"Fossies" - the Fresh Open Source Software Archive

Member "apt-1.9.4/apt-pkg/contrib/sha2_internal.cc" (19 Sep 2019, 32609 Bytes) of package /linux/misc/apt-1.9.4.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "sha2_internal.cc" see the Fossies "Dox" file reference documentation.

    1 /*
    2  * FILE:    sha2.c
    3  * AUTHOR:  Aaron D. Gifford - http://www.aarongifford.com/
    4  * 
    5  * Copyright (c) 2000-2001, Aaron D. Gifford
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the copyright holder nor the names of contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  * 
   20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  *
   32  */
   33 #include <config.h>
   34 
   35 #include "sha2_internal.h"
   36 #include <assert.h> /* assert() */
   37 #include <endian.h>
   38 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
   39 
   40 /*
   41  * ASSERT NOTE:
   42  * Some sanity checking code is included using assert().  On my FreeBSD
   43  * system, this additional code can be removed by compiling with NDEBUG
   44  * defined.  Check your own systems manpage on assert() to see how to
   45  * compile WITHOUT the sanity checking code on your system.
   46  *
   47  * UNROLLED TRANSFORM LOOP NOTE:
   48  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
   49  * loop version for the hash transform rounds (defined using macros
   50  * later in this file).  Either define on the command line, for example:
   51  *
   52  *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
   53  *
   54  * or define below:
   55  *
   56  *   #define SHA2_UNROLL_TRANSFORM
   57  *
   58  */
   59 
   60 
   61 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
   62 /*
   63  * BYTE_ORDER NOTE:
   64  *
   65  * Please make sure that your system defines BYTE_ORDER.  If your
   66  * architecture is little-endian, make sure it also defines
   67  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
   68  * equivalent.
   69  *
   70  * If your system does not define the above, then you can do so by
   71  * hand like this:
   72  *
   73  *   #define LITTLE_ENDIAN 1234
   74  *   #define BIG_ENDIAN    4321
   75  *
   76  * And for little-endian machines, add:
   77  *
   78  *   #define BYTE_ORDER LITTLE_ENDIAN 
   79  *
   80  * Or for big-endian machines:
   81  *
   82  *   #define BYTE_ORDER BIG_ENDIAN
   83  *
   84  * The FreeBSD machine this was written on defines BYTE_ORDER
   85  * appropriately by including <sys/types.h> (which in turn includes
   86  * <machine/endian.h> where the appropriate definitions are actually
   87  * made).
   88  */
   89 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
   90 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
   91 #endif
   92 
   93 /*
   94  * Define the followingsha2_* types to types of the correct length on
   95  * the native architecture.   Most BSD systems and Linux define u_intXX_t
   96  * types.  Machines with very recent ANSI C headers, can use the
   97  * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
   98  * during compile or in the sha.h header file.
   99  *
  100  * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
  101  * will need to define these three typedefs below (and the appropriate
  102  * ones in sha.h too) by hand according to their system architecture.
  103  *
  104  * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
  105  * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
  106  */
  107 #ifdef SHA2_USE_INTTYPES_H
  108 
  109 typedef uint8_t  sha2_byte; /* Exactly 1 byte */
  110 typedef uint32_t sha2_word32;   /* Exactly 4 bytes */
  111 typedef uint64_t sha2_word64;   /* Exactly 8 bytes */
  112 
  113 #else /* SHA2_USE_INTTYPES_H */
  114 
  115 typedef u_int8_t  sha2_byte;    /* Exactly 1 byte */
  116 typedef u_int32_t sha2_word32;  /* Exactly 4 bytes */
  117 typedef u_int64_t sha2_word64;  /* Exactly 8 bytes */
  118 
  119 #endif /* SHA2_USE_INTTYPES_H */
  120 
  121 
  122 /*** SHA-256/384/512 Various Length Definitions ***********************/
  123 /* NOTE: Most of these are in sha2.h */
  124 #define SHA256_SHORT_BLOCK_LENGTH   (SHA256_BLOCK_LENGTH - 8)
  125 #define SHA384_SHORT_BLOCK_LENGTH   (SHA384_BLOCK_LENGTH - 16)
  126 #define SHA512_SHORT_BLOCK_LENGTH   (SHA512_BLOCK_LENGTH - 16)
  127 
  128 
  129 /*** ENDIAN REVERSAL MACROS *******************************************/
  130 #if BYTE_ORDER == LITTLE_ENDIAN
  131 #if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))
  132 #define REVERSE32(w,x)  { \
  133     (x) = __builtin_bswap32(w); \
  134 }
  135 #define REVERSE64(w,x)  { \
  136     (x) = __builtin_bswap64(w); \
  137 }
  138 #else
  139 #define REVERSE32(w,x)  { \
  140     sha2_word32 tmp = (w); \
  141     tmp = (tmp >> 16) | (tmp << 16); \
  142     (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
  143 }
  144 #define REVERSE64(w,x)  { \
  145     sha2_word64 tmp = (w); \
  146     tmp = (tmp >> 32) | (tmp << 32); \
  147     tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
  148           ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
  149     (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
  150           ((tmp & 0x0000ffff0000ffffULL) << 16); \
  151 }
  152 #endif
  153 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  154 
  155 /*
  156  * Macro for incrementally adding the unsigned 64-bit integer n to the
  157  * unsigned 128-bit integer (represented using a two-element array of
  158  * 64-bit words):
  159  */
  160 #define ADDINC128(w,n)  { \
  161     (w)[0] += (sha2_word64)(n); \
  162     if ((w)[0] < (n)) { \
  163         (w)[1]++; \
  164     } \
  165 }
  166 
  167 /*
  168  * Macros for copying blocks of memory and for zeroing out ranges
  169  * of memory.  Using these macros makes it easy to switch from
  170  * using memset()/memcpy() and using bzero()/bcopy().
  171  *
  172  * Please define either SHA2_USE_MEMSET_MEMCPY or define
  173  * SHA2_USE_BZERO_BCOPY depending on which function set you
  174  * choose to use:
  175  */
  176 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
  177 /* Default to memset()/memcpy() if no option is specified */
  178 #define SHA2_USE_MEMSET_MEMCPY  1
  179 #endif
  180 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
  181 /* Abort with an error if BOTH options are defined */
  182 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
  183 #endif
  184 
  185 #ifdef SHA2_USE_MEMSET_MEMCPY
  186 #define MEMSET_BZERO(p,l)   memset((p), 0, (l))
  187 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
  188 #endif
  189 #ifdef SHA2_USE_BZERO_BCOPY
  190 #define MEMSET_BZERO(p,l)   bzero((p), (l))
  191 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
  192 #endif
  193 
  194 
  195 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
  196 /*
  197  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
  198  *
  199  *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
  200  *   S is a ROTATION) because the SHA-256/384/512 description document
  201  *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
  202  *   same "backwards" definition.
  203  */
  204 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
  205 #define R(b,x)      ((x) >> (b))
  206 /* 32-bit Rotate-right (used in SHA-256): */
  207 #define S32(b,x)    (((x) >> (b)) | ((x) << (32 - (b))))
  208 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
  209 #define S64(b,x)    (((x) >> (b)) | ((x) << (64 - (b))))
  210 
  211 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
  212 #define Ch(x,y,z)   (((x) & (y)) ^ ((~(x)) & (z)))
  213 #define Maj(x,y,z)  (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
  214 
  215 /* Four of six logical functions used in SHA-256: */
  216 #define Sigma0_256(x)   (S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
  217 #define Sigma1_256(x)   (S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
  218 #define sigma0_256(x)   (S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
  219 #define sigma1_256(x)   (S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
  220 
  221 /* Four of six logical functions used in SHA-384 and SHA-512: */
  222 #define Sigma0_512(x)   (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
  223 #define Sigma1_512(x)   (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
  224 #define sigma0_512(x)   (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
  225 #define sigma1_512(x)   (S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
  226 
  227 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
  228 /* NOTE: These should not be accessed directly from outside this
  229  * library -- they are intended for private internal visibility/use
  230  * only.
  231  */
  232 static void SHA512_Last(SHA512_CTX*);
  233 static void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
  234 static void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
  235 
  236 
  237 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
  238 /* Hash constant words K for SHA-256: */
  239 const static sha2_word32 K256[64] = {
  240     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
  241     0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
  242     0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
  243     0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
  244     0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
  245     0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
  246     0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
  247     0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
  248     0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
  249     0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
  250     0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
  251     0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
  252     0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
  253     0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
  254     0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
  255     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
  256 };
  257 
  258 /* Initial hash value H for SHA-256: */
  259 const static sha2_word32 sha256_initial_hash_value[8] = {
  260     0x6a09e667UL,
  261     0xbb67ae85UL,
  262     0x3c6ef372UL,
  263     0xa54ff53aUL,
  264     0x510e527fUL,
  265     0x9b05688cUL,
  266     0x1f83d9abUL,
  267     0x5be0cd19UL
  268 };
  269 
  270 /* Hash constant words K for SHA-384 and SHA-512: */
  271 const static sha2_word64 K512[80] = {
  272     0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
  273     0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
  274     0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
  275     0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
  276     0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
  277     0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
  278     0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
  279     0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
  280     0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
  281     0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
  282     0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
  283     0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
  284     0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
  285     0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
  286     0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
  287     0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
  288     0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
  289     0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
  290     0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
  291     0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
  292     0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
  293     0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
  294     0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
  295     0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
  296     0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
  297     0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
  298     0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
  299     0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
  300     0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
  301     0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
  302     0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
  303     0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
  304     0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
  305     0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
  306     0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
  307     0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
  308     0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
  309     0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
  310     0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
  311     0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
  312 };
  313 
  314 /* Initial hash value H for SHA-384 */
  315 const static sha2_word64 sha384_initial_hash_value[8] = {
  316     0xcbbb9d5dc1059ed8ULL,
  317     0x629a292a367cd507ULL,
  318     0x9159015a3070dd17ULL,
  319     0x152fecd8f70e5939ULL,
  320     0x67332667ffc00b31ULL,
  321     0x8eb44a8768581511ULL,
  322     0xdb0c2e0d64f98fa7ULL,
  323     0x47b5481dbefa4fa4ULL
  324 };
  325 
  326 /* Initial hash value H for SHA-512 */
  327 const static sha2_word64 sha512_initial_hash_value[8] = {
  328     0x6a09e667f3bcc908ULL,
  329     0xbb67ae8584caa73bULL,
  330     0x3c6ef372fe94f82bULL,
  331     0xa54ff53a5f1d36f1ULL,
  332     0x510e527fade682d1ULL,
  333     0x9b05688c2b3e6c1fULL,
  334     0x1f83d9abfb41bd6bULL,
  335     0x5be0cd19137e2179ULL
  336 };
  337 
  338 /*
  339  * Constant used by SHA256/384/512_End() functions for converting the
  340  * digest to a readable hexadecimal character string:
  341  */
  342 static const char *sha2_hex_digits = "0123456789abcdef";
  343 
  344 
  345 /*** SHA-256: *********************************************************/
  346 void SHA256_Init(SHA256_CTX* context) {
  347     if (context == (SHA256_CTX*)0) {
  348         return;
  349     }
  350     MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
  351     MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
  352     context->bitcount = 0;
  353 }
  354 
  355 #ifdef SHA2_UNROLL_TRANSFORM
  356 
  357 /* Unrolled SHA-256 round macros: */
  358 
  359 #if BYTE_ORDER == LITTLE_ENDIAN
  360 
  361 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)   \
  362     REVERSE32(*data++, W256[j]); \
  363     T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
  364              K256[j] + W256[j]; \
  365     (d) += T1; \
  366     (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
  367     j++
  368 
  369 
  370 #else /* BYTE_ORDER == LITTLE_ENDIAN */
  371 
  372 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)   \
  373     T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
  374          K256[j] + (W256[j] = *data++); \
  375     (d) += T1; \
  376     (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
  377     j++
  378 
  379 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  380 
  381 #define ROUND256(a,b,c,d,e,f,g,h)   \
  382     s0 = W256[(j+1)&0x0f]; \
  383     s0 = sigma0_256(s0); \
  384     s1 = W256[(j+14)&0x0f]; \
  385     s1 = sigma1_256(s1); \
  386     T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
  387          (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
  388     (d) += T1; \
  389     (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
  390     j++
  391 
  392 static void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
  393     sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
  394     sha2_word32 T1, *W256;
  395     int     j;
  396 
  397     W256 = (sha2_word32*)context->buffer;
  398 
  399     /* Initialize registers with the prev. intermediate value */
  400     a = context->state[0];
  401     b = context->state[1];
  402     c = context->state[2];
  403     d = context->state[3];
  404     e = context->state[4];
  405     f = context->state[5];
  406     g = context->state[6];
  407     h = context->state[7];
  408 
  409     j = 0;
  410     do {
  411         /* Rounds 0 to 15 (unrolled): */
  412         ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
  413         ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
  414         ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
  415         ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
  416         ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
  417         ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
  418         ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
  419         ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
  420     } while (j < 16);
  421 
  422     /* Now for the remaining rounds to 64: */
  423     do {
  424         ROUND256(a,b,c,d,e,f,g,h);
  425         ROUND256(h,a,b,c,d,e,f,g);
  426         ROUND256(g,h,a,b,c,d,e,f);
  427         ROUND256(f,g,h,a,b,c,d,e);
  428         ROUND256(e,f,g,h,a,b,c,d);
  429         ROUND256(d,e,f,g,h,a,b,c);
  430         ROUND256(c,d,e,f,g,h,a,b);
  431         ROUND256(b,c,d,e,f,g,h,a);
  432     } while (j < 64);
  433 
  434     /* Compute the current intermediate hash value */
  435     context->state[0] += a;
  436     context->state[1] += b;
  437     context->state[2] += c;
  438     context->state[3] += d;
  439     context->state[4] += e;
  440     context->state[5] += f;
  441     context->state[6] += g;
  442     context->state[7] += h;
  443 
  444     /* Clean up */
  445     a = b = c = d = e = f = g = h = T1 = 0;
  446 }
  447 
  448 #else /* SHA2_UNROLL_TRANSFORM */
  449 
  450 static void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
  451     sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
  452     sha2_word32 T1, T2, *W256;
  453     int     j;
  454 
  455     W256 = (sha2_word32*)context->buffer;
  456 
  457     /* Initialize registers with the prev. intermediate value */
  458     a = context->state[0];
  459     b = context->state[1];
  460     c = context->state[2];
  461     d = context->state[3];
  462     e = context->state[4];
  463     f = context->state[5];
  464     g = context->state[6];
  465     h = context->state[7];
  466 
  467     j = 0;
  468     do {
  469 #if BYTE_ORDER == LITTLE_ENDIAN
  470         /* Copy data while converting to host byte order */
  471         REVERSE32(*data++,W256[j]);
  472         /* Apply the SHA-256 compression function to update a..h */
  473         T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
  474 #else /* BYTE_ORDER == LITTLE_ENDIAN */
  475         /* Apply the SHA-256 compression function to update a..h with copy */
  476         T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
  477 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  478         T2 = Sigma0_256(a) + Maj(a, b, c);
  479         h = g;
  480         g = f;
  481         f = e;
  482         e = d + T1;
  483         d = c;
  484         c = b;
  485         b = a;
  486         a = T1 + T2;
  487 
  488         j++;
  489     } while (j < 16);
  490 
  491     do {
  492         /* Part of the message block expansion: */
  493         s0 = W256[(j+1)&0x0f];
  494         s0 = sigma0_256(s0);
  495         s1 = W256[(j+14)&0x0f]; 
  496         s1 = sigma1_256(s1);
  497 
  498         /* Apply the SHA-256 compression function to update a..h */
  499         T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
  500              (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
  501         T2 = Sigma0_256(a) + Maj(a, b, c);
  502         h = g;
  503         g = f;
  504         f = e;
  505         e = d + T1;
  506         d = c;
  507         c = b;
  508         b = a;
  509         a = T1 + T2;
  510 
  511         j++;
  512     } while (j < 64);
  513 
  514     /* Compute the current intermediate hash value */
  515     context->state[0] += a;
  516     context->state[1] += b;
  517     context->state[2] += c;
  518     context->state[3] += d;
  519     context->state[4] += e;
  520     context->state[5] += f;
  521     context->state[6] += g;
  522     context->state[7] += h;
  523 
  524     /* Clean up */
  525     a = b = c = d = e = f = g = h = T1 = T2 = 0;
  526 }
  527 
  528 #endif /* SHA2_UNROLL_TRANSFORM */
  529 
  530 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
  531     unsigned int    freespace, usedspace;
  532 
  533     if (len == 0) {
  534         /* Calling with no data is valid - we do nothing */
  535         return;
  536     }
  537 
  538     /* Sanity check: */
  539     assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
  540 
  541     usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
  542     if (usedspace > 0) {
  543         /* Calculate how much free space is available in the buffer */
  544         freespace = SHA256_BLOCK_LENGTH - usedspace;
  545 
  546         if (len >= freespace) {
  547             /* Fill the buffer completely and process it */
  548             MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
  549             context->bitcount += freespace << 3;
  550             len -= freespace;
  551             data += freespace;
  552             SHA256_Transform(context, (sha2_word32*)context->buffer);
  553         } else {
  554             /* The buffer is not yet full */
  555             MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
  556             context->bitcount += len << 3;
  557             /* Clean up: */
  558             usedspace = freespace = 0;
  559             return;
  560         }
  561     }
  562     while (len >= SHA256_BLOCK_LENGTH) {
  563         /* Process as many complete blocks as we can */
  564         sha2_byte buffer[SHA256_BLOCK_LENGTH];
  565         MEMCPY_BCOPY(buffer, data, SHA256_BLOCK_LENGTH);
  566         SHA256_Transform(context, (sha2_word32*)buffer);
  567         context->bitcount += SHA256_BLOCK_LENGTH << 3;
  568         len -= SHA256_BLOCK_LENGTH;
  569         data += SHA256_BLOCK_LENGTH;
  570     }
  571     if (len > 0) {
  572         /* There's left-overs, so save 'em */
  573         MEMCPY_BCOPY(context->buffer, data, len);
  574         context->bitcount += len << 3;
  575     }
  576     /* Clean up: */
  577     usedspace = freespace = 0;
  578 }
  579 
  580 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
  581     sha2_word32 *d = (sha2_word32*)digest;
  582     unsigned int    usedspace;
  583 
  584     /* Sanity check: */
  585     assert(context != (SHA256_CTX*)0);
  586 
  587     /* If no digest buffer is passed, we don't bother doing this: */
  588     if (digest != (sha2_byte*)0) {
  589         usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
  590 #if BYTE_ORDER == LITTLE_ENDIAN
  591         /* Convert FROM host byte order */
  592         REVERSE64(context->bitcount,context->bitcount);
  593 #endif
  594         if (usedspace > 0) {
  595             /* Begin padding with a 1 bit: */
  596             context->buffer[usedspace++] = 0x80;
  597 
  598             if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
  599                 /* Set-up for the last transform: */
  600                 MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
  601             } else {
  602                 if (usedspace < SHA256_BLOCK_LENGTH) {
  603                     MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
  604                 }
  605                 /* Do second-to-last transform: */
  606                 SHA256_Transform(context, (sha2_word32*)context->buffer);
  607 
  608                 /* And set-up for the last transform: */
  609                 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
  610             }
  611         } else {
  612             /* Set-up for the last transform: */
  613             MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
  614 
  615             /* Begin padding with a 1 bit: */
  616             *context->buffer = 0x80;
  617         }
  618         /* Set the bit count: */
  619         union {
  620             sha2_byte* c;
  621             sha2_word64* l;
  622         } bitcount;
  623         bitcount.c = &context->buffer[SHA256_SHORT_BLOCK_LENGTH];
  624         *(bitcount.l) = context->bitcount;
  625 
  626         /* Final transform: */
  627         SHA256_Transform(context, (sha2_word32*)context->buffer);
  628 
  629 #if BYTE_ORDER == LITTLE_ENDIAN
  630         {
  631             /* Convert TO host byte order */
  632             int j;
  633             for (j = 0; j < 8; j++) {
  634                 REVERSE32(context->state[j],context->state[j]);
  635                 *d++ = context->state[j];
  636             }
  637         }
  638 #else
  639         MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
  640 #endif
  641     }
  642 
  643     /* Clean up state data: */
  644     MEMSET_BZERO(context, sizeof(*context));
  645     usedspace = 0;
  646 }
  647 
  648 char *SHA256_End(SHA256_CTX* context, char buffer[]) {
  649     sha2_byte   digest[SHA256_DIGEST_LENGTH], *d = digest;
  650     int     i;
  651 
  652     /* Sanity check: */
  653     assert(context != (SHA256_CTX*)0);
  654 
  655     if (buffer != (char*)0) {
  656         SHA256_Final(digest, context);
  657 
  658         for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
  659             *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
  660             *buffer++ = sha2_hex_digits[*d & 0x0f];
  661             d++;
  662         }
  663         *buffer = (char)0;
  664     } else {
  665         MEMSET_BZERO(context, sizeof(*context));
  666     }
  667     MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
  668     return buffer;
  669 }
  670 
  671 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
  672     SHA256_CTX  context;
  673 
  674     SHA256_Init(&context);
  675     SHA256_Update(&context, data, len);
  676     return SHA256_End(&context, digest);
  677 }
  678 
  679 
  680 /*** SHA-512: *********************************************************/
  681 void SHA512_Init(SHA512_CTX* context) {
  682     if (context == (SHA512_CTX*)0) {
  683         return;
  684     }
  685     MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
  686     MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
  687     context->bitcount[0] = context->bitcount[1] =  0;
  688 }
  689 
  690 #ifdef SHA2_UNROLL_TRANSFORM
  691 
  692 /* Unrolled SHA-512 round macros: */
  693 #if BYTE_ORDER == LITTLE_ENDIAN
  694 
  695 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)   \
  696     REVERSE64(*data++, W512[j]); \
  697     T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
  698              K512[j] + W512[j]; \
  699     (d) += T1, \
  700     (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
  701     j++
  702 
  703 
  704 #else /* BYTE_ORDER == LITTLE_ENDIAN */
  705 
  706 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)   \
  707     T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
  708              K512[j] + (W512[j] = *data++); \
  709     (d) += T1; \
  710     (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
  711     j++
  712 
  713 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  714 
  715 #define ROUND512(a,b,c,d,e,f,g,h)   \
  716     s0 = W512[(j+1)&0x0f]; \
  717     s0 = sigma0_512(s0); \
  718     s1 = W512[(j+14)&0x0f]; \
  719     s1 = sigma1_512(s1); \
  720     T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
  721              (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
  722     (d) += T1; \
  723     (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
  724     j++
  725 
  726 static void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
  727     sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
  728     sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
  729     int     j;
  730 
  731     /* Initialize registers with the prev. intermediate value */
  732     a = context->state[0];
  733     b = context->state[1];
  734     c = context->state[2];
  735     d = context->state[3];
  736     e = context->state[4];
  737     f = context->state[5];
  738     g = context->state[6];
  739     h = context->state[7];
  740 
  741     j = 0;
  742     do {
  743         ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
  744         ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
  745         ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
  746         ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
  747         ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
  748         ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
  749         ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
  750         ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
  751     } while (j < 16);
  752 
  753     /* Now for the remaining rounds up to 79: */
  754     do {
  755         ROUND512(a,b,c,d,e,f,g,h);
  756         ROUND512(h,a,b,c,d,e,f,g);
  757         ROUND512(g,h,a,b,c,d,e,f);
  758         ROUND512(f,g,h,a,b,c,d,e);
  759         ROUND512(e,f,g,h,a,b,c,d);
  760         ROUND512(d,e,f,g,h,a,b,c);
  761         ROUND512(c,d,e,f,g,h,a,b);
  762         ROUND512(b,c,d,e,f,g,h,a);
  763     } while (j < 80);
  764 
  765     /* Compute the current intermediate hash value */
  766     context->state[0] += a;
  767     context->state[1] += b;
  768     context->state[2] += c;
  769     context->state[3] += d;
  770     context->state[4] += e;
  771     context->state[5] += f;
  772     context->state[6] += g;
  773     context->state[7] += h;
  774 
  775     /* Clean up */
  776     a = b = c = d = e = f = g = h = T1 = 0;
  777 }
  778 
  779 #else /* SHA2_UNROLL_TRANSFORM */
  780 
  781 static void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
  782     sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
  783     sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
  784     int     j;
  785 
  786     /* Initialize registers with the prev. intermediate value */
  787     a = context->state[0];
  788     b = context->state[1];
  789     c = context->state[2];
  790     d = context->state[3];
  791     e = context->state[4];
  792     f = context->state[5];
  793     g = context->state[6];
  794     h = context->state[7];
  795 
  796     j = 0;
  797     do {
  798 #if BYTE_ORDER == LITTLE_ENDIAN
  799         /* Convert TO host byte order */
  800         REVERSE64(*data++, W512[j]);
  801         /* Apply the SHA-512 compression function to update a..h */
  802         T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
  803 #else /* BYTE_ORDER == LITTLE_ENDIAN */
  804         /* Apply the SHA-512 compression function to update a..h with copy */
  805         T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
  806 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  807         T2 = Sigma0_512(a) + Maj(a, b, c);
  808         h = g;
  809         g = f;
  810         f = e;
  811         e = d + T1;
  812         d = c;
  813         c = b;
  814         b = a;
  815         a = T1 + T2;
  816 
  817         j++;
  818     } while (j < 16);
  819 
  820     do {
  821         /* Part of the message block expansion: */
  822         s0 = W512[(j+1)&0x0f];
  823         s0 = sigma0_512(s0);
  824         s1 = W512[(j+14)&0x0f];
  825         s1 =  sigma1_512(s1);
  826 
  827         /* Apply the SHA-512 compression function to update a..h */
  828         T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
  829              (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
  830         T2 = Sigma0_512(a) + Maj(a, b, c);
  831         h = g;
  832         g = f;
  833         f = e;
  834         e = d + T1;
  835         d = c;
  836         c = b;
  837         b = a;
  838         a = T1 + T2;
  839 
  840         j++;
  841     } while (j < 80);
  842 
  843     /* Compute the current intermediate hash value */
  844     context->state[0] += a;
  845     context->state[1] += b;
  846     context->state[2] += c;
  847     context->state[3] += d;
  848     context->state[4] += e;
  849     context->state[5] += f;
  850     context->state[6] += g;
  851     context->state[7] += h;
  852 
  853     /* Clean up */
  854     a = b = c = d = e = f = g = h = T1 = T2 = 0;
  855 }
  856 
  857 #endif /* SHA2_UNROLL_TRANSFORM */
  858 
  859 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
  860     unsigned int    freespace, usedspace;
  861 
  862     if (len == 0) {
  863         /* Calling with no data is valid - we do nothing */
  864         return;
  865     }
  866 
  867     /* Sanity check: */
  868     assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
  869 
  870     usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
  871     if (usedspace > 0) {
  872         /* Calculate how much free space is available in the buffer */
  873         freespace = SHA512_BLOCK_LENGTH - usedspace;
  874 
  875         if (len >= freespace) {
  876             /* Fill the buffer completely and process it */
  877             MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
  878             ADDINC128(context->bitcount, freespace << 3);
  879             len -= freespace;
  880             data += freespace;
  881             SHA512_Transform(context, (sha2_word64*)context->buffer);
  882         } else {
  883             /* The buffer is not yet full */
  884             MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
  885             ADDINC128(context->bitcount, len << 3);
  886             /* Clean up: */
  887             usedspace = freespace = 0;
  888             return;
  889         }
  890     }
  891     while (len >= SHA512_BLOCK_LENGTH) {
  892         /* Process as many complete blocks as we can */
  893         sha2_byte buffer[SHA512_BLOCK_LENGTH];
  894         MEMCPY_BCOPY(buffer, data, SHA512_BLOCK_LENGTH);
  895         SHA512_Transform(context, (sha2_word64*)buffer);
  896         ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
  897         len -= SHA512_BLOCK_LENGTH;
  898         data += SHA512_BLOCK_LENGTH;
  899     }
  900     if (len > 0) {
  901         /* There's left-overs, so save 'em */
  902         MEMCPY_BCOPY(context->buffer, data, len);
  903         ADDINC128(context->bitcount, len << 3);
  904     }
  905     /* Clean up: */
  906     usedspace = freespace = 0;
  907 }
  908 
  909 static void SHA512_Last(SHA512_CTX* context) {
  910     unsigned int    usedspace;
  911 
  912     usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
  913 #if BYTE_ORDER == LITTLE_ENDIAN
  914     /* Convert FROM host byte order */
  915     REVERSE64(context->bitcount[0],context->bitcount[0]);
  916     REVERSE64(context->bitcount[1],context->bitcount[1]);
  917 #endif
  918     if (usedspace > 0) {
  919         /* Begin padding with a 1 bit: */
  920         context->buffer[usedspace++] = 0x80;
  921 
  922         if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
  923             /* Set-up for the last transform: */
  924             MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
  925         } else {
  926             if (usedspace < SHA512_BLOCK_LENGTH) {
  927                 MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
  928             }
  929             /* Do second-to-last transform: */
  930             SHA512_Transform(context, (sha2_word64*)context->buffer);
  931 
  932             /* And set-up for the last transform: */
  933             MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
  934         }
  935     } else {
  936         /* Prepare for final transform: */
  937         MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
  938 
  939         /* Begin padding with a 1 bit: */
  940         *context->buffer = 0x80;
  941     }
  942     /* Store the length of input data (in bits): */
  943     union {
  944         sha2_byte* c;
  945         sha2_word64* l;
  946     } bitcount;
  947     bitcount.c = &context->buffer[SHA512_SHORT_BLOCK_LENGTH];
  948     bitcount.l[0] = context->bitcount[1];
  949     bitcount.l[1] = context->bitcount[0];
  950 
  951     /* Final transform: */
  952     SHA512_Transform(context, (sha2_word64*)context->buffer);
  953 }
  954 
  955 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
  956     sha2_word64 *d = (sha2_word64*)digest;
  957 
  958     /* Sanity check: */
  959     assert(context != (SHA512_CTX*)0);
  960 
  961     /* If no digest buffer is passed, we don't bother doing this: */
  962     if (digest != (sha2_byte*)0) {
  963         SHA512_Last(context);
  964 
  965         /* Save the hash data for output: */
  966 #if BYTE_ORDER == LITTLE_ENDIAN
  967         {
  968             /* Convert TO host byte order */
  969             int j;
  970             for (j = 0; j < 8; j++) {
  971                 REVERSE64(context->state[j],context->state[j]);
  972                 *d++ = context->state[j];
  973             }
  974         }
  975 #else
  976         MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
  977 #endif
  978     }
  979 
  980     /* Zero out state data */
  981     MEMSET_BZERO(context, sizeof(*context));
  982 }
  983 
  984 char *SHA512_End(SHA512_CTX* context, char buffer[]) {
  985     sha2_byte   digest[SHA512_DIGEST_LENGTH], *d = digest;
  986     int     i;
  987 
  988     /* Sanity check: */
  989     assert(context != (SHA512_CTX*)0);
  990 
  991     if (buffer != (char*)0) {
  992         SHA512_Final(digest, context);
  993 
  994         for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
  995             *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
  996             *buffer++ = sha2_hex_digits[*d & 0x0f];
  997             d++;
  998         }
  999         *buffer = (char)0;
 1000     } else {
 1001         MEMSET_BZERO(context, sizeof(*context));
 1002     }
 1003     MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH);
 1004     return buffer;
 1005 }
 1006 
 1007 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
 1008     SHA512_CTX  context;
 1009 
 1010     SHA512_Init(&context);
 1011     SHA512_Update(&context, data, len);
 1012     return SHA512_End(&context, digest);
 1013 }
 1014 
 1015 
 1016 /*** SHA-384: *********************************************************/
 1017 void SHA384_Init(SHA384_CTX* context) {
 1018     if (context == (SHA384_CTX*)0) {
 1019         return;
 1020     }
 1021     MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
 1022     MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
 1023     context->bitcount[0] = context->bitcount[1] = 0;
 1024 }
 1025 
 1026 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
 1027     SHA512_Update((SHA512_CTX*)context, data, len);
 1028 }
 1029 
 1030 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
 1031     sha2_word64 *d = (sha2_word64*)digest;
 1032 
 1033     /* Sanity check: */
 1034     assert(context != (SHA384_CTX*)0);
 1035 
 1036     /* If no digest buffer is passed, we don't bother doing this: */
 1037     if (digest != (sha2_byte*)0) {
 1038         SHA512_Last((SHA512_CTX*)context);
 1039 
 1040         /* Save the hash data for output: */
 1041 #if BYTE_ORDER == LITTLE_ENDIAN
 1042         {
 1043             /* Convert TO host byte order */
 1044             int j;
 1045             for (j = 0; j < 6; j++) {
 1046                 REVERSE64(context->state[j],context->state[j]);
 1047                 *d++ = context->state[j];
 1048             }
 1049         }
 1050 #else
 1051         MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
 1052 #endif
 1053     }
 1054 
 1055     /* Zero out state data */
 1056     MEMSET_BZERO(context, sizeof(*context));
 1057 }
 1058 
 1059 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
 1060     sha2_byte   digest[SHA384_DIGEST_LENGTH], *d = digest;
 1061     int     i;
 1062 
 1063     /* Sanity check: */
 1064     assert(context != (SHA384_CTX*)0);
 1065 
 1066     if (buffer != (char*)0) {
 1067         SHA384_Final(digest, context);
 1068 
 1069         for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
 1070             *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
 1071             *buffer++ = sha2_hex_digits[*d & 0x0f];
 1072             d++;
 1073         }
 1074         *buffer = (char)0;
 1075     } else {
 1076         MEMSET_BZERO(context, sizeof(*context));
 1077     }
 1078     MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH);
 1079     return buffer;
 1080 }
 1081 
 1082 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
 1083     SHA384_CTX  context;
 1084 
 1085     SHA384_Init(&context);
 1086     SHA384_Update(&context, data, len);
 1087     return SHA384_End(&context, digest);
 1088 }
 1089