2, section 4.2.3 */
731 #ifdef USE_32BIT_ONLY
732 static const uint32_t K[80 * 2] = {
733 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
734 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
735 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
736 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
737 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
738 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
739 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
740 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
741 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
742 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
743 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,
744 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
745 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
746 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
747 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
748 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
749 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
750 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
751 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
752 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
753 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
754 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
755 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
756 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
757 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
758 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
759 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
760 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
761 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
762 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
763 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
764 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
765 };
766 int t, t2, t8; /* Loop counter */
767 uint32_t temp1[2], temp2[2], /* Temporary word values */
768 temp3[2], temp4[2], temp5[2];
769 uint32_t W[2 * 80]; /* Word sequence */
770 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */
771 E[2], F[2], G[2], H[2];
772
773 /* Initialize the first 16 words in the array W */
774 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8)
775 {
776 W[t2++] = ((((uint32_t) context->Message_Block[t8])) << 24) |
777 ((((uint32_t) context->Message_Block[t8 + 1])) << 16) |
778 ((((uint32_t) context->Message_Block[t8 + 2])) << 8) |
779 ((((uint32_t) context->Message_Block[t8 + 3])));
780 W[t2++] = ((((uint32_t) context->Message_Block[t8 + 4])) << 24) |
781 ((((uint32_t) context->Message_Block[t8 + 5])) << 16) |
782 ((((uint32_t) context->Message_Block[t8 + 6])) << 8) |
783 ((((uint32_t) context->Message_Block[t8 + 7])));
784 }
785
786 for (t = 16; t < 80; t++, t2 += 2)
787 {
788 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
789 SHA512_sigma0(W[t-15]) + W[t-16]; */
790 uint32_t *Wt2 = &W[t2 - 2 * 2];
791 uint32_t *Wt7 = &W[t2 - 7 * 2];
792 uint32_t *Wt15 = &W[t2 - 15 * 2];
793 uint32_t *Wt16 = &W[t2 - 16 * 2];
794 SHA512_sigma1 (Wt2, temp1);
795 SHA512_ADD (temp1, Wt7, temp2);
796 SHA512_sigma0 (Wt15, temp1);
797 SHA512_ADD (temp1, Wt16, temp3);
798 SHA512_ADD (temp2, temp3, &W[t2]);
799 }
800
801 A[0] = context->Intermediate_Hash[0];
802 A[1] = context->Intermediate_Hash[1];
803 B[0] = context->Intermediate_Hash[2];
804 B[1] = context->Intermediate_Hash[3];
805 C[0] = context->Intermediate_Hash[4];
806 C[1] = context->Intermediate_Hash[5];
807 D[0] = context->Intermediate_Hash[6];
808 D[1] = context->Intermediate_Hash[7];
809 E[0] = context->Intermediate_Hash[8];
810 E[1] = context->Intermediate_Hash[9];
811 F[0] = context->Intermediate_Hash[10];
812 F[1] = context->Intermediate_Hash[11];
813 G[0] = context->Intermediate_Hash[12];
814 G[1] = context->Intermediate_Hash[13];
815 H[0] = context->Intermediate_Hash[14];
816 H[1] = context->Intermediate_Hash[15];
817
818 for (t = t2 = 0; t < 80; t++, t2 += 2)
819 {
820 /*
821 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
822 */
823 SHA512_SIGMA1 (E, temp1);
824 SHA512_ADD (H, temp1, temp2);
825 SHA_Ch (E, F, G, temp3);
826 SHA512_ADD (temp2, temp3, temp4);
827 SHA512_ADD (&K[t2], &W[t2], temp5);
828 SHA512_ADD (temp4, temp5, temp1);
829 /*
830 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
831 */
832 SHA512_SIGMA0 (A, temp3);
833 SHA_Maj (A, B, C, temp4);
834 SHA512_ADD (temp3, temp4, temp2);
835 H[0] = G[0];
836 H[1] = G[1];
837 G[0] = F[0];
838 G[1] = F[1];
839 F[0] = E[0];
840 F[1] = E[1];
841 SHA512_ADD (D, temp1, E);
842 D[0] = C[0];
843 D[1] = C[1];
844 C[0] = B[0];
845 C[1] = B[1];
846 B[0] = A[0];
847 B[1] = A[1];
848 SHA512_ADD (temp1, temp2, A);
849 }
850
851 SHA512_ADDTO2 (&context->Intermediate_Hash[0], A);
852 SHA512_ADDTO2 (&context->Intermediate_Hash[2], B);
853 SHA512_ADDTO2 (&context->Intermediate_Hash[4], C);
854 SHA512_ADDTO2 (&context->Intermediate_Hash[6], D);
855 SHA512_ADDTO2 (&context->Intermediate_Hash[8], E);
856 SHA512_ADDTO2 (&context->Intermediate_Hash[10], F);
857 SHA512_ADDTO2 (&context->Intermediate_Hash[12], G);
858 SHA512_ADDTO2 (&context->Intermediate_Hash[14], H);
859
860 #else /* !USE_32BIT_ONLY */
861 static const uint64_t K[80] = {
862 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll,
863 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll,
864 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll,
865 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll,
866 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll,
867 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll,
868 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll,
869 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll,
870 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll,
871 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll,
872 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll,
873 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll,
874 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll,
875 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll,
876 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll,
877 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll,
878 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll,
879 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll,
880 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll,
881 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll,
882 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll,
883 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll,
884 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll,
885 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll,
886 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll,
887 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All,
888 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll
889 };
890 int t, t8; /* Loop counter */
891 uint64_t temp1, temp2; /* Temporary word value */
892 uint64_t W[80]; /* Word sequence */
893 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */
894
895 /*
896 * Initialize the first 16 words in the array W
897 */
898 for (t = t8 = 0; t < 16; t++, t8 += 8)
899 W[t] = ((uint64_t) (context->Message_Block[t8]) << 56) |
900 ((uint64_t) (context->Message_Block[t8 + 1]) << 48) |
901 ((uint64_t) (context->Message_Block[t8 + 2]) << 40) |
902 ((uint64_t) (context->Message_Block[t8 + 3]) << 32) |
903 ((uint64_t) (context->Message_Block[t8 + 4]) << 24) |
904 ((uint64_t) (context->Message_Block[t8 + 5]) << 16) |
905 ((uint64_t) (context->Message_Block[t8 + 6]) << 8) |
906 ((uint64_t) (context->Message_Block[t8 + 7]));
907
908 for (t = 16; t < 80; t++)
909 W[t] = SHA512_sigma1 (W[t - 2]) + W[t - 7] +
910 SHA512_sigma0 (W[t - 15]) + W[t - 16];
911
912 A = context->Intermediate_Hash[0];
913 B = context->Intermediate_Hash[1];
914 C = context->Intermediate_Hash[2];
915 D = context->Intermediate_Hash[3];
916 E = context->Intermediate_Hash[4];
917 F = context->Intermediate_Hash[5];
918 G = context->Intermediate_Hash[6];
919 H = context->Intermediate_Hash[7];
920
921 for (t = 0; t < 80; t++)
922 {
923 temp1 = H + SHA512_SIGMA1 (E) + SHA_Ch (E, F, G) + K[t] + W[t];
924 temp2 = SHA512_SIGMA0 (A) + SHA_Maj (A, B, C);
925 H = G;
926 G = F;
927 F = E;
928 E = D + temp1;
929 D = C;
930 C = B;
931 B = A;
932 A = temp1 + temp2;
933 }
934
935 context->Intermediate_Hash[0] += A;
936 context->Intermediate_Hash[1] += B;
937 context->Intermediate_Hash[2] += C;
938 context->Intermediate_Hash[3] += D;
939 context->Intermediate_Hash[4] += E;
940 context->Intermediate_Hash[5] += F;
941 context->Intermediate_Hash[6] += G;
942 context->Intermediate_Hash[7] += H;
943 #endif /* USE_32BIT_ONLY */
944
945 context->Message_Block_Index = 0;
946 }
947
948 /*
949 * SHA384_512Reset
950 *
951 * Description:
952 * This helper function will initialize the SHA512Context in
953 * preparation for computing a new SHA384 or SHA512 message
954 * digest.
955 *
956 * Parameters:
957 * context: [in/out]
958 * The context to reset.
959 * H0
960 * The initial hash value to use.
961 *
962 * Returns:
963 * sha Error Code.
964 *
965 */
966 #ifdef USE_32BIT_ONLY
967 static int
SHA384_512Reset(SHA512Context * context,uint32_t H0[])968 SHA384_512Reset (SHA512Context * context, uint32_t H0[])
969 #else /* !USE_32BIT_ONLY */
970 static int
971 SHA384_512Reset (SHA512Context * context, uint64_t H0[])
972 #endif /* USE_32BIT_ONLY */
973 {
974 int i;
975 if (!context)
976 return shaNull;
977
978 context->Message_Block_Index = 0;
979
980 #ifdef USE_32BIT_ONLY
981 context->Length[0] = context->Length[1] = 0;
982 context->Length[2] = context->Length[3] = 0;
983
984 for (i = 0; i < SHA512HashSize / 4; i++)
985 context->Intermediate_Hash[i] = H0[i];
986 #else /* !USE_32BIT_ONLY */
987 context->Length_High = context->Length_Low = 0;
988
989 for (i = 0; i < SHA512HashSize / 8; i++)
990 context->Intermediate_Hash[i] = H0[i];
991 #endif /* USE_32BIT_ONLY */
992
993 context->Computed = 0;
994 context->Corrupted = 0;
995
996 return shaSuccess;
997 }
998
999 /*
1000 * SHA384_512ResultN
1001 *
1002 * Description:
1003 * This helper function will return the 384-bit or 512-bit message
1004 * digest into the Message_Digest array provided by the caller.
1005 * NOTE: The first octet of hash is stored in the 0th element,
1006 * the last octet of hash in the 48th/64th element.
1007 *
1008 * Parameters:
1009 * context: [in/out]
1010 * The context to use to calculate the SHA hash.
1011 * Message_Digest: [out]
1012 * Where the digest is returned.
1013 * HashSize: [in]
1014 * The size of the hash, either 48 or 64.
1015 *
1016 * Returns:
1017 * sha Error Code.
1018 *
1019 */
1020 static int
SHA384_512ResultN(SHA512Context * context,uint8_t Message_Digest[],int HashSize)1021 SHA384_512ResultN (SHA512Context * context,
1022 uint8_t Message_Digest[], int HashSize)
1023 {
1024 int i;
1025
1026 #ifdef USE_32BIT_ONLY
1027 int i2;
1028 #endif /* USE_32BIT_ONLY */
1029
1030 if (!context || !Message_Digest)
1031 return shaNull;
1032
1033 if (context->Corrupted)
1034 return context->Corrupted;
1035
1036 if (!context->Computed)
1037 SHA384_512Finalize (context, 0x80);
1038
1039 #ifdef USE_32BIT_ONLY
1040 for (i = i2 = 0; i < HashSize;)
1041 {
1042 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2] >> 24);
1043 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2] >> 16);
1044 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2] >> 8);
1045 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2++]);
1046 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2] >> 24);
1047 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2] >> 16);
1048 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2] >> 8);
1049 Message_Digest[i++] = (uint8_t) (context->Intermediate_Hash[i2++]);
1050 }
1051 #else /* !USE_32BIT_ONLY */
1052 for (i = 0; i < HashSize; ++i)
1053 Message_Digest[i] = (uint8_t)
1054 (context->Intermediate_Hash[i >> 3] >> 8 * (7 - (i % 8)));
1055 #endif /* USE_32BIT_ONLY */
1056
1057 return shaSuccess;
1058 }
1059