Pull HASH_MAKE_STRING out of md32_common.h.

This is in preparation for taking md_len out of SHA256_CTX by allowing us to do
something similar to SHA512_CTX. md32_common.h now emits a static "finish"
function which Final composes with the extraction step.

Change-Id: I314fb31e2482af642fd280500cc0e4716aef1ac6
Reviewed-on: https://boringssl-review.googlesource.com/7721
Reviewed-by: Adam Langley <agl@google.com>

2 files changed, 54 insertions, 55 deletions

diff --git a/crypto/sha/sha1.c b/crypto/sha/sha1.c
index 74e841ca..5967af0c 100644
--- a/crypto/sha/sha1.c
+++ b/crypto/sha/sha1.c
@@ -98,24 +98,10 @@ uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t *out) {
 
 #define HASH_CTX                SHA_CTX
 #define HASH_CBLOCK             64
-#define HASH_MAKE_STRING(c, s) \
-  do {                         \
-    uint32_t ll;               \
-    ll = (c)->h[0];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[1];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[2];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[3];            \
-    HOST_l2c(ll, (s));         \
-    ll = (c)->h[4];            \
-    HOST_l2c(ll, (s));         \
-  } while (0)
 
 #define HASH_UPDATE SHA1_Update
 #define HASH_TRANSFORM SHA1_Transform
-#define HASH_FINAL SHA1_Final
+#define HASH_FINISH sha1_finish
 #define HASH_BLOCK_DATA_ORDER sha1_block_data_order
 #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
 #define Xupdate(a, ix, ia, ib, ic, id) \
@@ -128,6 +114,24 @@ void sha1_block_data_order(uint32_t *state, const uint8_t *data, size_t num);
 
 #include "../digest/md32_common.h"
 
+int SHA1_Final(uint8_t *md, SHA_CTX *sha) {
+  sha1_finish(sha);
+
+  uint32_t ll;
+  ll = sha->h[0];
+  HOST_l2c(ll, md);
+  ll = sha->h[1];
+  HOST_l2c(ll, md);
+  ll = sha->h[2];
+  HOST_l2c(ll, md);
+  ll = sha->h[3];
+  HOST_l2c(ll, md);
+  ll = sha->h[4];
+  HOST_l2c(ll, md);
+
+  return 1;
+}
+
 #define K_00_19 0x5a827999UL
 #define K_20_39 0x6ed9eba1UL
 #define K_40_59 0x8f1bbcdcUL
diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c
index 0ddacbad..d165cffe 100644
--- a/crypto/sha/sha256.c
+++ b/crypto/sha/sha256.c
@@ -138,48 +138,9 @@ int SHA224_Final(uint8_t *md, SHA256_CTX *ctx) {
 #define HASH_CTX SHA256_CTX
 #define HASH_CBLOCK 64
 
-/* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
- * default: case below covers for it. It's not clear however if it's permitted
- * to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
- * then default: case shall be extended. For reference. Idea behind separate
- * cases for pre-defined lenghts is to let the compiler decide if it's
- * appropriate to unroll small loops.
- *
- * TODO(davidben): The small |md_len| case is one of the few places a low-level
- * hash 'final' function can fail. This should never happen. */
-#define HASH_MAKE_STRING(c, s)                              \
-  do {                                                      \
-    uint32_t ll;                                            \
-    unsigned int nn;                                        \
-    switch ((c)->md_len) {                                  \
-      case SHA224_DIGEST_LENGTH:                            \
-        for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
-          ll = (c)->h[nn];                                  \
-          HOST_l2c(ll, (s));                                \
-        }                                                   \
-        break;                                              \
-      case SHA256_DIGEST_LENGTH:                            \
-        for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
-          ll = (c)->h[nn];                                  \
-          HOST_l2c(ll, (s));                                \
-        }                                                   \
-        break;                                              \
-      default:                                              \
-        if ((c)->md_len > SHA256_DIGEST_LENGTH) {           \
-          return 0;                                         \
-        }                                                   \
-        for (nn = 0; nn < (c)->md_len / 4; nn++) {          \
-          ll = (c)->h[nn];                                  \
-          HOST_l2c(ll, (s));                                \
-        }                                                   \
-        break;                                              \
-    }                                                       \
-  } while (0)
-
-
 #define HASH_UPDATE SHA256_Update
 #define HASH_TRANSFORM SHA256_Transform
-#define HASH_FINAL SHA256_Final
+#define HASH_FINISH sha256_finish
 #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
 #ifndef SHA256_ASM
 static
@@ -188,6 +149,40 @@ void sha256_block_data_order(uint32_t *state, const uint8_t *in, size_t num);
 
 #include "../digest/md32_common.h"
 
+int SHA256_Final(uint8_t *md, SHA256_CTX *sha) {
+  sha256_finish(sha);
+
+  /* TODO(davidben): Replace this with different versions of SHA256_Final
+   * and SHA224_Final. */
+  uint32_t ll;
+  unsigned int nn;
+  switch (sha->md_len) {
+    case SHA224_DIGEST_LENGTH:
+      for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {
+        ll = sha->h[nn];
+        HOST_l2c(ll, md);
+      }
+      break;
+    case SHA256_DIGEST_LENGTH:
+      for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {
+        ll = sha->h[nn];
+        HOST_l2c(ll, md);
+      }
+      break;
+    default:
+      if (sha->md_len > SHA256_DIGEST_LENGTH) {
+        return 0;
+      }
+      for (nn = 0; nn < sha->md_len / 4; nn++) {
+        ll = sha->h[nn];
+        HOST_l2c(ll, md);
+      }
+      break;
+  }
+
+  return 1;
+}
+
 #ifndef SHA256_ASM
 static const uint32_t K256[64] = {
     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,