sha.go

     1  // Copyright 2017 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan
     6  
     7  package boring
     8  
     9  /*
    10  #include "goboringcrypto.h"
    11  
    12  int
    13  _goboringcrypto_gosha1(void *p, size_t n, void *out)
    14  {
    15  	GO_SHA_CTX ctx;
    16  	_goboringcrypto_SHA1_Init(&ctx);
    17  	return _goboringcrypto_SHA1_Update(&ctx, p, n) &&
    18  		_goboringcrypto_SHA1_Final(out, &ctx);
    19  }
    20  
    21  int
    22  _goboringcrypto_gosha224(void *p, size_t n, void *out)
    23  {
    24  	GO_SHA256_CTX ctx;
    25  	_goboringcrypto_SHA224_Init(&ctx);
    26  	return _goboringcrypto_SHA224_Update(&ctx, p, n) &&
    27  		_goboringcrypto_SHA224_Final(out, &ctx);
    28  }
    29  
    30  int
    31  _goboringcrypto_gosha256(void *p, size_t n, void *out)
    32  {
    33  	GO_SHA256_CTX ctx;
    34  	_goboringcrypto_SHA256_Init(&ctx);
    35  	return _goboringcrypto_SHA256_Update(&ctx, p, n) &&
    36  		_goboringcrypto_SHA256_Final(out, &ctx);
    37  }
    38  
    39  int
    40  _goboringcrypto_gosha384(void *p, size_t n, void *out)
    41  {
    42  	GO_SHA512_CTX ctx;
    43  	_goboringcrypto_SHA384_Init(&ctx);
    44  	return _goboringcrypto_SHA384_Update(&ctx, p, n) &&
    45  		_goboringcrypto_SHA384_Final(out, &ctx);
    46  }
    47  
    48  int
    49  _goboringcrypto_gosha512(void *p, size_t n, void *out)
    50  {
    51  	GO_SHA512_CTX ctx;
    52  	_goboringcrypto_SHA512_Init(&ctx);
    53  	return _goboringcrypto_SHA512_Update(&ctx, p, n) &&
    54  		_goboringcrypto_SHA512_Final(out, &ctx);
    55  }
    56  
    57  */
    58  import "C"
    59  import (
    60  	"errors"
    61  	"hash"
    62  	"unsafe"
    63  )
    64  
    65  // NOTE: The cgo calls in this file are arranged to avoid marking the parameters as escaping.
    66  // To do that, we call noescape (including via addr).
    67  // We must also make sure that the data pointer arguments have the form unsafe.Pointer(&...)
    68  // so that cgo does not annotate them with cgoCheckPointer calls. If it did that, it might look
    69  // beyond the byte slice and find Go pointers in unprocessed parts of a larger allocation.
    70  // To do both of these simultaneously, the idiom is unsafe.Pointer(&*addr(p)),
    71  // where addr returns the base pointer of p, substituting a non-nil pointer for nil,
    72  // and applying a noescape along the way.
    73  // This is all to preserve compatibility with the allocation behavior of the non-boring implementations.
    74  
    75  func SHA1(p []byte) (sum [20]byte) {
    76  	if C._goboringcrypto_gosha1(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 {
    77  		panic("boringcrypto: SHA1 failed")
    78  	}
    79  	return
    80  }
    81  
    82  func SHA224(p []byte) (sum [28]byte) {
    83  	if C._goboringcrypto_gosha224(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 {
    84  		panic("boringcrypto: SHA224 failed")
    85  	}
    86  	return
    87  }
    88  
    89  func SHA256(p []byte) (sum [32]byte) {
    90  	if C._goboringcrypto_gosha256(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 {
    91  		panic("boringcrypto: SHA256 failed")
    92  	}
    93  	return
    94  }
    95  
    96  func SHA384(p []byte) (sum [48]byte) {
    97  	if C._goboringcrypto_gosha384(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 {
    98  		panic("boringcrypto: SHA384 failed")
    99  	}
   100  	return
   101  }
   102  
   103  func SHA512(p []byte) (sum [64]byte) {
   104  	if C._goboringcrypto_gosha512(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 {
   105  		panic("boringcrypto: SHA512 failed")
   106  	}
   107  	return
   108  }
   109  
   110  // NewSHA1 returns a new SHA1 hash.
   111  func NewSHA1() hash.Hash {
   112  	h := new(sha1Hash)
   113  	h.Reset()
   114  	return h
   115  }
   116  
   117  type sha1Hash struct {
   118  	ctx C.GO_SHA_CTX
   119  	out [20]byte
   120  }
   121  
   122  type sha1Ctx struct {
   123  	h      [5]uint32
   124  	nl, nh uint32
   125  	x      [64]byte
   126  	nx     uint32
   127  }
   128  
   129  func (h *sha1Hash) noescapeCtx() *C.GO_SHA_CTX {
   130  	return (*C.GO_SHA_CTX)(noescape(unsafe.Pointer(&h.ctx)))
   131  }
   132  
   133  func (h *sha1Hash) Reset() {
   134  	C._goboringcrypto_SHA1_Init(h.noescapeCtx())
   135  }
   136  
   137  func (h *sha1Hash) Size() int             { return 20 }
   138  func (h *sha1Hash) BlockSize() int        { return 64 }
   139  func (h *sha1Hash) Sum(dst []byte) []byte { return h.sum(dst) }
   140  
   141  func (h *sha1Hash) Write(p []byte) (int, error) {
   142  	if len(p) > 0 && C._goboringcrypto_SHA1_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
   143  		panic("boringcrypto: SHA1_Update failed")
   144  	}
   145  	return len(p), nil
   146  }
   147  
   148  func (h0 *sha1Hash) sum(dst []byte) []byte {
   149  	h := *h0 // make copy so future Write+Sum is valid
   150  	if C._goboringcrypto_SHA1_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
   151  		panic("boringcrypto: SHA1_Final failed")
   152  	}
   153  	return append(dst, h.out[:]...)
   154  }
   155  
   156  const (
   157  	sha1Magic         = "sha\x01"
   158  	sha1MarshaledSize = len(sha1Magic) + 5*4 + 64 + 8
   159  )
   160  
   161  func (h *sha1Hash) MarshalBinary() ([]byte, error) {
   162  	d := (*sha1Ctx)(unsafe.Pointer(&h.ctx))
   163  	b := make([]byte, 0, sha1MarshaledSize)
   164  	b = append(b, sha1Magic...)
   165  	b = appendUint32(b, d.h[0])
   166  	b = appendUint32(b, d.h[1])
   167  	b = appendUint32(b, d.h[2])
   168  	b = appendUint32(b, d.h[3])
   169  	b = appendUint32(b, d.h[4])
   170  	b = append(b, d.x[:d.nx]...)
   171  	b = b[:len(b)+len(d.x)-int(d.nx)] // already zero
   172  	b = appendUint64(b, uint64(d.nl)>>3|uint64(d.nh)<<29)
   173  	return b, nil
   174  }
   175  
   176  func (h *sha1Hash) UnmarshalBinary(b []byte) error {
   177  	if len(b) < len(sha1Magic) || string(b[:len(sha1Magic)]) != sha1Magic {
   178  		return errors.New("crypto/sha1: invalid hash state identifier")
   179  	}
   180  	if len(b) != sha1MarshaledSize {
   181  		return errors.New("crypto/sha1: invalid hash state size")
   182  	}
   183  	d := (*sha1Ctx)(unsafe.Pointer(&h.ctx))
   184  	b = b[len(sha1Magic):]
   185  	b, d.h[0] = consumeUint32(b)
   186  	b, d.h[1] = consumeUint32(b)
   187  	b, d.h[2] = consumeUint32(b)
   188  	b, d.h[3] = consumeUint32(b)
   189  	b, d.h[4] = consumeUint32(b)
   190  	b = b[copy(d.x[:], b):]
   191  	b, n := consumeUint64(b)
   192  	d.nl = uint32(n << 3)
   193  	d.nh = uint32(n >> 29)
   194  	d.nx = uint32(n) % 64
   195  	return nil
   196  }
   197  
   198  // NewSHA224 returns a new SHA224 hash.
   199  func NewSHA224() hash.Hash {
   200  	h := new(sha224Hash)
   201  	h.Reset()
   202  	return h
   203  }
   204  
   205  type sha224Hash struct {
   206  	ctx C.GO_SHA256_CTX
   207  	out [224 / 8]byte
   208  }
   209  
   210  func (h *sha224Hash) noescapeCtx() *C.GO_SHA256_CTX {
   211  	return (*C.GO_SHA256_CTX)(noescape(unsafe.Pointer(&h.ctx)))
   212  }
   213  
   214  func (h *sha224Hash) Reset() {
   215  	C._goboringcrypto_SHA224_Init(h.noescapeCtx())
   216  }
   217  func (h *sha224Hash) Size() int             { return 224 / 8 }
   218  func (h *sha224Hash) BlockSize() int        { return 64 }
   219  func (h *sha224Hash) Sum(dst []byte) []byte { return h.sum(dst) }
   220  
   221  func (h *sha224Hash) Write(p []byte) (int, error) {
   222  	if len(p) > 0 && C._goboringcrypto_SHA224_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
   223  		panic("boringcrypto: SHA224_Update failed")
   224  	}
   225  	return len(p), nil
   226  }
   227  
   228  func (h0 *sha224Hash) sum(dst []byte) []byte {
   229  	h := *h0 // make copy so future Write+Sum is valid
   230  	if C._goboringcrypto_SHA224_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
   231  		panic("boringcrypto: SHA224_Final failed")
   232  	}
   233  	return append(dst, h.out[:]...)
   234  }
   235  
   236  // NewSHA256 returns a new SHA256 hash.
   237  func NewSHA256() hash.Hash {
   238  	h := new(sha256Hash)
   239  	h.Reset()
   240  	return h
   241  }
   242  
   243  type sha256Hash struct {
   244  	ctx C.GO_SHA256_CTX
   245  	out [256 / 8]byte
   246  }
   247  
   248  func (h *sha256Hash) noescapeCtx() *C.GO_SHA256_CTX {
   249  	return (*C.GO_SHA256_CTX)(noescape(unsafe.Pointer(&h.ctx)))
   250  }
   251  
   252  func (h *sha256Hash) Reset() {
   253  	C._goboringcrypto_SHA256_Init(h.noescapeCtx())
   254  }
   255  func (h *sha256Hash) Size() int             { return 256 / 8 }
   256  func (h *sha256Hash) BlockSize() int        { return 64 }
   257  func (h *sha256Hash) Sum(dst []byte) []byte { return h.sum(dst) }
   258  
   259  func (h *sha256Hash) Write(p []byte) (int, error) {
   260  	if len(p) > 0 && C._goboringcrypto_SHA256_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
   261  		panic("boringcrypto: SHA256_Update failed")
   262  	}
   263  	return len(p), nil
   264  }
   265  
   266  func (h0 *sha256Hash) sum(dst []byte) []byte {
   267  	h := *h0 // make copy so future Write+Sum is valid
   268  	if C._goboringcrypto_SHA256_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
   269  		panic("boringcrypto: SHA256_Final failed")
   270  	}
   271  	return append(dst, h.out[:]...)
   272  }
   273  
   274  const (
   275  	magic224         = "sha\x02"
   276  	magic256         = "sha\x03"
   277  	marshaledSize256 = len(magic256) + 8*4 + 64 + 8
   278  )
   279  
   280  type sha256Ctx struct {
   281  	h      [8]uint32
   282  	nl, nh uint32
   283  	x      [64]byte
   284  	nx     uint32
   285  }
   286  
   287  func (h *sha224Hash) MarshalBinary() ([]byte, error) {
   288  	d := (*sha256Ctx)(unsafe.Pointer(&h.ctx))
   289  	b := make([]byte, 0, marshaledSize256)
   290  	b = append(b, magic224...)
   291  	b = appendUint32(b, d.h[0])
   292  	b = appendUint32(b, d.h[1])
   293  	b = appendUint32(b, d.h[2])
   294  	b = appendUint32(b, d.h[3])
   295  	b = appendUint32(b, d.h[4])
   296  	b = appendUint32(b, d.h[5])
   297  	b = appendUint32(b, d.h[6])
   298  	b = appendUint32(b, d.h[7])
   299  	b = append(b, d.x[:d.nx]...)
   300  	b = b[:len(b)+len(d.x)-int(d.nx)] // already zero
   301  	b = appendUint64(b, uint64(d.nl)>>3|uint64(d.nh)<<29)
   302  	return b, nil
   303  }
   304  
   305  func (h *sha256Hash) MarshalBinary() ([]byte, error) {
   306  	d := (*sha256Ctx)(unsafe.Pointer(&h.ctx))
   307  	b := make([]byte, 0, marshaledSize256)
   308  	b = append(b, magic256...)
   309  	b = appendUint32(b, d.h[0])
   310  	b = appendUint32(b, d.h[1])
   311  	b = appendUint32(b, d.h[2])
   312  	b = appendUint32(b, d.h[3])
   313  	b = appendUint32(b, d.h[4])
   314  	b = appendUint32(b, d.h[5])
   315  	b = appendUint32(b, d.h[6])
   316  	b = appendUint32(b, d.h[7])
   317  	b = append(b, d.x[:d.nx]...)
   318  	b = b[:len(b)+len(d.x)-int(d.nx)] // already zero
   319  	b = appendUint64(b, uint64(d.nl)>>3|uint64(d.nh)<<29)
   320  	return b, nil
   321  }
   322  
   323  func (h *sha224Hash) UnmarshalBinary(b []byte) error {
   324  	if len(b) < len(magic224) || string(b[:len(magic224)]) != magic224 {
   325  		return errors.New("crypto/sha256: invalid hash state identifier")
   326  	}
   327  	if len(b) != marshaledSize256 {
   328  		return errors.New("crypto/sha256: invalid hash state size")
   329  	}
   330  	d := (*sha256Ctx)(unsafe.Pointer(&h.ctx))
   331  	b = b[len(magic224):]
   332  	b, d.h[0] = consumeUint32(b)
   333  	b, d.h[1] = consumeUint32(b)
   334  	b, d.h[2] = consumeUint32(b)
   335  	b, d.h[3] = consumeUint32(b)
   336  	b, d.h[4] = consumeUint32(b)
   337  	b, d.h[5] = consumeUint32(b)
   338  	b, d.h[6] = consumeUint32(b)
   339  	b, d.h[7] = consumeUint32(b)
   340  	b = b[copy(d.x[:], b):]
   341  	b, n := consumeUint64(b)
   342  	d.nl = uint32(n << 3)
   343  	d.nh = uint32(n >> 29)
   344  	d.nx = uint32(n) % 64
   345  	return nil
   346  }
   347  
   348  func (h *sha256Hash) UnmarshalBinary(b []byte) error {
   349  	if len(b) < len(magic256) || string(b[:len(magic256)]) != magic256 {
   350  		return errors.New("crypto/sha256: invalid hash state identifier")
   351  	}
   352  	if len(b) != marshaledSize256 {
   353  		return errors.New("crypto/sha256: invalid hash state size")
   354  	}
   355  	d := (*sha256Ctx)(unsafe.Pointer(&h.ctx))
   356  	b = b[len(magic256):]
   357  	b, d.h[0] = consumeUint32(b)
   358  	b, d.h[1] = consumeUint32(b)
   359  	b, d.h[2] = consumeUint32(b)
   360  	b, d.h[3] = consumeUint32(b)
   361  	b, d.h[4] = consumeUint32(b)
   362  	b, d.h[5] = consumeUint32(b)
   363  	b, d.h[6] = consumeUint32(b)
   364  	b, d.h[7] = consumeUint32(b)
   365  	b = b[copy(d.x[:], b):]
   366  	b, n := consumeUint64(b)
   367  	d.nl = uint32(n << 3)
   368  	d.nh = uint32(n >> 29)
   369  	d.nx = uint32(n) % 64
   370  	return nil
   371  }
   372  
   373  // NewSHA384 returns a new SHA384 hash.
   374  func NewSHA384() hash.Hash {
   375  	h := new(sha384Hash)
   376  	h.Reset()
   377  	return h
   378  }
   379  
   380  type sha384Hash struct {
   381  	ctx C.GO_SHA512_CTX
   382  	out [384 / 8]byte
   383  }
   384  
   385  func (h *sha384Hash) noescapeCtx() *C.GO_SHA512_CTX {
   386  	return (*C.GO_SHA512_CTX)(noescape(unsafe.Pointer(&h.ctx)))
   387  }
   388  
   389  func (h *sha384Hash) Reset() {
   390  	C._goboringcrypto_SHA384_Init(h.noescapeCtx())
   391  }
   392  func (h *sha384Hash) Size() int             { return 384 / 8 }
   393  func (h *sha384Hash) BlockSize() int        { return 128 }
   394  func (h *sha384Hash) Sum(dst []byte) []byte { return h.sum(dst) }
   395  
   396  func (h *sha384Hash) Write(p []byte) (int, error) {
   397  	if len(p) > 0 && C._goboringcrypto_SHA384_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
   398  		panic("boringcrypto: SHA384_Update failed")
   399  	}
   400  	return len(p), nil
   401  }
   402  
   403  func (h0 *sha384Hash) sum(dst []byte) []byte {
   404  	h := *h0 // make copy so future Write+Sum is valid
   405  	if C._goboringcrypto_SHA384_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
   406  		panic("boringcrypto: SHA384_Final failed")
   407  	}
   408  	return append(dst, h.out[:]...)
   409  }
   410  
   411  // NewSHA512 returns a new SHA512 hash.
   412  func NewSHA512() hash.Hash {
   413  	h := new(sha512Hash)
   414  	h.Reset()
   415  	return h
   416  }
   417  
   418  type sha512Hash struct {
   419  	ctx C.GO_SHA512_CTX
   420  	out [512 / 8]byte
   421  }
   422  
   423  func (h *sha512Hash) noescapeCtx() *C.GO_SHA512_CTX {
   424  	return (*C.GO_SHA512_CTX)(noescape(unsafe.Pointer(&h.ctx)))
   425  }
   426  
   427  func (h *sha512Hash) Reset() {
   428  	C._goboringcrypto_SHA512_Init(h.noescapeCtx())
   429  }
   430  func (h *sha512Hash) Size() int             { return 512 / 8 }
   431  func (h *sha512Hash) BlockSize() int        { return 128 }
   432  func (h *sha512Hash) Sum(dst []byte) []byte { return h.sum(dst) }
   433  
   434  func (h *sha512Hash) Write(p []byte) (int, error) {
   435  	if len(p) > 0 && C._goboringcrypto_SHA512_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
   436  		panic("boringcrypto: SHA512_Update failed")
   437  	}
   438  	return len(p), nil
   439  }
   440  
   441  func (h0 *sha512Hash) sum(dst []byte) []byte {
   442  	h := *h0 // make copy so future Write+Sum is valid
   443  	if C._goboringcrypto_SHA512_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
   444  		panic("boringcrypto: SHA512_Final failed")
   445  	}
   446  	return append(dst, h.out[:]...)
   447  }
   448  
   449  type sha512Ctx struct {
   450  	h      [8]uint64
   451  	nl, nh uint64
   452  	x      [128]byte
   453  	nx     uint32
   454  }
   455  
   456  const (
   457  	magic384         = "sha\x04"
   458  	magic512_224     = "sha\x05"
   459  	magic512_256     = "sha\x06"
   460  	magic512         = "sha\x07"
   461  	marshaledSize512 = len(magic512) + 8*8 + 128 + 8
   462  )
   463  
   464  func (h *sha384Hash) MarshalBinary() ([]byte, error) {
   465  	d := (*sha512Ctx)(unsafe.Pointer(&h.ctx))
   466  	b := make([]byte, 0, marshaledSize512)
   467  	b = append(b, magic384...)
   468  	b = appendUint64(b, d.h[0])
   469  	b = appendUint64(b, d.h[1])
   470  	b = appendUint64(b, d.h[2])
   471  	b = appendUint64(b, d.h[3])
   472  	b = appendUint64(b, d.h[4])
   473  	b = appendUint64(b, d.h[5])
   474  	b = appendUint64(b, d.h[6])
   475  	b = appendUint64(b, d.h[7])
   476  	b = append(b, d.x[:d.nx]...)
   477  	b = b[:len(b)+len(d.x)-int(d.nx)] // already zero
   478  	b = appendUint64(b, d.nl>>3|d.nh<<61)
   479  	return b, nil
   480  }
   481  
   482  func (h *sha512Hash) MarshalBinary() ([]byte, error) {
   483  	d := (*sha512Ctx)(unsafe.Pointer(&h.ctx))
   484  	b := make([]byte, 0, marshaledSize512)
   485  	b = append(b, magic512...)
   486  	b = appendUint64(b, d.h[0])
   487  	b = appendUint64(b, d.h[1])
   488  	b = appendUint64(b, d.h[2])
   489  	b = appendUint64(b, d.h[3])
   490  	b = appendUint64(b, d.h[4])
   491  	b = appendUint64(b, d.h[5])
   492  	b = appendUint64(b, d.h[6])
   493  	b = appendUint64(b, d.h[7])
   494  	b = append(b, d.x[:d.nx]...)
   495  	b = b[:len(b)+len(d.x)-int(d.nx)] // already zero
   496  	b = appendUint64(b, d.nl>>3|d.nh<<61)
   497  	return b, nil
   498  }
   499  
   500  func (h *sha384Hash) UnmarshalBinary(b []byte) error {
   501  	if len(b) < len(magic512) {
   502  		return errors.New("crypto/sha512: invalid hash state identifier")
   503  	}
   504  	if string(b[:len(magic384)]) != magic384 {
   505  		return errors.New("crypto/sha512: invalid hash state identifier")
   506  	}
   507  	if len(b) != marshaledSize512 {
   508  		return errors.New("crypto/sha512: invalid hash state size")
   509  	}
   510  	d := (*sha512Ctx)(unsafe.Pointer(&h.ctx))
   511  	b = b[len(magic512):]
   512  	b, d.h[0] = consumeUint64(b)
   513  	b, d.h[1] = consumeUint64(b)
   514  	b, d.h[2] = consumeUint64(b)
   515  	b, d.h[3] = consumeUint64(b)
   516  	b, d.h[4] = consumeUint64(b)
   517  	b, d.h[5] = consumeUint64(b)
   518  	b, d.h[6] = consumeUint64(b)
   519  	b, d.h[7] = consumeUint64(b)
   520  	b = b[copy(d.x[:], b):]
   521  	b, n := consumeUint64(b)
   522  	d.nl = n << 3
   523  	d.nh = n >> 61
   524  	d.nx = uint32(n) % 128
   525  	return nil
   526  }
   527  
   528  func (h *sha512Hash) UnmarshalBinary(b []byte) error {
   529  	if len(b) < len(magic512) {
   530  		return errors.New("crypto/sha512: invalid hash state identifier")
   531  	}
   532  	if string(b[:len(magic512)]) != magic512 {
   533  		return errors.New("crypto/sha512: invalid hash state identifier")
   534  	}
   535  	if len(b) != marshaledSize512 {
   536  		return errors.New("crypto/sha512: invalid hash state size")
   537  	}
   538  	d := (*sha512Ctx)(unsafe.Pointer(&h.ctx))
   539  	b = b[len(magic512):]
   540  	b, d.h[0] = consumeUint64(b)
   541  	b, d.h[1] = consumeUint64(b)
   542  	b, d.h[2] = consumeUint64(b)
   543  	b, d.h[3] = consumeUint64(b)
   544  	b, d.h[4] = consumeUint64(b)
   545  	b, d.h[5] = consumeUint64(b)
   546  	b, d.h[6] = consumeUint64(b)
   547  	b, d.h[7] = consumeUint64(b)
   548  	b = b[copy(d.x[:], b):]
   549  	b, n := consumeUint64(b)
   550  	d.nl = n << 3
   551  	d.nh = n >> 61
   552  	d.nx = uint32(n) % 128
   553  	return nil
   554  }
   555  
   556  func appendUint64(b []byte, x uint64) []byte {
   557  	var a [8]byte
   558  	putUint64(a[:], x)
   559  	return append(b, a[:]...)
   560  }
   561  
   562  func appendUint32(b []byte, x uint32) []byte {
   563  	var a [4]byte
   564  	putUint32(a[:], x)
   565  	return append(b, a[:]...)
   566  }
   567  
   568  func consumeUint64(b []byte) ([]byte, uint64) {
   569  	_ = b[7]
   570  	x := uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 |
   571  		uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56
   572  	return b[8:], x
   573  }
   574  
   575  func consumeUint32(b []byte) ([]byte, uint32) {
   576  	_ = b[3]
   577  	x := uint32(b[3]) | uint32(b[2])<<8 | uint32(b[1])<<16 | uint32(b[0])<<24
   578  	return b[4:], x
   579  }
   580  
   581  func putUint64(x []byte, s uint64) {
   582  	_ = x[7]
   583  	x[0] = byte(s >> 56)
   584  	x[1] = byte(s >> 48)
   585  	x[2] = byte(s >> 40)
   586  	x[3] = byte(s >> 32)
   587  	x[4] = byte(s >> 24)
   588  	x[5] = byte(s >> 16)
   589  	x[6] = byte(s >> 8)
   590  	x[7] = byte(s)
   591  }
   592  
   593  func putUint32(x []byte, s uint32) {
   594  	_ = x[3]
   595  	x[0] = byte(s >> 24)
   596  	x[1] = byte(s >> 16)
   597  	x[2] = byte(s >> 8)
   598  	x[3] = byte(s)
   599  }
   600
View as plain text