1 /* MIT License
2 *
3 * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
4 * Copyright (c) 2022-2023 HACL* Contributors
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in all
14 * copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25
26 #include "internal/Hacl_Hash_SHA2.h"
27
28
29
Hacl_Hash_SHA2_sha256_init(uint32_t * hash)30 void Hacl_Hash_SHA2_sha256_init(uint32_t *hash)
31 {
32 KRML_MAYBE_FOR8(i,
33 0U,
34 8U,
35 1U,
36 uint32_t *os = hash;
37 uint32_t x = Hacl_Hash_SHA2_h256[i];
38 os[i] = x;);
39 }
40
sha256_update(uint8_t * b,uint32_t * hash)41 static inline void sha256_update(uint8_t *b, uint32_t *hash)
42 {
43 uint32_t hash_old[8U] = { 0U };
44 uint32_t ws[16U] = { 0U };
45 memcpy(hash_old, hash, 8U * sizeof (uint32_t));
46 uint8_t *b10 = b;
47 uint32_t u = load32_be(b10);
48 ws[0U] = u;
49 uint32_t u0 = load32_be(b10 + 4U);
50 ws[1U] = u0;
51 uint32_t u1 = load32_be(b10 + 8U);
52 ws[2U] = u1;
53 uint32_t u2 = load32_be(b10 + 12U);
54 ws[3U] = u2;
55 uint32_t u3 = load32_be(b10 + 16U);
56 ws[4U] = u3;
57 uint32_t u4 = load32_be(b10 + 20U);
58 ws[5U] = u4;
59 uint32_t u5 = load32_be(b10 + 24U);
60 ws[6U] = u5;
61 uint32_t u6 = load32_be(b10 + 28U);
62 ws[7U] = u6;
63 uint32_t u7 = load32_be(b10 + 32U);
64 ws[8U] = u7;
65 uint32_t u8 = load32_be(b10 + 36U);
66 ws[9U] = u8;
67 uint32_t u9 = load32_be(b10 + 40U);
68 ws[10U] = u9;
69 uint32_t u10 = load32_be(b10 + 44U);
70 ws[11U] = u10;
71 uint32_t u11 = load32_be(b10 + 48U);
72 ws[12U] = u11;
73 uint32_t u12 = load32_be(b10 + 52U);
74 ws[13U] = u12;
75 uint32_t u13 = load32_be(b10 + 56U);
76 ws[14U] = u13;
77 uint32_t u14 = load32_be(b10 + 60U);
78 ws[15U] = u14;
79 KRML_MAYBE_FOR4(i0,
80 0U,
81 4U,
82 1U,
83 KRML_MAYBE_FOR16(i,
84 0U,
85 16U,
86 1U,
87 uint32_t k_t = Hacl_Hash_SHA2_k224_256[16U * i0 + i];
88 uint32_t ws_t = ws[i];
89 uint32_t a0 = hash[0U];
90 uint32_t b0 = hash[1U];
91 uint32_t c0 = hash[2U];
92 uint32_t d0 = hash[3U];
93 uint32_t e0 = hash[4U];
94 uint32_t f0 = hash[5U];
95 uint32_t g0 = hash[6U];
96 uint32_t h02 = hash[7U];
97 uint32_t k_e_t = k_t;
98 uint32_t
99 t1 =
100 h02
101 + ((e0 << 26U | e0 >> 6U) ^ ((e0 << 21U | e0 >> 11U) ^ (e0 << 7U | e0 >> 25U)))
102 + ((e0 & f0) ^ (~e0 & g0))
103 + k_e_t
104 + ws_t;
105 uint32_t
106 t2 =
107 ((a0 << 30U | a0 >> 2U) ^ ((a0 << 19U | a0 >> 13U) ^ (a0 << 10U | a0 >> 22U)))
108 + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0)));
109 uint32_t a1 = t1 + t2;
110 uint32_t b1 = a0;
111 uint32_t c1 = b0;
112 uint32_t d1 = c0;
113 uint32_t e1 = d0 + t1;
114 uint32_t f1 = e0;
115 uint32_t g1 = f0;
116 uint32_t h12 = g0;
117 hash[0U] = a1;
118 hash[1U] = b1;
119 hash[2U] = c1;
120 hash[3U] = d1;
121 hash[4U] = e1;
122 hash[5U] = f1;
123 hash[6U] = g1;
124 hash[7U] = h12;);
125 if (i0 < 3U)
126 {
127 KRML_MAYBE_FOR16(i,
128 0U,
129 16U,
130 1U,
131 uint32_t t16 = ws[i];
132 uint32_t t15 = ws[(i + 1U) % 16U];
133 uint32_t t7 = ws[(i + 9U) % 16U];
134 uint32_t t2 = ws[(i + 14U) % 16U];
135 uint32_t s1 = (t2 << 15U | t2 >> 17U) ^ ((t2 << 13U | t2 >> 19U) ^ t2 >> 10U);
136 uint32_t s0 = (t15 << 25U | t15 >> 7U) ^ ((t15 << 14U | t15 >> 18U) ^ t15 >> 3U);
137 ws[i] = s1 + t7 + s0 + t16;);
138 });
139 KRML_MAYBE_FOR8(i,
140 0U,
141 8U,
142 1U,
143 uint32_t *os = hash;
144 uint32_t x = hash[i] + hash_old[i];
145 os[i] = x;);
146 }
147
Hacl_Hash_SHA2_sha256_update_nblocks(uint32_t len,uint8_t * b,uint32_t * st)148 void Hacl_Hash_SHA2_sha256_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st)
149 {
150 uint32_t blocks = len / 64U;
151 for (uint32_t i = 0U; i < blocks; i++)
152 {
153 uint8_t *b0 = b;
154 uint8_t *mb = b0 + i * 64U;
155 sha256_update(mb, st);
156 }
157 }
158
159 void
Hacl_Hash_SHA2_sha256_update_last(uint64_t totlen,uint32_t len,uint8_t * b,uint32_t * hash)160 Hacl_Hash_SHA2_sha256_update_last(uint64_t totlen, uint32_t len, uint8_t *b, uint32_t *hash)
161 {
162 uint32_t blocks;
163 if (len + 8U + 1U <= 64U)
164 {
165 blocks = 1U;
166 }
167 else
168 {
169 blocks = 2U;
170 }
171 uint32_t fin = blocks * 64U;
172 uint8_t last[128U] = { 0U };
173 uint8_t totlen_buf[8U] = { 0U };
174 uint64_t total_len_bits = totlen << 3U;
175 store64_be(totlen_buf, total_len_bits);
176 uint8_t *b0 = b;
177 memcpy(last, b0, len * sizeof (uint8_t));
178 last[len] = 0x80U;
179 memcpy(last + fin - 8U, totlen_buf, 8U * sizeof (uint8_t));
180 uint8_t *last00 = last;
181 uint8_t *last10 = last + 64U;
182 uint8_t *l0 = last00;
183 uint8_t *l1 = last10;
184 uint8_t *lb0 = l0;
185 uint8_t *lb1 = l1;
186 uint8_t *last0 = lb0;
187 uint8_t *last1 = lb1;
188 sha256_update(last0, hash);
189 if (blocks > 1U)
190 {
191 sha256_update(last1, hash);
192 return;
193 }
194 }
195
Hacl_Hash_SHA2_sha256_finish(uint32_t * st,uint8_t * h)196 void Hacl_Hash_SHA2_sha256_finish(uint32_t *st, uint8_t *h)
197 {
198 uint8_t hbuf[32U] = { 0U };
199 KRML_MAYBE_FOR8(i, 0U, 8U, 1U, store32_be(hbuf + i * 4U, st[i]););
200 memcpy(h, hbuf, 32U * sizeof (uint8_t));
201 }
202
Hacl_Hash_SHA2_sha224_init(uint32_t * hash)203 void Hacl_Hash_SHA2_sha224_init(uint32_t *hash)
204 {
205 KRML_MAYBE_FOR8(i,
206 0U,
207 8U,
208 1U,
209 uint32_t *os = hash;
210 uint32_t x = Hacl_Hash_SHA2_h224[i];
211 os[i] = x;);
212 }
213
sha224_update_nblocks(uint32_t len,uint8_t * b,uint32_t * st)214 static inline void sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st)
215 {
216 Hacl_Hash_SHA2_sha256_update_nblocks(len, b, st);
217 }
218
Hacl_Hash_SHA2_sha224_update_last(uint64_t totlen,uint32_t len,uint8_t * b,uint32_t * st)219 void Hacl_Hash_SHA2_sha224_update_last(uint64_t totlen, uint32_t len, uint8_t *b, uint32_t *st)
220 {
221 Hacl_Hash_SHA2_sha256_update_last(totlen, len, b, st);
222 }
223
Hacl_Hash_SHA2_sha224_finish(uint32_t * st,uint8_t * h)224 void Hacl_Hash_SHA2_sha224_finish(uint32_t *st, uint8_t *h)
225 {
226 uint8_t hbuf[32U] = { 0U };
227 KRML_MAYBE_FOR8(i, 0U, 8U, 1U, store32_be(hbuf + i * 4U, st[i]););
228 memcpy(h, hbuf, 28U * sizeof (uint8_t));
229 }
230
Hacl_Hash_SHA2_sha512_init(uint64_t * hash)231 void Hacl_Hash_SHA2_sha512_init(uint64_t *hash)
232 {
233 KRML_MAYBE_FOR8(i,
234 0U,
235 8U,
236 1U,
237 uint64_t *os = hash;
238 uint64_t x = Hacl_Hash_SHA2_h512[i];
239 os[i] = x;);
240 }
241
sha512_update(uint8_t * b,uint64_t * hash)242 static inline void sha512_update(uint8_t *b, uint64_t *hash)
243 {
244 uint64_t hash_old[8U] = { 0U };
245 uint64_t ws[16U] = { 0U };
246 memcpy(hash_old, hash, 8U * sizeof (uint64_t));
247 uint8_t *b10 = b;
248 uint64_t u = load64_be(b10);
249 ws[0U] = u;
250 uint64_t u0 = load64_be(b10 + 8U);
251 ws[1U] = u0;
252 uint64_t u1 = load64_be(b10 + 16U);
253 ws[2U] = u1;
254 uint64_t u2 = load64_be(b10 + 24U);
255 ws[3U] = u2;
256 uint64_t u3 = load64_be(b10 + 32U);
257 ws[4U] = u3;
258 uint64_t u4 = load64_be(b10 + 40U);
259 ws[5U] = u4;
260 uint64_t u5 = load64_be(b10 + 48U);
261 ws[6U] = u5;
262 uint64_t u6 = load64_be(b10 + 56U);
263 ws[7U] = u6;
264 uint64_t u7 = load64_be(b10 + 64U);
265 ws[8U] = u7;
266 uint64_t u8 = load64_be(b10 + 72U);
267 ws[9U] = u8;
268 uint64_t u9 = load64_be(b10 + 80U);
269 ws[10U] = u9;
270 uint64_t u10 = load64_be(b10 + 88U);
271 ws[11U] = u10;
272 uint64_t u11 = load64_be(b10 + 96U);
273 ws[12U] = u11;
274 uint64_t u12 = load64_be(b10 + 104U);
275 ws[13U] = u12;
276 uint64_t u13 = load64_be(b10 + 112U);
277 ws[14U] = u13;
278 uint64_t u14 = load64_be(b10 + 120U);
279 ws[15U] = u14;
280 KRML_MAYBE_FOR5(i0,
281 0U,
282 5U,
283 1U,
284 KRML_MAYBE_FOR16(i,
285 0U,
286 16U,
287 1U,
288 uint64_t k_t = Hacl_Hash_SHA2_k384_512[16U * i0 + i];
289 uint64_t ws_t = ws[i];
290 uint64_t a0 = hash[0U];
291 uint64_t b0 = hash[1U];
292 uint64_t c0 = hash[2U];
293 uint64_t d0 = hash[3U];
294 uint64_t e0 = hash[4U];
295 uint64_t f0 = hash[5U];
296 uint64_t g0 = hash[6U];
297 uint64_t h02 = hash[7U];
298 uint64_t k_e_t = k_t;
299 uint64_t
300 t1 =
301 h02
302 + ((e0 << 50U | e0 >> 14U) ^ ((e0 << 46U | e0 >> 18U) ^ (e0 << 23U | e0 >> 41U)))
303 + ((e0 & f0) ^ (~e0 & g0))
304 + k_e_t
305 + ws_t;
306 uint64_t
307 t2 =
308 ((a0 << 36U | a0 >> 28U) ^ ((a0 << 30U | a0 >> 34U) ^ (a0 << 25U | a0 >> 39U)))
309 + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0)));
310 uint64_t a1 = t1 + t2;
311 uint64_t b1 = a0;
312 uint64_t c1 = b0;
313 uint64_t d1 = c0;
314 uint64_t e1 = d0 + t1;
315 uint64_t f1 = e0;
316 uint64_t g1 = f0;
317 uint64_t h12 = g0;
318 hash[0U] = a1;
319 hash[1U] = b1;
320 hash[2U] = c1;
321 hash[3U] = d1;
322 hash[4U] = e1;
323 hash[5U] = f1;
324 hash[6U] = g1;
325 hash[7U] = h12;);
326 if (i0 < 4U)
327 {
328 KRML_MAYBE_FOR16(i,
329 0U,
330 16U,
331 1U,
332 uint64_t t16 = ws[i];
333 uint64_t t15 = ws[(i + 1U) % 16U];
334 uint64_t t7 = ws[(i + 9U) % 16U];
335 uint64_t t2 = ws[(i + 14U) % 16U];
336 uint64_t s1 = (t2 << 45U | t2 >> 19U) ^ ((t2 << 3U | t2 >> 61U) ^ t2 >> 6U);
337 uint64_t s0 = (t15 << 63U | t15 >> 1U) ^ ((t15 << 56U | t15 >> 8U) ^ t15 >> 7U);
338 ws[i] = s1 + t7 + s0 + t16;);
339 });
340 KRML_MAYBE_FOR8(i,
341 0U,
342 8U,
343 1U,
344 uint64_t *os = hash;
345 uint64_t x = hash[i] + hash_old[i];
346 os[i] = x;);
347 }
348
Hacl_Hash_SHA2_sha512_update_nblocks(uint32_t len,uint8_t * b,uint64_t * st)349 void Hacl_Hash_SHA2_sha512_update_nblocks(uint32_t len, uint8_t *b, uint64_t *st)
350 {
351 uint32_t blocks = len / 128U;
352 for (uint32_t i = 0U; i < blocks; i++)
353 {
354 uint8_t *b0 = b;
355 uint8_t *mb = b0 + i * 128U;
356 sha512_update(mb, st);
357 }
358 }
359
360 void
Hacl_Hash_SHA2_sha512_update_last(FStar_UInt128_uint128 totlen,uint32_t len,uint8_t * b,uint64_t * hash)361 Hacl_Hash_SHA2_sha512_update_last(
362 FStar_UInt128_uint128 totlen,
363 uint32_t len,
364 uint8_t *b,
365 uint64_t *hash
366 )
367 {
368 uint32_t blocks;
369 if (len + 16U + 1U <= 128U)
370 {
371 blocks = 1U;
372 }
373 else
374 {
375 blocks = 2U;
376 }
377 uint32_t fin = blocks * 128U;
378 uint8_t last[256U] = { 0U };
379 uint8_t totlen_buf[16U] = { 0U };
380 FStar_UInt128_uint128 total_len_bits = FStar_UInt128_shift_left(totlen, 3U);
381 store128_be(totlen_buf, total_len_bits);
382 uint8_t *b0 = b;
383 memcpy(last, b0, len * sizeof (uint8_t));
384 last[len] = 0x80U;
385 memcpy(last + fin - 16U, totlen_buf, 16U * sizeof (uint8_t));
386 uint8_t *last00 = last;
387 uint8_t *last10 = last + 128U;
388 uint8_t *l0 = last00;
389 uint8_t *l1 = last10;
390 uint8_t *lb0 = l0;
391 uint8_t *lb1 = l1;
392 uint8_t *last0 = lb0;
393 uint8_t *last1 = lb1;
394 sha512_update(last0, hash);
395 if (blocks > 1U)
396 {
397 sha512_update(last1, hash);
398 return;
399 }
400 }
401
Hacl_Hash_SHA2_sha512_finish(uint64_t * st,uint8_t * h)402 void Hacl_Hash_SHA2_sha512_finish(uint64_t *st, uint8_t *h)
403 {
404 uint8_t hbuf[64U] = { 0U };
405 KRML_MAYBE_FOR8(i, 0U, 8U, 1U, store64_be(hbuf + i * 8U, st[i]););
406 memcpy(h, hbuf, 64U * sizeof (uint8_t));
407 }
408
Hacl_Hash_SHA2_sha384_init(uint64_t * hash)409 void Hacl_Hash_SHA2_sha384_init(uint64_t *hash)
410 {
411 KRML_MAYBE_FOR8(i,
412 0U,
413 8U,
414 1U,
415 uint64_t *os = hash;
416 uint64_t x = Hacl_Hash_SHA2_h384[i];
417 os[i] = x;);
418 }
419
Hacl_Hash_SHA2_sha384_update_nblocks(uint32_t len,uint8_t * b,uint64_t * st)420 void Hacl_Hash_SHA2_sha384_update_nblocks(uint32_t len, uint8_t *b, uint64_t *st)
421 {
422 Hacl_Hash_SHA2_sha512_update_nblocks(len, b, st);
423 }
424
425 void
Hacl_Hash_SHA2_sha384_update_last(FStar_UInt128_uint128 totlen,uint32_t len,uint8_t * b,uint64_t * st)426 Hacl_Hash_SHA2_sha384_update_last(
427 FStar_UInt128_uint128 totlen,
428 uint32_t len,
429 uint8_t *b,
430 uint64_t *st
431 )
432 {
433 Hacl_Hash_SHA2_sha512_update_last(totlen, len, b, st);
434 }
435
Hacl_Hash_SHA2_sha384_finish(uint64_t * st,uint8_t * h)436 void Hacl_Hash_SHA2_sha384_finish(uint64_t *st, uint8_t *h)
437 {
438 uint8_t hbuf[64U] = { 0U };
439 KRML_MAYBE_FOR8(i, 0U, 8U, 1U, store64_be(hbuf + i * 8U, st[i]););
440 memcpy(h, hbuf, 48U * sizeof (uint8_t));
441 }
442
443 /**
444 Allocate initial state for the SHA2_256 hash. The state is to be freed by
445 calling `free_256`.
446 */
Hacl_Hash_SHA2_malloc_256(void)447 Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_256(void)
448 {
449 uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t));
450 uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t));
451 Hacl_Streaming_MD_state_32
452 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
453 Hacl_Streaming_MD_state_32
454 *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32));
455 p[0U] = s;
456 Hacl_Hash_SHA2_sha256_init(block_state);
457 return p;
458 }
459
460 /**
461 Copies the state passed as argument into a newly allocated state (deep copy).
462 The state is to be freed by calling `free_256`. Cloning the state this way is
463 useful, for instance, if your control-flow diverges and you need to feed
464 more (different) data into the hash in each branch.
465 */
Hacl_Hash_SHA2_copy_256(Hacl_Streaming_MD_state_32 * state)466 Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_copy_256(Hacl_Streaming_MD_state_32 *state)
467 {
468 Hacl_Streaming_MD_state_32 scrut = *state;
469 uint32_t *block_state0 = scrut.block_state;
470 uint8_t *buf0 = scrut.buf;
471 uint64_t total_len0 = scrut.total_len;
472 uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t));
473 memcpy(buf, buf0, 64U * sizeof (uint8_t));
474 uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t));
475 memcpy(block_state, block_state0, 8U * sizeof (uint32_t));
476 Hacl_Streaming_MD_state_32
477 s = { .block_state = block_state, .buf = buf, .total_len = total_len0 };
478 Hacl_Streaming_MD_state_32
479 *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32));
480 p[0U] = s;
481 return p;
482 }
483
484 /**
485 Reset an existing state to the initial hash state with empty data.
486 */
Hacl_Hash_SHA2_reset_256(Hacl_Streaming_MD_state_32 * state)487 void Hacl_Hash_SHA2_reset_256(Hacl_Streaming_MD_state_32 *state)
488 {
489 Hacl_Streaming_MD_state_32 scrut = *state;
490 uint8_t *buf = scrut.buf;
491 uint32_t *block_state = scrut.block_state;
492 Hacl_Hash_SHA2_sha256_init(block_state);
493 Hacl_Streaming_MD_state_32
494 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
495 state[0U] = tmp;
496 }
497
498 static inline Hacl_Streaming_Types_error_code
update_224_256(Hacl_Streaming_MD_state_32 * state,uint8_t * chunk,uint32_t chunk_len)499 update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk_len)
500 {
501 Hacl_Streaming_MD_state_32 s = *state;
502 uint64_t total_len = s.total_len;
503 if ((uint64_t)chunk_len > 2305843009213693951ULL - total_len)
504 {
505 return Hacl_Streaming_Types_MaximumLengthExceeded;
506 }
507 uint32_t sz;
508 if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL)
509 {
510 sz = 64U;
511 }
512 else
513 {
514 sz = (uint32_t)(total_len % (uint64_t)64U);
515 }
516 if (chunk_len <= 64U - sz)
517 {
518 Hacl_Streaming_MD_state_32 s1 = *state;
519 uint32_t *block_state1 = s1.block_state;
520 uint8_t *buf = s1.buf;
521 uint64_t total_len1 = s1.total_len;
522 uint32_t sz1;
523 if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL)
524 {
525 sz1 = 64U;
526 }
527 else
528 {
529 sz1 = (uint32_t)(total_len1 % (uint64_t)64U);
530 }
531 uint8_t *buf2 = buf + sz1;
532 memcpy(buf2, chunk, chunk_len * sizeof (uint8_t));
533 uint64_t total_len2 = total_len1 + (uint64_t)chunk_len;
534 *state
535 =
536 (
537 (Hacl_Streaming_MD_state_32){
538 .block_state = block_state1,
539 .buf = buf,
540 .total_len = total_len2
541 }
542 );
543 }
544 else if (sz == 0U)
545 {
546 Hacl_Streaming_MD_state_32 s1 = *state;
547 uint32_t *block_state1 = s1.block_state;
548 uint8_t *buf = s1.buf;
549 uint64_t total_len1 = s1.total_len;
550 uint32_t sz1;
551 if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL)
552 {
553 sz1 = 64U;
554 }
555 else
556 {
557 sz1 = (uint32_t)(total_len1 % (uint64_t)64U);
558 }
559 if (!(sz1 == 0U))
560 {
561 Hacl_Hash_SHA2_sha256_update_nblocks(64U, buf, block_state1);
562 }
563 uint32_t ite;
564 if ((uint64_t)chunk_len % (uint64_t)64U == 0ULL && (uint64_t)chunk_len > 0ULL)
565 {
566 ite = 64U;
567 }
568 else
569 {
570 ite = (uint32_t)((uint64_t)chunk_len % (uint64_t)64U);
571 }
572 uint32_t n_blocks = (chunk_len - ite) / 64U;
573 uint32_t data1_len = n_blocks * 64U;
574 uint32_t data2_len = chunk_len - data1_len;
575 uint8_t *data1 = chunk;
576 uint8_t *data2 = chunk + data1_len;
577 Hacl_Hash_SHA2_sha256_update_nblocks(data1_len / 64U * 64U, data1, block_state1);
578 uint8_t *dst = buf;
579 memcpy(dst, data2, data2_len * sizeof (uint8_t));
580 *state
581 =
582 (
583 (Hacl_Streaming_MD_state_32){
584 .block_state = block_state1,
585 .buf = buf,
586 .total_len = total_len1 + (uint64_t)chunk_len
587 }
588 );
589 }
590 else
591 {
592 uint32_t diff = 64U - sz;
593 uint8_t *chunk1 = chunk;
594 uint8_t *chunk2 = chunk + diff;
595 Hacl_Streaming_MD_state_32 s1 = *state;
596 uint32_t *block_state10 = s1.block_state;
597 uint8_t *buf0 = s1.buf;
598 uint64_t total_len10 = s1.total_len;
599 uint32_t sz10;
600 if (total_len10 % (uint64_t)64U == 0ULL && total_len10 > 0ULL)
601 {
602 sz10 = 64U;
603 }
604 else
605 {
606 sz10 = (uint32_t)(total_len10 % (uint64_t)64U);
607 }
608 uint8_t *buf2 = buf0 + sz10;
609 memcpy(buf2, chunk1, diff * sizeof (uint8_t));
610 uint64_t total_len2 = total_len10 + (uint64_t)diff;
611 *state
612 =
613 (
614 (Hacl_Streaming_MD_state_32){
615 .block_state = block_state10,
616 .buf = buf0,
617 .total_len = total_len2
618 }
619 );
620 Hacl_Streaming_MD_state_32 s10 = *state;
621 uint32_t *block_state1 = s10.block_state;
622 uint8_t *buf = s10.buf;
623 uint64_t total_len1 = s10.total_len;
624 uint32_t sz1;
625 if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL)
626 {
627 sz1 = 64U;
628 }
629 else
630 {
631 sz1 = (uint32_t)(total_len1 % (uint64_t)64U);
632 }
633 if (!(sz1 == 0U))
634 {
635 Hacl_Hash_SHA2_sha256_update_nblocks(64U, buf, block_state1);
636 }
637 uint32_t ite;
638 if
639 ((uint64_t)(chunk_len - diff) % (uint64_t)64U == 0ULL && (uint64_t)(chunk_len - diff) > 0ULL)
640 {
641 ite = 64U;
642 }
643 else
644 {
645 ite = (uint32_t)((uint64_t)(chunk_len - diff) % (uint64_t)64U);
646 }
647 uint32_t n_blocks = (chunk_len - diff - ite) / 64U;
648 uint32_t data1_len = n_blocks * 64U;
649 uint32_t data2_len = chunk_len - diff - data1_len;
650 uint8_t *data1 = chunk2;
651 uint8_t *data2 = chunk2 + data1_len;
652 Hacl_Hash_SHA2_sha256_update_nblocks(data1_len / 64U * 64U, data1, block_state1);
653 uint8_t *dst = buf;
654 memcpy(dst, data2, data2_len * sizeof (uint8_t));
655 *state
656 =
657 (
658 (Hacl_Streaming_MD_state_32){
659 .block_state = block_state1,
660 .buf = buf,
661 .total_len = total_len1 + (uint64_t)(chunk_len - diff)
662 }
663 );
664 }
665 return Hacl_Streaming_Types_Success;
666 }
667
668 /**
669 Feed an arbitrary amount of data into the hash. This function returns 0 for
670 success, or 1 if the combined length of all of the data passed to `update_256`
671 (since the last call to `reset_256`) exceeds 2^61-1 bytes.
672
673 This function is identical to the update function for SHA2_224.
674 */
675 Hacl_Streaming_Types_error_code
Hacl_Hash_SHA2_update_256(Hacl_Streaming_MD_state_32 * state,uint8_t * input,uint32_t input_len)676 Hacl_Hash_SHA2_update_256(
677 Hacl_Streaming_MD_state_32 *state,
678 uint8_t *input,
679 uint32_t input_len
680 )
681 {
682 return update_224_256(state, input, input_len);
683 }
684
685 /**
686 Write the resulting hash into `output`, an array of 32 bytes. The state remains
687 valid after a call to `digest_256`, meaning the user may feed more data into
688 the hash via `update_256`. (The digest_256 function operates on an internal copy of
689 the state and therefore does not invalidate the client-held state `p`.)
690 */
Hacl_Hash_SHA2_digest_256(Hacl_Streaming_MD_state_32 * state,uint8_t * output)691 void Hacl_Hash_SHA2_digest_256(Hacl_Streaming_MD_state_32 *state, uint8_t *output)
692 {
693 Hacl_Streaming_MD_state_32 scrut = *state;
694 uint32_t *block_state = scrut.block_state;
695 uint8_t *buf_ = scrut.buf;
696 uint64_t total_len = scrut.total_len;
697 uint32_t r;
698 if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL)
699 {
700 r = 64U;
701 }
702 else
703 {
704 r = (uint32_t)(total_len % (uint64_t)64U);
705 }
706 uint8_t *buf_1 = buf_;
707 uint32_t tmp_block_state[8U] = { 0U };
708 memcpy(tmp_block_state, block_state, 8U * sizeof (uint32_t));
709 uint32_t ite;
710 if (r % 64U == 0U && r > 0U)
711 {
712 ite = 64U;
713 }
714 else
715 {
716 ite = r % 64U;
717 }
718 uint8_t *buf_last = buf_1 + r - ite;
719 uint8_t *buf_multi = buf_1;
720 Hacl_Hash_SHA2_sha256_update_nblocks(0U, buf_multi, tmp_block_state);
721 uint64_t prev_len_last = total_len - (uint64_t)r;
722 Hacl_Hash_SHA2_sha256_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state);
723 Hacl_Hash_SHA2_sha256_finish(tmp_block_state, output);
724 }
725
726 /**
727 Free a state allocated with `malloc_256`.
728
729 This function is identical to the free function for SHA2_224.
730 */
Hacl_Hash_SHA2_free_256(Hacl_Streaming_MD_state_32 * state)731 void Hacl_Hash_SHA2_free_256(Hacl_Streaming_MD_state_32 *state)
732 {
733 Hacl_Streaming_MD_state_32 scrut = *state;
734 uint8_t *buf = scrut.buf;
735 uint32_t *block_state = scrut.block_state;
736 KRML_HOST_FREE(block_state);
737 KRML_HOST_FREE(buf);
738 KRML_HOST_FREE(state);
739 }
740
741 /**
742 Hash `input`, of len `input_len`, into `output`, an array of 32 bytes.
743 */
Hacl_Hash_SHA2_hash_256(uint8_t * output,uint8_t * input,uint32_t input_len)744 void Hacl_Hash_SHA2_hash_256(uint8_t *output, uint8_t *input, uint32_t input_len)
745 {
746 uint8_t *ib = input;
747 uint8_t *rb = output;
748 uint32_t st[8U] = { 0U };
749 Hacl_Hash_SHA2_sha256_init(st);
750 uint32_t rem = input_len % 64U;
751 uint64_t len_ = (uint64_t)input_len;
752 Hacl_Hash_SHA2_sha256_update_nblocks(input_len, ib, st);
753 uint32_t rem1 = input_len % 64U;
754 uint8_t *b0 = ib;
755 uint8_t *lb = b0 + input_len - rem1;
756 Hacl_Hash_SHA2_sha256_update_last(len_, rem, lb, st);
757 Hacl_Hash_SHA2_sha256_finish(st, rb);
758 }
759
Hacl_Hash_SHA2_malloc_224(void)760 Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_224(void)
761 {
762 uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t));
763 uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t));
764 Hacl_Streaming_MD_state_32
765 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
766 Hacl_Streaming_MD_state_32
767 *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32));
768 p[0U] = s;
769 Hacl_Hash_SHA2_sha224_init(block_state);
770 return p;
771 }
772
Hacl_Hash_SHA2_reset_224(Hacl_Streaming_MD_state_32 * state)773 void Hacl_Hash_SHA2_reset_224(Hacl_Streaming_MD_state_32 *state)
774 {
775 Hacl_Streaming_MD_state_32 scrut = *state;
776 uint8_t *buf = scrut.buf;
777 uint32_t *block_state = scrut.block_state;
778 Hacl_Hash_SHA2_sha224_init(block_state);
779 Hacl_Streaming_MD_state_32
780 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
781 state[0U] = tmp;
782 }
783
784 Hacl_Streaming_Types_error_code
Hacl_Hash_SHA2_update_224(Hacl_Streaming_MD_state_32 * state,uint8_t * input,uint32_t input_len)785 Hacl_Hash_SHA2_update_224(
786 Hacl_Streaming_MD_state_32 *state,
787 uint8_t *input,
788 uint32_t input_len
789 )
790 {
791 return update_224_256(state, input, input_len);
792 }
793
794 /**
795 Write the resulting hash into `output`, an array of 28 bytes. The state remains
796 valid after a call to `digest_224`, meaning the user may feed more data into
797 the hash via `update_224`.
798 */
Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 * state,uint8_t * output)799 void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_t *output)
800 {
801 Hacl_Streaming_MD_state_32 scrut = *state;
802 uint32_t *block_state = scrut.block_state;
803 uint8_t *buf_ = scrut.buf;
804 uint64_t total_len = scrut.total_len;
805 uint32_t r;
806 if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL)
807 {
808 r = 64U;
809 }
810 else
811 {
812 r = (uint32_t)(total_len % (uint64_t)64U);
813 }
814 uint8_t *buf_1 = buf_;
815 uint32_t tmp_block_state[8U] = { 0U };
816 memcpy(tmp_block_state, block_state, 8U * sizeof (uint32_t));
817 uint32_t ite;
818 if (r % 64U == 0U && r > 0U)
819 {
820 ite = 64U;
821 }
822 else
823 {
824 ite = r % 64U;
825 }
826 uint8_t *buf_last = buf_1 + r - ite;
827 uint8_t *buf_multi = buf_1;
828 sha224_update_nblocks(0U, buf_multi, tmp_block_state);
829 uint64_t prev_len_last = total_len - (uint64_t)r;
830 Hacl_Hash_SHA2_sha224_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state);
831 Hacl_Hash_SHA2_sha224_finish(tmp_block_state, output);
832 }
833
Hacl_Hash_SHA2_free_224(Hacl_Streaming_MD_state_32 * state)834 void Hacl_Hash_SHA2_free_224(Hacl_Streaming_MD_state_32 *state)
835 {
836 Hacl_Hash_SHA2_free_256(state);
837 }
838
839 /**
840 Hash `input`, of len `input_len`, into `output`, an array of 28 bytes.
841 */
Hacl_Hash_SHA2_hash_224(uint8_t * output,uint8_t * input,uint32_t input_len)842 void Hacl_Hash_SHA2_hash_224(uint8_t *output, uint8_t *input, uint32_t input_len)
843 {
844 uint8_t *ib = input;
845 uint8_t *rb = output;
846 uint32_t st[8U] = { 0U };
847 Hacl_Hash_SHA2_sha224_init(st);
848 uint32_t rem = input_len % 64U;
849 uint64_t len_ = (uint64_t)input_len;
850 sha224_update_nblocks(input_len, ib, st);
851 uint32_t rem1 = input_len % 64U;
852 uint8_t *b0 = ib;
853 uint8_t *lb = b0 + input_len - rem1;
854 Hacl_Hash_SHA2_sha224_update_last(len_, rem, lb, st);
855 Hacl_Hash_SHA2_sha224_finish(st, rb);
856 }
857
Hacl_Hash_SHA2_malloc_512(void)858 Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_512(void)
859 {
860 uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t));
861 uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t));
862 Hacl_Streaming_MD_state_64
863 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
864 Hacl_Streaming_MD_state_64
865 *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64));
866 p[0U] = s;
867 Hacl_Hash_SHA2_sha512_init(block_state);
868 return p;
869 }
870
871 /**
872 Copies the state passed as argument into a newly allocated state (deep copy).
873 The state is to be freed by calling `free_512`. Cloning the state this way is
874 useful, for instance, if your control-flow diverges and you need to feed
875 more (different) data into the hash in each branch.
876 */
Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_state_64 * state)877 Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_state_64 *state)
878 {
879 Hacl_Streaming_MD_state_64 scrut = *state;
880 uint64_t *block_state0 = scrut.block_state;
881 uint8_t *buf0 = scrut.buf;
882 uint64_t total_len0 = scrut.total_len;
883 uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t));
884 memcpy(buf, buf0, 128U * sizeof (uint8_t));
885 uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t));
886 memcpy(block_state, block_state0, 8U * sizeof (uint64_t));
887 Hacl_Streaming_MD_state_64
888 s = { .block_state = block_state, .buf = buf, .total_len = total_len0 };
889 Hacl_Streaming_MD_state_64
890 *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64));
891 p[0U] = s;
892 return p;
893 }
894
Hacl_Hash_SHA2_reset_512(Hacl_Streaming_MD_state_64 * state)895 void Hacl_Hash_SHA2_reset_512(Hacl_Streaming_MD_state_64 *state)
896 {
897 Hacl_Streaming_MD_state_64 scrut = *state;
898 uint8_t *buf = scrut.buf;
899 uint64_t *block_state = scrut.block_state;
900 Hacl_Hash_SHA2_sha512_init(block_state);
901 Hacl_Streaming_MD_state_64
902 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
903 state[0U] = tmp;
904 }
905
906 static inline Hacl_Streaming_Types_error_code
update_384_512(Hacl_Streaming_MD_state_64 * state,uint8_t * chunk,uint32_t chunk_len)907 update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk_len)
908 {
909 Hacl_Streaming_MD_state_64 s = *state;
910 uint64_t total_len = s.total_len;
911 if ((uint64_t)chunk_len > 18446744073709551615ULL - total_len)
912 {
913 return Hacl_Streaming_Types_MaximumLengthExceeded;
914 }
915 uint32_t sz;
916 if (total_len % (uint64_t)128U == 0ULL && total_len > 0ULL)
917 {
918 sz = 128U;
919 }
920 else
921 {
922 sz = (uint32_t)(total_len % (uint64_t)128U);
923 }
924 if (chunk_len <= 128U - sz)
925 {
926 Hacl_Streaming_MD_state_64 s1 = *state;
927 uint64_t *block_state1 = s1.block_state;
928 uint8_t *buf = s1.buf;
929 uint64_t total_len1 = s1.total_len;
930 uint32_t sz1;
931 if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL)
932 {
933 sz1 = 128U;
934 }
935 else
936 {
937 sz1 = (uint32_t)(total_len1 % (uint64_t)128U);
938 }
939 uint8_t *buf2 = buf + sz1;
940 memcpy(buf2, chunk, chunk_len * sizeof (uint8_t));
941 uint64_t total_len2 = total_len1 + (uint64_t)chunk_len;
942 *state
943 =
944 (
945 (Hacl_Streaming_MD_state_64){
946 .block_state = block_state1,
947 .buf = buf,
948 .total_len = total_len2
949 }
950 );
951 }
952 else if (sz == 0U)
953 {
954 Hacl_Streaming_MD_state_64 s1 = *state;
955 uint64_t *block_state1 = s1.block_state;
956 uint8_t *buf = s1.buf;
957 uint64_t total_len1 = s1.total_len;
958 uint32_t sz1;
959 if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL)
960 {
961 sz1 = 128U;
962 }
963 else
964 {
965 sz1 = (uint32_t)(total_len1 % (uint64_t)128U);
966 }
967 if (!(sz1 == 0U))
968 {
969 Hacl_Hash_SHA2_sha512_update_nblocks(128U, buf, block_state1);
970 }
971 uint32_t ite;
972 if ((uint64_t)chunk_len % (uint64_t)128U == 0ULL && (uint64_t)chunk_len > 0ULL)
973 {
974 ite = 128U;
975 }
976 else
977 {
978 ite = (uint32_t)((uint64_t)chunk_len % (uint64_t)128U);
979 }
980 uint32_t n_blocks = (chunk_len - ite) / 128U;
981 uint32_t data1_len = n_blocks * 128U;
982 uint32_t data2_len = chunk_len - data1_len;
983 uint8_t *data1 = chunk;
984 uint8_t *data2 = chunk + data1_len;
985 Hacl_Hash_SHA2_sha512_update_nblocks(data1_len / 128U * 128U, data1, block_state1);
986 uint8_t *dst = buf;
987 memcpy(dst, data2, data2_len * sizeof (uint8_t));
988 *state
989 =
990 (
991 (Hacl_Streaming_MD_state_64){
992 .block_state = block_state1,
993 .buf = buf,
994 .total_len = total_len1 + (uint64_t)chunk_len
995 }
996 );
997 }
998 else
999 {
1000 uint32_t diff = 128U - sz;
1001 uint8_t *chunk1 = chunk;
1002 uint8_t *chunk2 = chunk + diff;
1003 Hacl_Streaming_MD_state_64 s1 = *state;
1004 uint64_t *block_state10 = s1.block_state;
1005 uint8_t *buf0 = s1.buf;
1006 uint64_t total_len10 = s1.total_len;
1007 uint32_t sz10;
1008 if (total_len10 % (uint64_t)128U == 0ULL && total_len10 > 0ULL)
1009 {
1010 sz10 = 128U;
1011 }
1012 else
1013 {
1014 sz10 = (uint32_t)(total_len10 % (uint64_t)128U);
1015 }
1016 uint8_t *buf2 = buf0 + sz10;
1017 memcpy(buf2, chunk1, diff * sizeof (uint8_t));
1018 uint64_t total_len2 = total_len10 + (uint64_t)diff;
1019 *state
1020 =
1021 (
1022 (Hacl_Streaming_MD_state_64){
1023 .block_state = block_state10,
1024 .buf = buf0,
1025 .total_len = total_len2
1026 }
1027 );
1028 Hacl_Streaming_MD_state_64 s10 = *state;
1029 uint64_t *block_state1 = s10.block_state;
1030 uint8_t *buf = s10.buf;
1031 uint64_t total_len1 = s10.total_len;
1032 uint32_t sz1;
1033 if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL)
1034 {
1035 sz1 = 128U;
1036 }
1037 else
1038 {
1039 sz1 = (uint32_t)(total_len1 % (uint64_t)128U);
1040 }
1041 if (!(sz1 == 0U))
1042 {
1043 Hacl_Hash_SHA2_sha512_update_nblocks(128U, buf, block_state1);
1044 }
1045 uint32_t ite;
1046 if
1047 ((uint64_t)(chunk_len - diff) % (uint64_t)128U == 0ULL && (uint64_t)(chunk_len - diff) > 0ULL)
1048 {
1049 ite = 128U;
1050 }
1051 else
1052 {
1053 ite = (uint32_t)((uint64_t)(chunk_len - diff) % (uint64_t)128U);
1054 }
1055 uint32_t n_blocks = (chunk_len - diff - ite) / 128U;
1056 uint32_t data1_len = n_blocks * 128U;
1057 uint32_t data2_len = chunk_len - diff - data1_len;
1058 uint8_t *data1 = chunk2;
1059 uint8_t *data2 = chunk2 + data1_len;
1060 Hacl_Hash_SHA2_sha512_update_nblocks(data1_len / 128U * 128U, data1, block_state1);
1061 uint8_t *dst = buf;
1062 memcpy(dst, data2, data2_len * sizeof (uint8_t));
1063 *state
1064 =
1065 (
1066 (Hacl_Streaming_MD_state_64){
1067 .block_state = block_state1,
1068 .buf = buf,
1069 .total_len = total_len1 + (uint64_t)(chunk_len - diff)
1070 }
1071 );
1072 }
1073 return Hacl_Streaming_Types_Success;
1074 }
1075
1076 /**
1077 Feed an arbitrary amount of data into the hash. This function returns 0 for
1078 success, or 1 if the combined length of all of the data passed to `update_512`
1079 (since the last call to `reset_512`) exceeds 2^125-1 bytes.
1080
1081 This function is identical to the update function for SHA2_384.
1082 */
1083 Hacl_Streaming_Types_error_code
Hacl_Hash_SHA2_update_512(Hacl_Streaming_MD_state_64 * state,uint8_t * input,uint32_t input_len)1084 Hacl_Hash_SHA2_update_512(
1085 Hacl_Streaming_MD_state_64 *state,
1086 uint8_t *input,
1087 uint32_t input_len
1088 )
1089 {
1090 return update_384_512(state, input, input_len);
1091 }
1092
1093 /**
1094 Write the resulting hash into `output`, an array of 64 bytes. The state remains
1095 valid after a call to `digest_512`, meaning the user may feed more data into
1096 the hash via `update_512`. (The digest_512 function operates on an internal copy of
1097 the state and therefore does not invalidate the client-held state `p`.)
1098 */
Hacl_Hash_SHA2_digest_512(Hacl_Streaming_MD_state_64 * state,uint8_t * output)1099 void Hacl_Hash_SHA2_digest_512(Hacl_Streaming_MD_state_64 *state, uint8_t *output)
1100 {
1101 Hacl_Streaming_MD_state_64 scrut = *state;
1102 uint64_t *block_state = scrut.block_state;
1103 uint8_t *buf_ = scrut.buf;
1104 uint64_t total_len = scrut.total_len;
1105 uint32_t r;
1106 if (total_len % (uint64_t)128U == 0ULL && total_len > 0ULL)
1107 {
1108 r = 128U;
1109 }
1110 else
1111 {
1112 r = (uint32_t)(total_len % (uint64_t)128U);
1113 }
1114 uint8_t *buf_1 = buf_;
1115 uint64_t tmp_block_state[8U] = { 0U };
1116 memcpy(tmp_block_state, block_state, 8U * sizeof (uint64_t));
1117 uint32_t ite;
1118 if (r % 128U == 0U && r > 0U)
1119 {
1120 ite = 128U;
1121 }
1122 else
1123 {
1124 ite = r % 128U;
1125 }
1126 uint8_t *buf_last = buf_1 + r - ite;
1127 uint8_t *buf_multi = buf_1;
1128 Hacl_Hash_SHA2_sha512_update_nblocks(0U, buf_multi, tmp_block_state);
1129 uint64_t prev_len_last = total_len - (uint64_t)r;
1130 Hacl_Hash_SHA2_sha512_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len_last),
1131 FStar_UInt128_uint64_to_uint128((uint64_t)r)),
1132 r,
1133 buf_last,
1134 tmp_block_state);
1135 Hacl_Hash_SHA2_sha512_finish(tmp_block_state, output);
1136 }
1137
1138 /**
1139 Free a state allocated with `malloc_512`.
1140
1141 This function is identical to the free function for SHA2_384.
1142 */
Hacl_Hash_SHA2_free_512(Hacl_Streaming_MD_state_64 * state)1143 void Hacl_Hash_SHA2_free_512(Hacl_Streaming_MD_state_64 *state)
1144 {
1145 Hacl_Streaming_MD_state_64 scrut = *state;
1146 uint8_t *buf = scrut.buf;
1147 uint64_t *block_state = scrut.block_state;
1148 KRML_HOST_FREE(block_state);
1149 KRML_HOST_FREE(buf);
1150 KRML_HOST_FREE(state);
1151 }
1152
1153 /**
1154 Hash `input`, of len `input_len`, into `output`, an array of 64 bytes.
1155 */
Hacl_Hash_SHA2_hash_512(uint8_t * output,uint8_t * input,uint32_t input_len)1156 void Hacl_Hash_SHA2_hash_512(uint8_t *output, uint8_t *input, uint32_t input_len)
1157 {
1158 uint8_t *ib = input;
1159 uint8_t *rb = output;
1160 uint64_t st[8U] = { 0U };
1161 Hacl_Hash_SHA2_sha512_init(st);
1162 uint32_t rem = input_len % 128U;
1163 FStar_UInt128_uint128 len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len);
1164 Hacl_Hash_SHA2_sha512_update_nblocks(input_len, ib, st);
1165 uint32_t rem1 = input_len % 128U;
1166 uint8_t *b0 = ib;
1167 uint8_t *lb = b0 + input_len - rem1;
1168 Hacl_Hash_SHA2_sha512_update_last(len_, rem, lb, st);
1169 Hacl_Hash_SHA2_sha512_finish(st, rb);
1170 }
1171
Hacl_Hash_SHA2_malloc_384(void)1172 Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_384(void)
1173 {
1174 uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t));
1175 uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t));
1176 Hacl_Streaming_MD_state_64
1177 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
1178 Hacl_Streaming_MD_state_64
1179 *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64));
1180 p[0U] = s;
1181 Hacl_Hash_SHA2_sha384_init(block_state);
1182 return p;
1183 }
1184
Hacl_Hash_SHA2_reset_384(Hacl_Streaming_MD_state_64 * state)1185 void Hacl_Hash_SHA2_reset_384(Hacl_Streaming_MD_state_64 *state)
1186 {
1187 Hacl_Streaming_MD_state_64 scrut = *state;
1188 uint8_t *buf = scrut.buf;
1189 uint64_t *block_state = scrut.block_state;
1190 Hacl_Hash_SHA2_sha384_init(block_state);
1191 Hacl_Streaming_MD_state_64
1192 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U };
1193 state[0U] = tmp;
1194 }
1195
1196 Hacl_Streaming_Types_error_code
Hacl_Hash_SHA2_update_384(Hacl_Streaming_MD_state_64 * state,uint8_t * input,uint32_t input_len)1197 Hacl_Hash_SHA2_update_384(
1198 Hacl_Streaming_MD_state_64 *state,
1199 uint8_t *input,
1200 uint32_t input_len
1201 )
1202 {
1203 return update_384_512(state, input, input_len);
1204 }
1205
1206 /**
1207 Write the resulting hash into `output`, an array of 48 bytes. The state remains
1208 valid after a call to `digest_384`, meaning the user may feed more data into
1209 the hash via `update_384`.
1210 */
Hacl_Hash_SHA2_digest_384(Hacl_Streaming_MD_state_64 * state,uint8_t * output)1211 void Hacl_Hash_SHA2_digest_384(Hacl_Streaming_MD_state_64 *state, uint8_t *output)
1212 {
1213 Hacl_Streaming_MD_state_64 scrut = *state;
1214 uint64_t *block_state = scrut.block_state;
1215 uint8_t *buf_ = scrut.buf;
1216 uint64_t total_len = scrut.total_len;
1217 uint32_t r;
1218 if (total_len % (uint64_t)128U == 0ULL && total_len > 0ULL)
1219 {
1220 r = 128U;
1221 }
1222 else
1223 {
1224 r = (uint32_t)(total_len % (uint64_t)128U);
1225 }
1226 uint8_t *buf_1 = buf_;
1227 uint64_t tmp_block_state[8U] = { 0U };
1228 memcpy(tmp_block_state, block_state, 8U * sizeof (uint64_t));
1229 uint32_t ite;
1230 if (r % 128U == 0U && r > 0U)
1231 {
1232 ite = 128U;
1233 }
1234 else
1235 {
1236 ite = r % 128U;
1237 }
1238 uint8_t *buf_last = buf_1 + r - ite;
1239 uint8_t *buf_multi = buf_1;
1240 Hacl_Hash_SHA2_sha384_update_nblocks(0U, buf_multi, tmp_block_state);
1241 uint64_t prev_len_last = total_len - (uint64_t)r;
1242 Hacl_Hash_SHA2_sha384_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len_last),
1243 FStar_UInt128_uint64_to_uint128((uint64_t)r)),
1244 r,
1245 buf_last,
1246 tmp_block_state);
1247 Hacl_Hash_SHA2_sha384_finish(tmp_block_state, output);
1248 }
1249
Hacl_Hash_SHA2_free_384(Hacl_Streaming_MD_state_64 * state)1250 void Hacl_Hash_SHA2_free_384(Hacl_Streaming_MD_state_64 *state)
1251 {
1252 Hacl_Hash_SHA2_free_512(state);
1253 }
1254
1255 /**
1256 Hash `input`, of len `input_len`, into `output`, an array of 48 bytes.
1257 */
Hacl_Hash_SHA2_hash_384(uint8_t * output,uint8_t * input,uint32_t input_len)1258 void Hacl_Hash_SHA2_hash_384(uint8_t *output, uint8_t *input, uint32_t input_len)
1259 {
1260 uint8_t *ib = input;
1261 uint8_t *rb = output;
1262 uint64_t st[8U] = { 0U };
1263 Hacl_Hash_SHA2_sha384_init(st);
1264 uint32_t rem = input_len % 128U;
1265 FStar_UInt128_uint128 len_ = FStar_UInt128_uint64_to_uint128((uint64_t)input_len);
1266 Hacl_Hash_SHA2_sha384_update_nblocks(input_len, ib, st);
1267 uint32_t rem1 = input_len % 128U;
1268 uint8_t *b0 = ib;
1269 uint8_t *lb = b0 + input_len - rem1;
1270 Hacl_Hash_SHA2_sha384_update_last(len_, rem, lb, st);
1271 Hacl_Hash_SHA2_sha384_finish(st, rb);
1272 }
1273
1274