/src/gnutls/lib/accelerated/x86/sha-padlock.c

Source
/*
 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
 * Portions Copyright (C) 2001 Niels Moeller
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GNUTLS.
 *
 * The GNUTLS library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

#include "gnutls_int.h"
#include "hash_int.h"
#include "errors.h"
#include <nettle/sha1.h>
#include <nettle/sha2.h>
#include <nettle/hmac.h>
#include <nettle/macros.h>
#include <nettle/version.h>
#include "aes-padlock.h"
#include <assert.h>
#include "sha-padlock.h"
#include "x86-common.h"

#ifdef HAVE_LIBNETTLE

/* Can't use nettle_set_key_func as it doesn't have the second argument */
typedef void (*set_key_func)(void *, size_t, const uint8_t *);

struct padlock_hash_ctx {
  union {
    struct sha1_ctx sha1;
    struct sha224_ctx sha224;
    struct sha256_ctx sha256;
    struct sha384_ctx sha384;
    struct sha512_ctx sha512;
  } ctx;
  void *ctx_ptr;
  gnutls_digest_algorithm_t algo;
  size_t length;
  nettle_hash_update_func *update;
  nettle_hash_digest_func *digest;
  nettle_hash_init_func *init;
};

static int wrap_padlock_hash_update(void *_ctx, const void *text,
            size_t textsize)
{
  struct padlock_hash_ctx *ctx = _ctx;

  ctx->update(ctx->ctx_ptr, textsize, text);

  return GNUTLS_E_SUCCESS;
}

static void wrap_padlock_hash_deinit(void *hd)
{
  gnutls_free(hd);
}

#define MD1_INCR(c) (c->count++)
#define SHA1_COMPRESS(ctx, data) \
  (padlock_sha1_blocks((void *)(ctx)->state, data, 1))
#define SHA256_COMPRESS(ctx, data) \
  (padlock_sha256_blocks((void *)(ctx)->state, data, 1))
#define SHA512_COMPRESS(ctx, data) \
  (padlock_sha512_blocks((void *)(ctx)->state, data, 1))

void padlock_sha1_update(struct sha1_ctx *ctx, size_t length,
       const uint8_t *data)
{
  MD_UPDATE(ctx, length, data, SHA1_COMPRESS, MD1_INCR(ctx));
}

void padlock_sha256_update(struct sha256_ctx *ctx, size_t length,
         const uint8_t *data)
{
  MD_UPDATE(ctx, length, data, SHA256_COMPRESS, MD1_INCR(ctx));
}

void padlock_sha512_update(struct sha512_ctx *ctx, size_t length,
         const uint8_t *data)
{
  MD_UPDATE(ctx, length, data, SHA512_COMPRESS, MD_INCR(ctx));
}

static void _nettle_write_be32(unsigned length, uint8_t *dst, uint32_t *src)
{
  unsigned i;
  unsigned words;
  unsigned leftover;

  words = length / 4;
  leftover = length % 4;

  for (i = 0; i < words; i++, dst += 4)
    WRITE_UINT32(dst, src[i]);

  if (leftover) {
    uint32_t word;
    unsigned j = leftover;

    word = src[i];

    switch (leftover) {
    default:
      abort();
    case 3:
      dst[--j] = (word >> 8) & 0xff;
      FALLTHROUGH;
    case 2:
      dst[--j] = (word >> 16) & 0xff;
      FALLTHROUGH;
    case 1:
      dst[--j] = (word >> 24) & 0xff;
    }
  }
}

static void _padlock_sha1_digest(struct sha1_ctx *ctx, size_t length,
         uint8_t *digest)
{
  uint64_t bit_count;

  assert(length <= SHA1_DIGEST_SIZE);

  MD_PAD(ctx, 8, SHA1_COMPRESS);

  /* There are 512 = 2^9 bits in one block */
  bit_count = (ctx->count << 9) | (ctx->index << 3);

  /* append the 64 bit count */
  WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count);
  SHA1_COMPRESS(ctx, ctx->block);

  _nettle_write_be32(length, digest, ctx->state);
}

static void _padlock_sha256_digest(struct sha256_ctx *ctx, size_t length,
           uint8_t *digest)
{
  uint64_t bit_count;

  assert(length <= SHA256_DIGEST_SIZE);

  MD_PAD(ctx, 8, SHA256_COMPRESS);

  /* There are 512 = 2^9 bits in one block */
  bit_count = (ctx->count << 9) | (ctx->index << 3);

  /* This is slightly inefficient, as the numbers are converted to
     big-endian format, and will be converted back by the compression
     function. It's probably not worth the effort to fix this. */
  WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
  SHA256_COMPRESS(ctx, ctx->block);

  _nettle_write_be32(length, digest, ctx->state);
}

static void _padlock_sha512_digest(struct sha512_ctx *ctx, size_t length,
           uint8_t *digest)
{
  uint64_t high, low;

  unsigned i;
  unsigned words;
  unsigned leftover;

  assert(length <= SHA512_DIGEST_SIZE);

  MD_PAD(ctx, 16, SHA512_COMPRESS);

  /* There are 1024 = 2^10 bits in one block */
  high = (ctx->count_high << 10) | (ctx->count_low >> 54);
  low = (ctx->count_low << 10) | (ctx->index << 3);

  /* This is slightly inefficient, as the numbers are converted to
     big-endian format, and will be converted back by the compression
     function. It's probably not worth the effort to fix this. */
  WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high);
  WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low);
  SHA512_COMPRESS(ctx, ctx->block);

  words = length / 8;
  leftover = length % 8;

  for (i = 0; i < words; i++, digest += 8)
    WRITE_UINT64(digest, ctx->state[i]);

  if (leftover) {
    /* Truncate to the right size */
    uint64_t word = ctx->state[i] >> (8 * (8 - leftover));

    do {
      digest[--leftover] = word & 0xff;
      word >>= 8;
    } while (leftover);
  }
}

#if NETTLE_VERSION_MAJOR >= 4
static void padlock_sha1_digest(struct sha1_ctx *ctx, uint8_t *digest)
{
  _padlock_sha1_digest(ctx, SHA1_DIGEST_SIZE, digest);
}
static void padlock_sha256_digest(struct sha256_ctx *ctx, uint8_t *digest)
{
  _padlock_sha256_digest(ctx, SHA256_DIGEST_SIZE, digest);
}
static void padlock_sha512_digest(struct sha512_ctx *ctx, uint8_t *digest)
{
  _padlock_sha512_digest(ctx, SHA512_DIGEST_SIZE, digest);
}
#else
#define padlock_sha1_digest _padlock_sha1_digest
#define padlock_sha256_digest _padlock_sha256_digest
#define padlock_sha512_digest _padlock_sha512_digest
#endif

static int _ctx_init(gnutls_digest_algorithm_t algo,
         struct padlock_hash_ctx *ctx)
{
  switch (algo) {
  case GNUTLS_DIG_SHA1:
    sha1_init(&ctx->ctx.sha1);
    ctx->update = (nettle_hash_update_func *)padlock_sha1_update;
    ctx->digest = (nettle_hash_digest_func *)padlock_sha1_digest;
    ctx->init = (nettle_hash_init_func *)sha1_init;
    ctx->ctx_ptr = &ctx->ctx.sha1;
    ctx->length = SHA1_DIGEST_SIZE;
    break;
  case GNUTLS_DIG_SHA224:
    sha224_init(&ctx->ctx.sha224);
    ctx->update = (nettle_hash_update_func *)padlock_sha256_update;
    ctx->digest = (nettle_hash_digest_func *)padlock_sha256_digest;
    ctx->init = (nettle_hash_init_func *)sha224_init;
    ctx->ctx_ptr = &ctx->ctx.sha224;
    ctx->length = SHA224_DIGEST_SIZE;
    break;
  case GNUTLS_DIG_SHA256:
    sha256_init(&ctx->ctx.sha256);
    ctx->update = (nettle_hash_update_func *)padlock_sha256_update;
    ctx->digest = (nettle_hash_digest_func *)padlock_sha256_digest;
    ctx->init = (nettle_hash_init_func *)sha256_init;
    ctx->ctx_ptr = &ctx->ctx.sha256;
    ctx->length = SHA256_DIGEST_SIZE;
    break;
  case GNUTLS_DIG_SHA384:
    sha384_init(&ctx->ctx.sha384);
    ctx->update = (nettle_hash_update_func *)padlock_sha512_update;
    ctx->digest = (nettle_hash_digest_func *)padlock_sha512_digest;
    ctx->init = (nettle_hash_init_func *)sha384_init;
    ctx->ctx_ptr = &ctx->ctx.sha384;
    ctx->length = SHA384_DIGEST_SIZE;
    break;
  case GNUTLS_DIG_SHA512:
    sha512_init(&ctx->ctx.sha512);
    ctx->update = (nettle_hash_update_func *)padlock_sha512_update;
    ctx->digest = (nettle_hash_digest_func *)padlock_sha512_digest;
    ctx->init = (nettle_hash_init_func *)sha512_init;
    ctx->ctx_ptr = &ctx->ctx.sha512;
    ctx->length = SHA512_DIGEST_SIZE;
    break;
  default:
    gnutls_assert();
    return GNUTLS_E_INVALID_REQUEST;
  }

  return 0;
}

static int wrap_padlock_hash_init(gnutls_digest_algorithm_t algo, void **_ctx)
{
  struct padlock_hash_ctx *ctx;
  int ret;

  ctx = gnutls_malloc(sizeof(struct padlock_hash_ctx));
  if (ctx == NULL) {
    gnutls_assert();
    return GNUTLS_E_MEMORY_ERROR;
  }

  ctx->algo = algo;

  if ((ret = _ctx_init(algo, ctx)) < 0) {
    gnutls_free(ctx);
    gnutls_assert();
    return ret;
  }

  *_ctx = ctx;

  return 0;
}

static void *wrap_padlock_hash_copy(const void *_ctx)
{
  struct padlock_hash_ctx *new_ctx;
  const struct padlock_hash_ctx *ctx = _ctx;
  ptrdiff_t off = (uint8_t *)ctx->ctx_ptr - (uint8_t *)(&ctx->ctx);

  new_ctx = gnutls_malloc(sizeof(struct padlock_hash_ctx));
  if (new_ctx == NULL) {
    gnutls_assert();
    return NULL;
  }

  memcpy(new_ctx, ctx, sizeof(*new_ctx));
  new_ctx->ctx_ptr = (uint8_t *)&new_ctx->ctx + off;

  return new_ctx;
}

static int wrap_padlock_hash_output(void *src_ctx, void *digest,
            size_t digestsize)
{
  struct padlock_hash_ctx *ctx;
  ctx = src_ctx;

  if (digest == NULL) {
    ctx->init(ctx->ctx_ptr);
    return 0;
  }

  if (digestsize < ctx->length)
    return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);

#if NETTLE_VERSION_MAJOR >= 4
  if (digestsize != ctx->length) {
    gnutls_assert();
    return GNUTLS_E_INVALID_REQUEST;
  }
  ctx->digest(ctx->ctx_ptr, digest);
#else
  ctx->digest(ctx->ctx_ptr, digestsize, digest);
#endif

  ctx->init(ctx->ctx_ptr);

  return 0;
}

int wrap_padlock_hash_fast(gnutls_digest_algorithm_t algo, const void *text,
         size_t text_size, void *digest)
{
  if (text_size == 0 && text == NULL)
    text = digest;
  if (algo == GNUTLS_DIG_SHA1) {
    uint32_t iv[5] = {
      0x67452301UL, 0xEFCDAB89UL, 0x98BADCFEUL,
      0x10325476UL, 0xC3D2E1F0UL,
    };
    padlock_sha1_oneshot(iv, text, text_size);
    _nettle_write_be32(20, digest, iv);
  } else if (algo == GNUTLS_DIG_SHA256) {
    uint32_t iv[8] = {
      0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
      0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
    };
    padlock_sha256_oneshot(iv, text, text_size);
    _nettle_write_be32(32, digest, iv);
  } else {
    struct padlock_hash_ctx ctx;
    int ret;

    ret = _ctx_init(algo, &ctx);
    if (ret < 0)
      return gnutls_assert_val(ret);
    ctx.algo = algo;

    wrap_padlock_hash_update(&ctx, text, text_size);

    wrap_padlock_hash_output(&ctx, digest, ctx.length);
  }

  return 0;
}

const struct nettle_hash padlock_sha1 =
  NN_HASH(sha1, padlock_sha1_update, padlock_sha1_digest, SHA1);
const struct nettle_hash padlock_sha224 =
  NN_HASH(sha224, padlock_sha256_update, padlock_sha256_digest, SHA224);
const struct nettle_hash padlock_sha256 =
  NN_HASH(sha256, padlock_sha256_update, padlock_sha256_digest, SHA256);
const struct nettle_hash padlock_sha384 =
  NN_HASH(sha384, padlock_sha512_update, padlock_sha512_digest, SHA384);
const struct nettle_hash padlock_sha512 =
  NN_HASH(sha512, padlock_sha512_update, padlock_sha512_digest, SHA512);

const gnutls_crypto_digest_st _gnutls_sha_padlock_oneshot = {
  .init = NULL,
  .hash = NULL,
  .output = NULL,
  .deinit = NULL,
  .fast = wrap_padlock_hash_fast
};

const gnutls_crypto_digest_st _gnutls_sha_padlock = {
  .init = wrap_padlock_hash_init,
  .hash = wrap_padlock_hash_update,
  .output = wrap_padlock_hash_output,
  .copy = wrap_padlock_hash_copy,
  .deinit = wrap_padlock_hash_deinit,
  .fast = wrap_padlock_hash_fast,
};

#endif /* HAVE_LIBNETTLE */

Coverage Report

Created: 2026-03-31 07:20

Line	Count	Source
1		/*
2		* Copyright (C) 2011-2012 Free Software Foundation, Inc.
3		* Portions Copyright (C) 2001 Niels Moeller
4		*
5		* Author: Nikos Mavrogiannopoulos
6		*
7		* This file is part of GNUTLS.
8		*
9		* The GNUTLS library is free software; you can redistribute it and/or
10		* modify it under the terms of the GNU Lesser General Public License
11		* as published by the Free Software Foundation; either version 2.1 of
12		* the License, or (at your option) any later version.
13		*
14		* This library is distributed in the hope that it will be useful, but
15		* WITHOUT ANY WARRANTY; without even the implied warranty of
16		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17		* Lesser General Public License for more details.
18		*
19		* You should have received a copy of the GNU Lesser General Public License
20		* along with this program. If not, see <https://www.gnu.org/licenses/>
21		*
22		*/
23
24		#include "gnutls_int.h"
25		#include "hash_int.h"
26		#include "errors.h"
27		#include <nettle/sha1.h>
28		#include <nettle/sha2.h>
29		#include <nettle/hmac.h>
30		#include <nettle/macros.h>
31		#include <nettle/version.h>
32		#include "aes-padlock.h"
33		#include <assert.h>
34		#include "sha-padlock.h"
35		#include "x86-common.h"
36
37		#ifdef HAVE_LIBNETTLE
38
39		/* Can't use nettle_set_key_func as it doesn't have the second argument */
40		typedef void (set_key_func)(void , size_t, const uint8_t *);
41
42		struct padlock_hash_ctx {
43		union {
44		struct sha1_ctx sha1;
45		struct sha224_ctx sha224;
46		struct sha256_ctx sha256;
47		struct sha384_ctx sha384;
48		struct sha512_ctx sha512;
49		} ctx;
50		void *ctx_ptr;
51		gnutls_digest_algorithm_t algo;
52		size_t length;
53		nettle_hash_update_func *update;
54		nettle_hash_digest_func *digest;
55		nettle_hash_init_func *init;
56		};
57
58		static int wrap_padlock_hash_update(void _ctx, const void text,
59		size_t textsize)
60	0	{
61	0	struct padlock_hash_ctx *ctx = _ctx;
62
63	0	ctx->update(ctx->ctx_ptr, textsize, text);
64
65	0	return GNUTLS_E_SUCCESS;
66	0	}
67
68		static void wrap_padlock_hash_deinit(void *hd)
69	0	{
70	0	gnutls_free(hd);
71	0	}
72
73		#define MD1_INCR(c) (c->count++)
74		#define SHA1_COMPRESS(ctx, data) \
75	0	(padlock_sha1_blocks((void *)(ctx)->state, data, 1))
76		#define SHA256_COMPRESS(ctx, data) \
77	0	(padlock_sha256_blocks((void *)(ctx)->state, data, 1))
78		#define SHA512_COMPRESS(ctx, data) \
79	0	(padlock_sha512_blocks((void *)(ctx)->state, data, 1))
80
81		void padlock_sha1_update(struct sha1_ctx *ctx, size_t length,
82		const uint8_t *data)
83	0	{
84	0	MD_UPDATE(ctx, length, data, SHA1_COMPRESS, MD1_INCR(ctx));
85	0	}
86
87		void padlock_sha256_update(struct sha256_ctx *ctx, size_t length,
88		const uint8_t *data)
89	0	{
90	0	MD_UPDATE(ctx, length, data, SHA256_COMPRESS, MD1_INCR(ctx));
91	0	}
92
93		void padlock_sha512_update(struct sha512_ctx *ctx, size_t length,
94		const uint8_t *data)
95	0	{
96	0	MD_UPDATE(ctx, length, data, SHA512_COMPRESS, MD_INCR(ctx));
97	0	}
98
99		static void _nettle_write_be32(unsigned length, uint8_t dst, uint32_t src)
100	0	{
101	0	unsigned i;
102	0	unsigned words;
103	0	unsigned leftover;
104
105	0	words = length / 4;
106	0	leftover = length % 4;
107
108	0	for (i = 0; i < words; i++, dst += 4)
109	0	WRITE_UINT32(dst, src[i]);
110
111	0	if (leftover) {
112	0	uint32_t word;
113	0	unsigned j = leftover;
114
115	0	word = src[i];
116
117	0	switch (leftover) {
118	0	default:
119	0	abort();
120	0	case 3:
121	0	dst[--j] = (word >> 8) & 0xff;
122	0	FALLTHROUGH;
123	0	case 2:
124	0	dst[--j] = (word >> 16) & 0xff;
125	0	FALLTHROUGH;
126	0	case 1:
127	0	dst[--j] = (word >> 24) & 0xff;
128	0	}
129	0	}
130	0	}
131
132		static void _padlock_sha1_digest(struct sha1_ctx *ctx, size_t length,
133		uint8_t *digest)
134	0	{
135	0	uint64_t bit_count;
136
137	0	assert(length <= SHA1_DIGEST_SIZE);
138
139	0	MD_PAD(ctx, 8, SHA1_COMPRESS);
140
141		/* There are 512 = 2^9 bits in one block */
142	0	bit_count = (ctx->count << 9) \| (ctx->index << 3);
143
144		/* append the 64 bit count */
145	0	WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count);
146	0	SHA1_COMPRESS(ctx, ctx->block);
147
148	0	_nettle_write_be32(length, digest, ctx->state);
149	0	}
150
151		static void _padlock_sha256_digest(struct sha256_ctx *ctx, size_t length,
152		uint8_t *digest)
153	0	{
154	0	uint64_t bit_count;
155
156	0	assert(length <= SHA256_DIGEST_SIZE);
157
158	0	MD_PAD(ctx, 8, SHA256_COMPRESS);
159
160		/* There are 512 = 2^9 bits in one block */
161	0	bit_count = (ctx->count << 9) \| (ctx->index << 3);
162
163		/* This is slightly inefficient, as the numbers are converted to
164		big-endian format, and will be converted back by the compression
165		function. It's probably not worth the effort to fix this. */
166	0	WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count);
167	0	SHA256_COMPRESS(ctx, ctx->block);
168
169	0	_nettle_write_be32(length, digest, ctx->state);
170	0	}
171
172		static void _padlock_sha512_digest(struct sha512_ctx *ctx, size_t length,
173		uint8_t *digest)
174	0	{
175	0	uint64_t high, low;
176
177	0	unsigned i;
178	0	unsigned words;
179	0	unsigned leftover;
180
181	0	assert(length <= SHA512_DIGEST_SIZE);
182
183	0	MD_PAD(ctx, 16, SHA512_COMPRESS);
184
185		/* There are 1024 = 2^10 bits in one block */
186	0	high = (ctx->count_high << 10) \| (ctx->count_low >> 54);
187	0	low = (ctx->count_low << 10) \| (ctx->index << 3);
188
189		/* This is slightly inefficient, as the numbers are converted to
190		big-endian format, and will be converted back by the compression
191		function. It's probably not worth the effort to fix this. */
192	0	WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high);
193	0	WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low);
194	0	SHA512_COMPRESS(ctx, ctx->block);
195
196	0	words = length / 8;
197	0	leftover = length % 8;
198
199	0	for (i = 0; i < words; i++, digest += 8)
200	0	WRITE_UINT64(digest, ctx->state[i]);
201
202	0	if (leftover) {
203		/* Truncate to the right size */
204	0	uint64_t word = ctx->state[i] >> (8 * (8 - leftover));
205
206	0	do {
207	0	digest[--leftover] = word & 0xff;
208	0	word >>= 8;
209	0	} while (leftover);
210	0	}
211	0	}
212
213		#if NETTLE_VERSION_MAJOR >= 4
214		static void padlock_sha1_digest(struct sha1_ctx ctx, uint8_t digest)
215		{
216		_padlock_sha1_digest(ctx, SHA1_DIGEST_SIZE, digest);
217		}
218		static void padlock_sha256_digest(struct sha256_ctx ctx, uint8_t digest)
219		{
220		_padlock_sha256_digest(ctx, SHA256_DIGEST_SIZE, digest);
221		}
222		static void padlock_sha512_digest(struct sha512_ctx ctx, uint8_t digest)
223		{
224		_padlock_sha512_digest(ctx, SHA512_DIGEST_SIZE, digest);
225		}
226		#else
227	0	#define padlock_sha1_digest _padlock_sha1_digest
228	0	#define padlock_sha256_digest _padlock_sha256_digest
229	0	#define padlock_sha512_digest _padlock_sha512_digest
230		#endif
231
232		static int _ctx_init(gnutls_digest_algorithm_t algo,
233		struct padlock_hash_ctx *ctx)
234	0	{
235	0	switch (algo) {
236	0	case GNUTLS_DIG_SHA1:
237	0	sha1_init(&ctx->ctx.sha1);
238	0	ctx->update = (nettle_hash_update_func *)padlock_sha1_update;
239	0	ctx->digest = (nettle_hash_digest_func *)padlock_sha1_digest;
240	0	ctx->init = (nettle_hash_init_func *)sha1_init;
241	0	ctx->ctx_ptr = &ctx->ctx.sha1;
242	0	ctx->length = SHA1_DIGEST_SIZE;
243	0	break;
244	0	case GNUTLS_DIG_SHA224:
245	0	sha224_init(&ctx->ctx.sha224);
246	0	ctx->update = (nettle_hash_update_func *)padlock_sha256_update;
247	0	ctx->digest = (nettle_hash_digest_func *)padlock_sha256_digest;
248	0	ctx->init = (nettle_hash_init_func *)sha224_init;
249	0	ctx->ctx_ptr = &ctx->ctx.sha224;
250	0	ctx->length = SHA224_DIGEST_SIZE;
251	0	break;
252	0	case GNUTLS_DIG_SHA256:
253	0	sha256_init(&ctx->ctx.sha256);
254	0	ctx->update = (nettle_hash_update_func *)padlock_sha256_update;
255	0	ctx->digest = (nettle_hash_digest_func *)padlock_sha256_digest;
256	0	ctx->init = (nettle_hash_init_func *)sha256_init;
257	0	ctx->ctx_ptr = &ctx->ctx.sha256;
258	0	ctx->length = SHA256_DIGEST_SIZE;
259	0	break;
260	0	case GNUTLS_DIG_SHA384:
261	0	sha384_init(&ctx->ctx.sha384);
262	0	ctx->update = (nettle_hash_update_func *)padlock_sha512_update;
263	0	ctx->digest = (nettle_hash_digest_func *)padlock_sha512_digest;
264	0	ctx->init = (nettle_hash_init_func *)sha384_init;
265	0	ctx->ctx_ptr = &ctx->ctx.sha384;
266	0	ctx->length = SHA384_DIGEST_SIZE;
267	0	break;
268	0	case GNUTLS_DIG_SHA512:
269	0	sha512_init(&ctx->ctx.sha512);
270	0	ctx->update = (nettle_hash_update_func *)padlock_sha512_update;
271	0	ctx->digest = (nettle_hash_digest_func *)padlock_sha512_digest;
272	0	ctx->init = (nettle_hash_init_func *)sha512_init;
273	0	ctx->ctx_ptr = &ctx->ctx.sha512;
274	0	ctx->length = SHA512_DIGEST_SIZE;
275	0	break;
276	0	default:
277	0	gnutls_assert();
278	0	return GNUTLS_E_INVALID_REQUEST;
279	0	}
280
281	0	return 0;
282	0	}
283
284		static int wrap_padlock_hash_init(gnutls_digest_algorithm_t algo, void **_ctx)
285	0	{
286	0	struct padlock_hash_ctx *ctx;
287	0	int ret;
288
289	0	ctx = gnutls_malloc(sizeof(struct padlock_hash_ctx));
290	0	if (ctx == NULL) {
291	0	gnutls_assert();
292	0	return GNUTLS_E_MEMORY_ERROR;
293	0	}
294
295	0	ctx->algo = algo;
296
297	0	if ((ret = _ctx_init(algo, ctx)) < 0) {
298	0	gnutls_free(ctx);
299	0	gnutls_assert();
300	0	return ret;
301	0	}
302
303	0	*_ctx = ctx;
304
305	0	return 0;
306	0	}
307
308		static void wrap_padlock_hash_copy(const void _ctx)
309	0	{
310	0	struct padlock_hash_ctx *new_ctx;
311	0	const struct padlock_hash_ctx *ctx = _ctx;
312	0	ptrdiff_t off = (uint8_t )ctx->ctx_ptr - (uint8_t )(&ctx->ctx);
313
314	0	new_ctx = gnutls_malloc(sizeof(struct padlock_hash_ctx));
315	0	if (new_ctx == NULL) {
316	0	gnutls_assert();
317	0	return NULL;
318	0	}
319
320	0	memcpy(new_ctx, ctx, sizeof(*new_ctx));
321	0	new_ctx->ctx_ptr = (uint8_t *)&new_ctx->ctx + off;
322
323	0	return new_ctx;
324	0	}
325
326		static int wrap_padlock_hash_output(void src_ctx, void digest,
327		size_t digestsize)
328	0	{
329	0	struct padlock_hash_ctx *ctx;
330	0	ctx = src_ctx;
331
332	0	if (digest == NULL) {
333	0	ctx->init(ctx->ctx_ptr);
334	0	return 0;
335	0	}
336
337	0	if (digestsize < ctx->length)
338	0	return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
339
340		#if NETTLE_VERSION_MAJOR >= 4
341		if (digestsize != ctx->length) {
342		gnutls_assert();
343		return GNUTLS_E_INVALID_REQUEST;
344		}
345		ctx->digest(ctx->ctx_ptr, digest);
346		#else
347	0	ctx->digest(ctx->ctx_ptr, digestsize, digest);
348	0	#endif
349
350	0	ctx->init(ctx->ctx_ptr);
351
352	0	return 0;
353	0	}
354
355		int wrap_padlock_hash_fast(gnutls_digest_algorithm_t algo, const void *text,
356		size_t text_size, void *digest)
357	0	{
358	0	if (text_size == 0 && text == NULL)
359	0	text = digest;
360	0	if (algo == GNUTLS_DIG_SHA1) {
361	0	uint32_t iv[5] = {
362	0	0x67452301UL, 0xEFCDAB89UL, 0x98BADCFEUL,
363	0	0x10325476UL, 0xC3D2E1F0UL,
364	0	};
365	0	padlock_sha1_oneshot(iv, text, text_size);
366	0	_nettle_write_be32(20, digest, iv);
367	0	} else if (algo == GNUTLS_DIG_SHA256) {
368	0	uint32_t iv[8] = {
369	0	0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
370	0	0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
371	0	};
372	0	padlock_sha256_oneshot(iv, text, text_size);
373	0	_nettle_write_be32(32, digest, iv);
374	0	} else {
375	0	struct padlock_hash_ctx ctx;
376	0	int ret;
377
378	0	ret = _ctx_init(algo, &ctx);
379	0	if (ret < 0)
380	0	return gnutls_assert_val(ret);
381	0	ctx.algo = algo;
382
383	0	wrap_padlock_hash_update(&ctx, text, text_size);
384
385	0	wrap_padlock_hash_output(&ctx, digest, ctx.length);
386	0	}
387
388	0	return 0;
389	0	}
390
391		const struct nettle_hash padlock_sha1 =
392		NN_HASH(sha1, padlock_sha1_update, padlock_sha1_digest, SHA1);
393		const struct nettle_hash padlock_sha224 =
394		NN_HASH(sha224, padlock_sha256_update, padlock_sha256_digest, SHA224);
395		const struct nettle_hash padlock_sha256 =
396		NN_HASH(sha256, padlock_sha256_update, padlock_sha256_digest, SHA256);
397		const struct nettle_hash padlock_sha384 =
398		NN_HASH(sha384, padlock_sha512_update, padlock_sha512_digest, SHA384);
399		const struct nettle_hash padlock_sha512 =
400		NN_HASH(sha512, padlock_sha512_update, padlock_sha512_digest, SHA512);
401
402		const gnutls_crypto_digest_st _gnutls_sha_padlock_oneshot = {
403		.init = NULL,
404		.hash = NULL,
405		.output = NULL,
406		.deinit = NULL,
407		.fast = wrap_padlock_hash_fast
408		};
409
410		const gnutls_crypto_digest_st _gnutls_sha_padlock = {
411		.init = wrap_padlock_hash_init,
412		.hash = wrap_padlock_hash_update,
413		.output = wrap_padlock_hash_output,
414		.copy = wrap_padlock_hash_copy,
415		.deinit = wrap_padlock_hash_deinit,
416		.fast = wrap_padlock_hash_fast,
417		};
418
419		#endif /* HAVE_LIBNETTLE */