1 // SPDX-License-Identifier: (BSD-2-Clause AND BSD-3-Clause)
2 /*
3 * Copyright (c) 2014, STMicroelectronics International N.V.
4 * All rights reserved.
5 */
6
7 /*
8 * FIPS 180-2 SHA-224/256/384/512 implementation
9 * Last update: 02/02/2007
10 * Issue date: 04/30/2005
11 *
12 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
13 * All rights reserved.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the project nor the names of its contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 */
39 #include <stddef.h>
40 #include <stdint.h>
41 #include <tee_api.h>
42
43 #include "sha2_impl.h"
44
45 #define SHFR(x, n) (x >> n)
46 #define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
47 #define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
48 #define CH(x, y, z) ((x & y) ^ (~x & z))
49 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
50
51 #define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
52 #define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
53 #define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
54 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
55
56 #define UNPACK32(x, str) \
57 { \
58 *((str) + 3) = (uint8_t) ((x)); \
59 *((str) + 2) = (uint8_t) ((x) >> 8); \
60 *((str) + 1) = (uint8_t) ((x) >> 16); \
61 *((str) + 0) = (uint8_t) ((x) >> 24); \
62 }
63
64 #define PACK32(str, x) \
65 { \
66 *(x) = ((uint32_t) *((str) + 3)) \
67 | ((uint32_t) *((str) + 2) << 8) \
68 | ((uint32_t) *((str) + 1) << 16) \
69 | ((uint32_t) *((str) + 0) << 24); \
70 }
71
72 /* Macros used for loops unrolling */
73 #define SHA256_SCR(i) \
74 { \
75 w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
76 + SHA256_F3(w[i - 15]) + w[i - 16]; \
77 }
78
79 #define SHA256_EXP(a, b, c, d, e, f, g, h, j) \
80 { \
81 t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
82 + sha256_k[j] + w[j]; \
83 t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
84 wv[d] += t1; \
85 wv[h] = t1 + t2; \
86 }
87
88 uint32_t sha224_h0[8] = {
89 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
90 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4
91 };
92
93 uint32_t sha256_h0[8] = {
94 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
95 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
96 };
97
98 uint32_t sha256_k[64] = {
99 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
100 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
101 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
102 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
103 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
104 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
105 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
106 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
107 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
108 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
109 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
110 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
111 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
112 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
113 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
114 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
115 };
116
117 /* SHA-256 functions */
sha256_transf(struct sha256_ctx * ctx,const unsigned char * message,unsigned int block_nb)118 void sha256_transf(struct sha256_ctx *ctx, const unsigned char *message,
119 unsigned int block_nb)
120 {
121 uint32_t w[64] = { };
122 uint32_t wv[8] = { };
123 uint32_t t1 = 0;
124 uint32_t t2 = 0;
125 const unsigned char *sub_block = NULL;
126 int i = 0;
127 #ifndef UNROLL_LOOPS
128 int j = 0;
129 #endif
130
131 for (i = 0; i < (int)block_nb; i++) {
132 sub_block = message + (i << 6);
133
134 #ifndef UNROLL_LOOPS
135 for (j = 0; j < 16; j++)
136 PACK32(&sub_block[j << 2], &w[j]);
137
138 for (j = 16; j < 64; j++)
139 SHA256_SCR(j);
140
141 for (j = 0; j < 8; j++)
142 wv[j] = ctx->h[j];
143
144 for (j = 0; j < 64; j++) {
145 t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
146 + sha256_k[j] + w[j];
147 t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
148 wv[7] = wv[6];
149 wv[6] = wv[5];
150 wv[5] = wv[4];
151 wv[4] = wv[3] + t1;
152 wv[3] = wv[2];
153 wv[2] = wv[1];
154 wv[1] = wv[0];
155 wv[0] = t1 + t2;
156 }
157
158 for (j = 0; j < 8; j++)
159 ctx->h[j] += wv[j];
160 #else
161 PACK32(&sub_block[0], &w[0]);
162 PACK32(&sub_block[4], &w[1]);
163 PACK32(&sub_block[8], &w[2]);
164 PACK32(&sub_block[12], &w[3]);
165 PACK32(&sub_block[16], &w[4]);
166 PACK32(&sub_block[20], &w[5]);
167 PACK32(&sub_block[24], &w[6]);
168 PACK32(&sub_block[28], &w[7]);
169 PACK32(&sub_block[32], &w[8]);
170 PACK32(&sub_block[36], &w[9]);
171 PACK32(&sub_block[40], &w[10]);
172 PACK32(&sub_block[44], &w[11]);
173 PACK32(&sub_block[48], &w[12]);
174 PACK32(&sub_block[52], &w[13]);
175 PACK32(&sub_block[56], &w[14]);
176 PACK32(&sub_block[60], &w[15]);
177
178 SHA256_SCR(16);
179 SHA256_SCR(17);
180 SHA256_SCR(18);
181 SHA256_SCR(19);
182 SHA256_SCR(20);
183 SHA256_SCR(21);
184 SHA256_SCR(22);
185 SHA256_SCR(23);
186 SHA256_SCR(24);
187 SHA256_SCR(25);
188 SHA256_SCR(26);
189 SHA256_SCR(27);
190 SHA256_SCR(28);
191 SHA256_SCR(29);
192 SHA256_SCR(30);
193 SHA256_SCR(31);
194 SHA256_SCR(32);
195 SHA256_SCR(33);
196 SHA256_SCR(34);
197 SHA256_SCR(35);
198 SHA256_SCR(36);
199 SHA256_SCR(37);
200 SHA256_SCR(38);
201 SHA256_SCR(39);
202 SHA256_SCR(40);
203 SHA256_SCR(41);
204 SHA256_SCR(42);
205 SHA256_SCR(43);
206 SHA256_SCR(44);
207 SHA256_SCR(45);
208 SHA256_SCR(46);
209 SHA256_SCR(47);
210 SHA256_SCR(48);
211 SHA256_SCR(49);
212 SHA256_SCR(50);
213 SHA256_SCR(51);
214 SHA256_SCR(52);
215 SHA256_SCR(53);
216 SHA256_SCR(54);
217 SHA256_SCR(55);
218 SHA256_SCR(56);
219 SHA256_SCR(57);
220 SHA256_SCR(58);
221 SHA256_SCR(59);
222 SHA256_SCR(60);
223 SHA256_SCR(61);
224 SHA256_SCR(62);
225 SHA256_SCR(63);
226
227 wv[0] = ctx->h[0];
228 wv[1] = ctx->h[1];
229 wv[2] = ctx->h[2];
230 wv[3] = ctx->h[3];
231 wv[4] = ctx->h[4];
232 wv[5] = ctx->h[5];
233 wv[6] = ctx->h[6];
234 wv[7] = ctx->h[7];
235
236 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 0);
237 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 1);
238 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 2);
239 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 3);
240 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 4);
241 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 5);
242 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 6);
243 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 7);
244 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 8);
245 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 9);
246 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 10);
247 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 11);
248 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 12);
249 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 13);
250 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 14);
251 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 15);
252 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 16);
253 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 17);
254 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 18);
255 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 19);
256 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 20);
257 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 21);
258 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 22);
259 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 23);
260 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 24);
261 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 25);
262 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 26);
263 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 27);
264 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 28);
265 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 29);
266 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 30);
267 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 31);
268 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 32);
269 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 33);
270 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 34);
271 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 35);
272 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 36);
273 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 37);
274 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 38);
275 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 39);
276 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 40);
277 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 41);
278 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 42);
279 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 43);
280 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 44);
281 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 45);
282 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 46);
283 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 47);
284 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 48);
285 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 49);
286 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 50);
287 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 51);
288 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 52);
289 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 53);
290 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 54);
291 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 55);
292 SHA256_EXP(0, 1, 2, 3, 4, 5, 6, 7, 56);
293 SHA256_EXP(7, 0, 1, 2, 3, 4, 5, 6, 57);
294 SHA256_EXP(6, 7, 0, 1, 2, 3, 4, 5, 58);
295 SHA256_EXP(5, 6, 7, 0, 1, 2, 3, 4, 59);
296 SHA256_EXP(4, 5, 6, 7, 0, 1, 2, 3, 60);
297 SHA256_EXP(3, 4, 5, 6, 7, 0, 1, 2, 61);
298 SHA256_EXP(2, 3, 4, 5, 6, 7, 0, 1, 62);
299 SHA256_EXP(1, 2, 3, 4, 5, 6, 7, 0, 63);
300
301 ctx->h[0] += wv[0];
302 ctx->h[1] += wv[1];
303 ctx->h[2] += wv[2];
304 ctx->h[3] += wv[3];
305 ctx->h[4] += wv[4];
306 ctx->h[5] += wv[5];
307 ctx->h[6] += wv[6];
308 ctx->h[7] += wv[7];
309 #endif
310 }
311 }
312
sha256(const unsigned char * message,unsigned int len,unsigned char * digest)313 void sha256(const unsigned char *message,
314 unsigned int len, unsigned char *digest)
315 {
316 struct sha256_ctx ctx = { };
317
318 sha256_init(&ctx);
319 sha256_update(&ctx, message, len);
320 sha256_final(&ctx, digest);
321 }
322
sha256_init(struct sha256_ctx * ctx)323 void sha256_init(struct sha256_ctx *ctx)
324 {
325 #ifndef UNROLL_LOOPS
326 int i = 0;
327
328 for (i = 0; i < 8; i++)
329 ctx->h[i] = sha256_h0[i];
330 #else
331 ctx->h[0] = sha256_h0[0];
332 ctx->h[1] = sha256_h0[1];
333 ctx->h[2] = sha256_h0[2];
334 ctx->h[3] = sha256_h0[3];
335 ctx->h[4] = sha256_h0[4];
336 ctx->h[5] = sha256_h0[5];
337 ctx->h[6] = sha256_h0[6];
338 ctx->h[7] = sha256_h0[7];
339 #endif
340
341 ctx->len = 0;
342 ctx->tot_len = 0;
343 }
344
sha256_update(struct sha256_ctx * ctx,const unsigned char * message,unsigned int len)345 void sha256_update(struct sha256_ctx *ctx, const unsigned char *message,
346 unsigned int len)
347 {
348 unsigned int block_nb = 0;
349 unsigned int new_len = 0;
350 unsigned int rem_len = 0;
351 unsigned int tmp_len = 0;
352 const unsigned char *shifted_message = NULL;
353 unsigned long int i = 0;
354
355 tmp_len = SHA256_BLOCK_SIZE - ctx->len;
356 rem_len = len < tmp_len ? len : tmp_len;
357
358 for (i = 0; i < rem_len; i++)
359 ctx->block[ctx->len + i] = message[i];
360
361 if (ctx->len + len < SHA256_BLOCK_SIZE) {
362 ctx->len += len;
363 return;
364 }
365
366 new_len = len - rem_len;
367 block_nb = new_len / SHA256_BLOCK_SIZE;
368
369 shifted_message = message + rem_len;
370
371 sha256_transf(ctx, ctx->block, 1);
372 sha256_transf(ctx, shifted_message, block_nb);
373
374 rem_len = new_len % SHA256_BLOCK_SIZE;
375
376 for (i = 0; i < rem_len; i++)
377 ctx->block[i] = shifted_message[(block_nb << 6) + i];
378
379 ctx->len = rem_len;
380 ctx->tot_len += (block_nb + 1) << 6;
381 }
382
sha256_final(struct sha256_ctx * ctx,unsigned char * digest)383 void sha256_final(struct sha256_ctx *ctx, unsigned char *digest)
384 {
385 unsigned int block_nb = 0;
386 unsigned int pm_len = 0;
387 unsigned int len_b = 0;
388 unsigned long int i_m = 0;
389 #ifndef UNROLL_LOOPS
390 int i = 0;
391 #endif
392
393 block_nb = 1;
394 if ((SHA256_BLOCK_SIZE - 9) < (ctx->len % SHA256_BLOCK_SIZE))
395 block_nb++;
396
397 len_b = (ctx->tot_len + ctx->len) << 3;
398 pm_len = block_nb << 6;
399
400 for (i_m = 0; i_m < pm_len - ctx->len; i_m++)
401 ctx->block[ctx->len + i_m] = 0;
402
403 ctx->block[ctx->len] = 0x80;
404 UNPACK32(len_b, ctx->block + pm_len - 4);
405
406 sha256_transf(ctx, ctx->block, block_nb);
407
408 #ifndef UNROLL_LOOPS
409 for (i = 0; i < 8; i++)
410 UNPACK32(ctx->h[i], &digest[i << 2]);
411 #else
412 UNPACK32(ctx->h[0], &digest[0]);
413 UNPACK32(ctx->h[1], &digest[4]);
414 UNPACK32(ctx->h[2], &digest[8]);
415 UNPACK32(ctx->h[3], &digest[12]);
416 UNPACK32(ctx->h[4], &digest[16]);
417 UNPACK32(ctx->h[5], &digest[20]);
418 UNPACK32(ctx->h[6], &digest[24]);
419 UNPACK32(ctx->h[7], &digest[28]);
420 #endif
421 }
422
423 /* SHA-224 functions */
sha224(const unsigned char * message,unsigned int len,unsigned char * digest)424 void sha224(const unsigned char *message, unsigned int len,
425 unsigned char *digest)
426 {
427 struct sha224_ctx ctx = { };
428
429 sha224_init(&ctx);
430 sha224_update(&ctx, message, len);
431 sha224_final(&ctx, digest);
432 }
433
sha224_init(struct sha224_ctx * ctx)434 void sha224_init(struct sha224_ctx *ctx)
435 {
436 #ifndef UNROLL_LOOPS
437 int i = 0;
438
439 for (i = 0; i < 8; i++)
440 ctx->h[i] = sha224_h0[i];
441 #else
442 ctx->h[0] = sha224_h0[0];
443 ctx->h[1] = sha224_h0[1];
444 ctx->h[2] = sha224_h0[2];
445 ctx->h[3] = sha224_h0[3];
446 ctx->h[4] = sha224_h0[4];
447 ctx->h[5] = sha224_h0[5];
448 ctx->h[6] = sha224_h0[6];
449 ctx->h[7] = sha224_h0[7];
450 #endif
451
452 ctx->len = 0;
453 ctx->tot_len = 0;
454 }
455
sha224_update(struct sha224_ctx * ctx,const unsigned char * message,unsigned int len)456 void sha224_update(struct sha224_ctx *ctx, const unsigned char *message,
457 unsigned int len)
458 {
459 unsigned int block_nb = 0;
460 unsigned int new_len = 0;
461 unsigned int rem_len = 0;
462 unsigned int tmp_len = 0;
463 const unsigned char *shifted_message = NULL;
464 unsigned long int i = 0;
465
466 tmp_len = SHA224_BLOCK_SIZE - ctx->len;
467 rem_len = len < tmp_len ? len : tmp_len;
468
469 for (i = 0; i < rem_len; i++)
470 ctx->block[ctx->len + i] = message[i];
471
472 if (ctx->len + len < SHA224_BLOCK_SIZE) {
473 ctx->len += len;
474 return;
475 }
476
477 new_len = len - rem_len;
478 block_nb = new_len / SHA224_BLOCK_SIZE;
479
480 shifted_message = message + rem_len;
481
482 sha256_transf((struct sha256_ctx *)ctx, ctx->block, 1);
483 sha256_transf((struct sha256_ctx *)ctx, shifted_message, block_nb);
484
485 rem_len = new_len % SHA224_BLOCK_SIZE;
486
487 for (i = 0; i < rem_len; i++)
488 ctx->block[i] = shifted_message[(block_nb << 6) + i];
489
490 ctx->len = rem_len;
491 ctx->tot_len += (block_nb + 1) << 6;
492 }
493
sha224_final(struct sha224_ctx * ctx,unsigned char * digest)494 void sha224_final(struct sha224_ctx *ctx, unsigned char *digest)
495 {
496 unsigned int block_nb = 0;
497 unsigned int pm_len = 0;
498 unsigned int len_b = 0;
499 unsigned long int i_m = 0;
500 #ifndef UNROLL_LOOPS
501 int i = 0;
502 #endif
503
504 block_nb = 1;
505 if ((SHA224_BLOCK_SIZE - 9) < (ctx->len % SHA224_BLOCK_SIZE))
506 block_nb++;
507
508 len_b = (ctx->tot_len + ctx->len) << 3;
509 pm_len = block_nb << 6;
510
511 for (i_m = 0; i_m < pm_len - ctx->len; i_m++)
512 ctx->block[ctx->len + i_m] = 0;
513
514 ctx->block[ctx->len] = 0x80;
515 UNPACK32(len_b, ctx->block + pm_len - 4);
516
517 sha256_transf((struct sha256_ctx *)ctx, ctx->block, block_nb);
518
519 #ifndef UNROLL_LOOPS
520 for (i = 0; i < 7; i++)
521 UNPACK32(ctx->h[i], &digest[i << 2]);
522 #else
523 UNPACK32(ctx->h[0], &digest[0]);
524 UNPACK32(ctx->h[1], &digest[4]);
525 UNPACK32(ctx->h[2], &digest[8]);
526 UNPACK32(ctx->h[3], &digest[12]);
527 UNPACK32(ctx->h[4], &digest[16]);
528 UNPACK32(ctx->h[5], &digest[20]);
529 UNPACK32(ctx->h[6], &digest[24]);
530 #endif
531 }
532