"Fossies" - the Fresh Open Source Software Archive

Member "tin-2.4.3/libcanlock/src/sha384-512.c" (5 Jan 2018, 37638 Bytes) of package /linux/misc/tin-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "sha384-512.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 2.4.2_vs_2.4.3.

    1 /************************* sha384-512.c ************************/
    2 /***************** See RFC 6234 for details. *******************/
    3 /* Copyright (c) 2011 IETF Trust and the persons identified as */
    4 /* authors of the code.  All rights reserved.                  */
    5 /* See sha.h for terms of use and redistribution.              */
    6 
    7 /*
    8  * Description:
    9  *   This file implements the Secure Hash Algorithms SHA-384 and
   10  *   SHA-512 as defined in the U.S. National Institute of Standards
   11  *   and Technology Federal Information Processing Standards
   12  *   Publication (FIPS PUB) 180-3 published in October 2008
   13  *   and formerly defined in its predecessors, FIPS PUB 180-1
   14  *   and FIP PUB 180-2.
   15  *
   16  *   A combined document showing all algorithms is available at
   17  *       http://csrc.nist.gov/publications/fips/
   18  *              fips180-3/fips180-3_final.pdf
   19  *
   20  *   The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
   21  *   message digests for a given data stream.  It should take about
   22  *   2**n steps to find a message with the same digest as a given
   23  *   message and 2**(n/2) to find any two messages with the same
   24  *   digest, when n is the digest size in bits.  Therefore, this
   25  *   algorithm can serve as a means of providing a
   26  *   "fingerprint" for a message.
   27  *
   28  * Portability Issues:
   29  *   SHA-384 and SHA-512 are defined in terms of 64-bit "words",
   30  *   but if USE_32BIT_ONLY is #defined, this code is implemented in
   31  *   terms of 32-bit "words".  This code uses <stdint.h> (included
   32  *   via "sha.h") to define the 64-, 32- and 8-bit unsigned integer
   33  *   types.  If your C compiler does not support 64-bit unsigned
   34  *   integers and you do not #define USE_32BIT_ONLY, this code is
   35  *   not appropriate.
   36  *
   37  * Caveats:
   38  *   SHA-384 and SHA-512 are designed to work with messages less
   39  *   than 2^128 bits long.  This implementation uses SHA384/512Input()
   40  *   to hash the bits that are a multiple of the size of an 8-bit
   41  *   octet, and then optionally uses SHA384/256FinalBits()
   42  *   to hash the final few bits of the input.
   43  *
   44  */
   45 
   46 #include "canlock-private.h"
   47 #include "sha.h"
   48 
   49 #ifdef USE_32BIT_ONLY
   50 /*
   51  * Define 64-bit arithmetic in terms of 32-bit arithmetic.
   52  * Each 64-bit number is represented in a 2-word array.
   53  * All macros are defined such that the result is the last parameter.
   54  */
   55 
   56 /*
   57  * Define shift, rotate left, and rotate right functions
   58  */
   59 #define SHA512_SHR(bits, word, ret) (                          \
   60     /* (((uint64_t)((word))) >> (bits)) */                     \
   61     (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ?              \
   62       ((word)[0] >> (bits)) : 0,                               \
   63     (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) :  \
   64       ((bits) == 32) ? (word)[0] :                             \
   65       ((bits) >= 0) ?                                          \
   66         (((word)[0] << (32 - (bits))) |                        \
   67         ((word)[1] >> (bits))) : 0 )
   68 
   69 #define SHA512_SHL(bits, word, ret) (                          \
   70     /* (((uint64_t)(word)) << (bits)) */                       \
   71     (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) :  \
   72          ((bits) == 32) ? (word)[1] :                          \
   73          ((bits) >= 0) ?                                       \
   74            (((word)[0] << (bits)) |                            \
   75            ((word)[1] >> (32 - (bits)))) :                     \
   76          0,                                                    \
   77     (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ?              \
   78         ((word)[1] << (bits)) : 0 )
   79 
   80 /*
   81  * Define 64-bit OR
   82  */
   83 #define SHA512_OR(word1, word2, ret) (                         \
   84     (ret)[0] = (word1)[0] | (word2)[0],                        \
   85     (ret)[1] = (word1)[1] | (word2)[1] )
   86 
   87 /*
   88  * Define 64-bit XOR
   89  */
   90 #define SHA512_XOR(word1, word2, ret) (                        \
   91     (ret)[0] = (word1)[0] ^ (word2)[0],                        \
   92     (ret)[1] = (word1)[1] ^ (word2)[1] )
   93 
   94 /*
   95  * Define 64-bit AND
   96  */
   97 #define SHA512_AND(word1, word2, ret) (                        \
   98     (ret)[0] = (word1)[0] & (word2)[0],                        \
   99     (ret)[1] = (word1)[1] & (word2)[1] )
  100 
  101 /*
  102  * Define 64-bit TILDA
  103  */
  104 #define SHA512_TILDA(word, ret)                                \
  105   ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
  106 
  107 /*
  108  * Define 64-bit ADD
  109  */
  110 #define SHA512_ADD(word1, word2, ret) (                        \
  111     (ret)[1] = (word1)[1], (ret)[1] += (word2)[1],             \
  112     (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
  113 
  114 /*
  115  * Add the 4word value in word2 to word1.
  116  */
  117 static uint32_t ADDTO4_temp, ADDTO4_temp2;
  118 #define SHA512_ADDTO4(word1, word2) (                          \
  119     ADDTO4_temp = (word1)[3],                                  \
  120     (word1)[3] += (word2)[3],                                  \
  121     ADDTO4_temp2 = (word1)[2],                                 \
  122     (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp),     \
  123     ADDTO4_temp = (word1)[1],                                  \
  124     (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2),    \
  125     (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )
  126 
  127 /*
  128  * Add the 2word value in word2 to word1.
  129  */
  130 static uint32_t ADDTO2_temp;
  131 #define SHA512_ADDTO2(word1, word2) (                          \
  132     ADDTO2_temp = (word1)[1],                                  \
  133     (word1)[1] += (word2)[1],                                  \
  134     (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
  135 
  136 /*
  137  * SHA rotate   ((word >> bits) | (word << (64-bits)))
  138  */
  139 static uint32_t ROTR_temp1[2], ROTR_temp2[2];
  140 #define SHA512_ROTR(bits, word, ret) (                         \
  141     SHA512_SHR((bits), (word), ROTR_temp1),                    \
  142     SHA512_SHL(64-(bits), (word), ROTR_temp2),                 \
  143     SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
  144 
  145 /*
  146  * Define the SHA SIGMA and sigma macros
  147  *
  148  *  SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
  149  */
  150 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
  151   SIGMA0_temp3[2], SIGMA0_temp4[2];
  152 #define SHA512_SIGMA0(word, ret) (                             \
  153     SHA512_ROTR(28, (word), SIGMA0_temp1),                     \
  154     SHA512_ROTR(34, (word), SIGMA0_temp2),                     \
  155     SHA512_ROTR(39, (word), SIGMA0_temp3),                     \
  156     SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4),      \
  157     SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
  158 
  159 /*
  160  * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
  161  */
  162 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
  163   SIGMA1_temp3[2], SIGMA1_temp4[2];
  164 #define SHA512_SIGMA1(word, ret) (                             \
  165     SHA512_ROTR(14, (word), SIGMA1_temp1),                     \
  166     SHA512_ROTR(18, (word), SIGMA1_temp2),                     \
  167     SHA512_ROTR(41, (word), SIGMA1_temp3),                     \
  168     SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4),      \
  169     SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
  170 
  171 /*
  172  * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
  173  */
  174 static uint32_t sigma0_temp1[2], sigma0_temp2[2],
  175   sigma0_temp3[2], sigma0_temp4[2];
  176 #define SHA512_sigma0(word, ret) (                             \
  177     SHA512_ROTR( 1, (word), sigma0_temp1),                     \
  178     SHA512_ROTR( 8, (word), sigma0_temp2),                     \
  179     SHA512_SHR( 7, (word), sigma0_temp3),                      \
  180     SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4),      \
  181     SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
  182 
  183 /*
  184  * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
  185  */
  186 static uint32_t sigma1_temp1[2], sigma1_temp2[2],
  187   sigma1_temp3[2], sigma1_temp4[2];
  188 #define SHA512_sigma1(word, ret) (                             \
  189     SHA512_ROTR(19, (word), sigma1_temp1),                     \
  190     SHA512_ROTR(61, (word), sigma1_temp2),                     \
  191     SHA512_SHR( 6, (word), sigma1_temp3),                      \
  192     SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4),      \
  193     SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
  194 
  195 #ifndef USE_MODIFIED_MACROS
  196 /*
  197  * These definitions are the ones used in FIPS 180-3, section 4.1.3
  198  *  Ch(x,y,z)   ((x & y) ^ (~x & z))
  199  */
  200 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
  201 #define SHA_Ch(x, y, z, ret) (                                 \
  202     SHA512_AND(x, y, Ch_temp1),                                \
  203     SHA512_TILDA(x, Ch_temp2),                                 \
  204     SHA512_AND(Ch_temp2, z, Ch_temp3),                         \
  205     SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
  206 
  207 /*
  208  *  Maj(x,y,z)  (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
  209  */
  210 static uint32_t Maj_temp1[2], Maj_temp2[2],
  211   Maj_temp3[2], Maj_temp4[2];
  212 #define SHA_Maj(x, y, z, ret) (                                \
  213     SHA512_AND(x, y, Maj_temp1),                               \
  214     SHA512_AND(x, z, Maj_temp2),                               \
  215     SHA512_AND(y, z, Maj_temp3),                               \
  216     SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4),               \
  217     SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
  218 #else /* !USE_MODIFIED_MACROS */
  219 /*
  220  * These definitions are potentially faster equivalents for the ones
  221  * used in FIPS 180-3, section 4.1.3.
  222  *   ((x & y) ^ (~x & z)) becomes
  223  *   ((x & (y ^ z)) ^ z)
  224  */
  225 #define SHA_Ch(x, y, z, ret) (                                 \
  226    (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]),         \
  227    (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
  228 
  229 /*
  230  *   ((x & y) ^ (x & z) ^ (y & z)) becomes
  231  *   ((x & (y | z)) | (y & z))
  232  */
  233 #define SHA_Maj(x, y, z, ret) (                                 \
  234    ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
  235    ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
  236 #endif /* USE_MODIFIED_MACROS */
  237 
  238 /*
  239  * Add "length" to the length.
  240  * Set Corrupted when overflow has occurred.
  241  */
  242 static uint32_t addTemp[4] = { 0, 0, 0, 0 };
  243 #define SHA384_512AddLength(context, length) (                        \
  244     addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
  245     (context)->Corrupted = (((context)->Length[3] < (length)) &&      \
  246        ((context)->Length[2] == 0) && ((context)->Length[1] == 0) &&  \
  247        ((context)->Length[0] == 0)) ? shaInputTooLong :               \
  248                                       (context)->Corrupted )
  249 
  250 /* Local Function Prototypes */
  251 static int SHA384_512Reset(SHA512Context *context,
  252                            uint32_t H0[SHA512HashSize/4]);
  253 static void SHA384_512ProcessMessageBlock(SHA512Context *context);
  254 static void SHA384_512Finalize(SHA512Context *context,
  255   uint8_t Pad_Byte);
  256 static void SHA384_512PadMessage(SHA512Context *context,
  257   uint8_t Pad_Byte);
  258 static int SHA384_512ResultN( SHA512Context *context,
  259   uint8_t Message_Digest[ ], int HashSize);
  260 
  261 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */
  262 static uint32_t SHA384_H0[SHA512HashSize/4] = {
  263     0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
  264     0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
  265     0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
  266     0xBEFA4FA4
  267 };
  268 static uint32_t SHA512_H0[SHA512HashSize/4] = {
  269     0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
  270     0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
  271     0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
  272     0x137E2179
  273 };
  274 
  275 #else /* !USE_32BIT_ONLY */
  276 
  277 #include "sha-private.h"
  278 
  279 /* Define the SHA shift, rotate left and rotate right macros */
  280 #define SHA512_SHR(bits,word)  (((uint64_t)(word)) >> (bits))
  281 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
  282                                 (((uint64_t)(word)) << (64-(bits))))
  283 
  284 /*
  285  * Define the SHA SIGMA and sigma macros
  286  *
  287  *  SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
  288  */
  289 #define SHA512_SIGMA0(word)   \
  290  (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
  291 #define SHA512_SIGMA1(word)   \
  292  (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
  293 #define SHA512_sigma0(word)   \
  294  (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
  295 #define SHA512_sigma1(word)   \
  296  (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
  297 
  298 /*
  299  * Add "length" to the length.
  300  * Set Corrupted when overflow has occurred.
  301  */
  302 static uint64_t addTemp;
  303 #define SHA384_512AddLength(context, length)                   \
  304    (addTemp = context->Length_Low, context->Corrupted =        \
  305     ((context->Length_Low += length) < addTemp) &&             \
  306     (++context->Length_High == 0) ? shaInputTooLong :          \
  307                                     (context)->Corrupted)
  308 
  309 /* Local Function Prototypes */
  310 static int SHA384_512Reset(SHA512Context *context,
  311                            uint64_t H0[SHA512HashSize/8]);
  312 static void SHA384_512ProcessMessageBlock(SHA512Context *context);
  313 static void SHA384_512Finalize(SHA512Context *context,
  314   uint8_t Pad_Byte);
  315 static void SHA384_512PadMessage(SHA512Context *context,
  316   uint8_t Pad_Byte);
  317 static int SHA384_512ResultN(SHA512Context *context,
  318   uint8_t Message_Digest[ ], int HashSize);
  319 
  320 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */
  321 static uint64_t SHA384_H0[ ] = {
  322     0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll,
  323     0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll,
  324     0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll
  325 };
  326 static uint64_t SHA512_H0[ ] = {
  327     0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll,
  328     0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll,
  329     0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll
  330 };
  331 
  332 #endif /* USE_32BIT_ONLY */
  333 
  334 /*
  335  * SHA384Reset
  336  *
  337  * Description:
  338  *   This function will initialize the SHA384Context in preparation
  339  *   for computing a new SHA384 message digest.
  340  *
  341  * Parameters:
  342  *   context: [in/out]
  343  *     The context to reset.
  344  *
  345  * Returns:
  346  *   sha Error Code.
  347  *
  348  */
  349 int SHA384Reset(SHA384Context *context)
  350 {
  351   return SHA384_512Reset(context, SHA384_H0);
  352 }
  353 
  354 /*
  355  * SHA384Input
  356  *
  357  * Description:
  358  *   This function accepts an array of octets as the next portion
  359  *   of the message.
  360  *
  361  * Parameters:
  362  *   context: [in/out]
  363  *     The SHA context to update.
  364  *   message_array[ ]: [in]
  365  *     An array of octets representing the next portion of
  366  *     the message.
  367  *   length: [in]
  368  *     The length of the message in message_array.
  369  *
  370  * Returns:
  371  *   sha Error Code.
  372  *
  373  */
  374 int SHA384Input(SHA384Context *context,
  375     const uint8_t *message_array, unsigned int length)
  376 {
  377   return SHA512Input(context, message_array, length);
  378 }
  379 
  380 /*
  381  * SHA384FinalBits
  382  *
  383  * Description:
  384  *   This function will add in any final bits of the message.
  385  *
  386  * Parameters:
  387  *   context: [in/out]
  388  *     The SHA context to update.
  389  *   message_bits: [in]
  390  *     The final bits of the message, in the upper portion of the
  391  *     byte.  (Use 0b###00000 instead of 0b00000### to input the
  392  *     three bits ###.)
  393  *   length: [in]
  394  *     The number of bits in message_bits, between 1 and 7.
  395  *
  396  * Returns:
  397  *   sha Error Code.
  398  *
  399  */
  400 int SHA384FinalBits(SHA384Context *context,
  401                     uint8_t message_bits, unsigned int length)
  402 {
  403   return SHA512FinalBits(context, message_bits, length);
  404 }
  405 
  406 /*
  407  * SHA384Result
  408  *
  409  * Description:
  410  *   This function will return the 384-bit message digest
  411  *   into the Message_Digest array provided by the caller.
  412  *   NOTE:
  413  *    The first octet of hash is stored in the element with index 0,
  414  *    the last octet of hash in the element with index 47.
  415  *
  416  * Parameters:
  417  *   context: [in/out]
  418  *     The context to use to calculate the SHA hash.
  419  *   Message_Digest[ ]: [out]
  420  *     Where the digest is returned.
  421  *
  422  * Returns:
  423  *   sha Error Code.
  424  *
  425  */
  426 int SHA384Result(SHA384Context *context,
  427     uint8_t Message_Digest[SHA384HashSize])
  428 {
  429   return SHA384_512ResultN(context, Message_Digest, SHA384HashSize);
  430 }
  431 
  432 /*
  433  * SHA512Reset
  434  *
  435  * Description:
  436  *   This function will initialize the SHA512Context in preparation
  437  *   for computing a new SHA512 message digest.
  438  *
  439  * Parameters:
  440  *   context: [in/out]
  441  *     The context to reset.
  442  *
  443  * Returns:
  444  *   sha Error Code.
  445  *
  446  */
  447 int SHA512Reset(SHA512Context *context)
  448 {
  449   return SHA384_512Reset(context, SHA512_H0);
  450 }
  451 
  452 /*
  453  * SHA512Input
  454  *
  455  * Description:
  456  *   This function accepts an array of octets as the next portion
  457  *   of the message.
  458  *
  459  * Parameters:
  460  *   context: [in/out]
  461  *     The SHA context to update.
  462  *   message_array[ ]: [in]
  463  *     An array of octets representing the next portion of
  464  *     the message.
  465  *   length: [in]
  466  *     The length of the message in message_array.
  467  *
  468  * Returns:
  469  *   sha Error Code.
  470  *
  471  */
  472 int SHA512Input(SHA512Context *context,
  473         const uint8_t *message_array,
  474         unsigned int length)
  475 {
  476   if (!context) return shaNull;
  477   if (!length) return shaSuccess;
  478   if (!message_array) return shaNull;
  479   if (context->Computed) return context->Corrupted = shaStateError;
  480   if (context->Corrupted) return context->Corrupted;
  481 
  482   while (length--) {
  483     context->Message_Block[context->Message_Block_Index++] =
  484             *message_array;
  485 
  486     if ((SHA384_512AddLength(context, 8) == shaSuccess) &&
  487       (context->Message_Block_Index == SHA512_Message_Block_Size))
  488       SHA384_512ProcessMessageBlock(context);
  489 
  490     message_array++;
  491   }
  492 
  493   return context->Corrupted;
  494 }
  495 
  496 /*
  497  * SHA512FinalBits
  498  *
  499  * Description:
  500  *   This function will add in any final bits of the message.
  501  *
  502  * Parameters:
  503  *   context: [in/out]
  504  *     The SHA context to update.
  505  *   message_bits: [in]
  506  *     The final bits of the message, in the upper portion of the
  507  *     byte.  (Use 0b###00000 instead of 0b00000### to input the
  508  *     three bits ###.)
  509  *   length: [in]
  510  *     The number of bits in message_bits, between 1 and 7.
  511  *
  512  * Returns:
  513  *   sha Error Code.
  514  *
  515  */
  516 int SHA512FinalBits(SHA512Context *context,
  517                     uint8_t message_bits, unsigned int length)
  518 {
  519   static uint8_t masks[8] = {
  520       /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
  521       /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
  522       /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
  523       /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
  524   };
  525   static uint8_t markbit[8] = {
  526       /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
  527       /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
  528       /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
  529       /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
  530   };
  531 
  532   if (!context) return shaNull;
  533   if (!length) return shaSuccess;
  534   if (context->Corrupted) return context->Corrupted;
  535   if (context->Computed) return context->Corrupted = shaStateError;
  536   if (length >= 8) return context->Corrupted = shaBadParam;
  537 
  538   SHA384_512AddLength(context, length);
  539   SHA384_512Finalize(context, (uint8_t)
  540     ((message_bits & masks[length]) | markbit[length]));
  541 
  542   return context->Corrupted;
  543 }
  544 
  545 /*
  546  * SHA512Result
  547  *
  548  * Description:
  549  *   This function will return the 512-bit message digest
  550  *   into the Message_Digest array provided by the caller.
  551  *   NOTE:
  552  *    The first octet of hash is stored in the element with index 0,
  553  *    the last octet of hash in the element with index 63.
  554  *
  555  * Parameters:
  556  *   context: [in/out]
  557  *     The context to use to calculate the SHA hash.
  558  *   Message_Digest[ ]: [out]
  559  *     Where the digest is returned.
  560  *
  561  * Returns:
  562  *   sha Error Code.
  563  *
  564  */
  565 int SHA512Result(SHA512Context *context,
  566     uint8_t Message_Digest[SHA512HashSize])
  567 {
  568   return SHA384_512ResultN(context, Message_Digest, SHA512HashSize);
  569 }
  570 
  571 /*
  572  * SHA384_512Reset
  573  *
  574  * Description:
  575  *   This helper function will initialize the SHA512Context in
  576  *   preparation for computing a new SHA384 or SHA512 message
  577  *   digest.
  578  *
  579  * Parameters:
  580  *   context: [in/out]
  581  *     The context to reset.
  582  *   H0[ ]: [in]
  583  *     The initial hash value array to use.
  584  *
  585  * Returns:
  586  *   sha Error Code.
  587  *
  588  */
  589 #ifdef USE_32BIT_ONLY
  590 static int SHA384_512Reset(SHA512Context *context,
  591                            uint32_t H0[SHA512HashSize/4])
  592 #else /* !USE_32BIT_ONLY */
  593 static int SHA384_512Reset(SHA512Context *context,
  594                            uint64_t H0[SHA512HashSize/8])
  595 #endif /* USE_32BIT_ONLY */
  596 {
  597   int i;
  598   if (!context) return shaNull;
  599   context->Message_Block_Index = 0;
  600 
  601 #ifdef USE_32BIT_ONLY
  602   context->Length[0] = context->Length[1] =
  603   context->Length[2] = context->Length[3] = 0;
  604 
  605   for (i = 0; i < SHA512HashSize/4; i++)
  606     context->Intermediate_Hash[i] = H0[i];
  607 #else /* !USE_32BIT_ONLY */
  608   context->Length_High = context->Length_Low = 0;
  609 
  610   for (i = 0; i < SHA512HashSize/8; i++)
  611     context->Intermediate_Hash[i] = H0[i];
  612 #endif /* USE_32BIT_ONLY */
  613 
  614   context->Computed = 0;
  615   context->Corrupted = shaSuccess;
  616 
  617   return shaSuccess;
  618 }
  619 
  620 /*
  621  * SHA384_512ProcessMessageBlock
  622  *
  623  * Description:
  624  *   This helper function will process the next 1024 bits of the
  625  *   message stored in the Message_Block array.
  626  *
  627  * Parameters:
  628  *   context: [in/out]
  629  *     The SHA context to update.
  630  *
  631  * Returns:
  632  *   Nothing.
  633  *
  634  * Comments:
  635  *   Many of the variable names in this code, especially the
  636  *   single character names, were used because those were the
  637  *   names used in the Secure Hash Standard.
  638  *
  639  *
  640  */
  641 static void SHA384_512ProcessMessageBlock(SHA512Context *context)
  642 {
  643 #ifdef USE_32BIT_ONLY
  644   /* Constants defined in FIPS 180-3, section 4.2.3 */
  645   static const uint32_t K[80*2] = {
  646       0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
  647       0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
  648       0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
  649       0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
  650       0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
  651       0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
  652       0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
  653       0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
  654       0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
  655       0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
  656       0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,
  657       0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
  658       0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
  659       0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
  660       0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
  661       0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
  662       0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
  663       0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
  664       0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
  665       0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
  666       0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
  667       0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
  668       0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
  669       0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
  670       0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
  671       0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
  672       0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
  673       0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
  674       0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
  675       0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
  676       0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
  677       0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
  678   };
  679   int     t, t2, t8;                  /* Loop counter */
  680   uint32_t  temp1[2], temp2[2],       /* Temporary word values */
  681         temp3[2], temp4[2], temp5[2];
  682   uint32_t  W[2*80];          /* Word sequence. Security review: Location L6a */
  683   uint32_t  A[2], B[2], C[2], D[2],   /* Word buffers */
  684         E[2], F[2], G[2], H[2];
  685 
  686   /* Initialize the first 16 words in the array W */
  687   for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) {
  688     W[t2++] = ((((uint32_t)context->Message_Block[t8    ])) << 24) |
  689               ((((uint32_t)context->Message_Block[t8 + 1])) << 16) |
  690               ((((uint32_t)context->Message_Block[t8 + 2])) << 8) |
  691               ((((uint32_t)context->Message_Block[t8 + 3])));
  692     W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) |
  693               ((((uint32_t)context->Message_Block[t8 + 5])) << 16) |
  694               ((((uint32_t)context->Message_Block[t8 + 6])) << 8) |
  695               ((((uint32_t)context->Message_Block[t8 + 7])));
  696   }
  697 
  698   for (t = 16; t < 80; t++, t2 += 2) {
  699     /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
  700       SHA512_sigma0(W[t-15]) + W[t-16]; */
  701     uint32_t *Wt2 = &W[t2-2*2];
  702     uint32_t *Wt7 = &W[t2-7*2];
  703     uint32_t *Wt15 = &W[t2-15*2];
  704     uint32_t *Wt16 = &W[t2-16*2];
  705     SHA512_sigma1(Wt2, temp1);
  706     SHA512_ADD(temp1, Wt7, temp2);
  707     SHA512_sigma0(Wt15, temp1);
  708     SHA512_ADD(temp1, Wt16, temp3);
  709     SHA512_ADD(temp2, temp3, &W[t2]);
  710   }
  711 
  712   A[0] = context->Intermediate_Hash[0];
  713   A[1] = context->Intermediate_Hash[1];
  714   B[0] = context->Intermediate_Hash[2];
  715   B[1] = context->Intermediate_Hash[3];
  716   C[0] = context->Intermediate_Hash[4];
  717   C[1] = context->Intermediate_Hash[5];
  718   D[0] = context->Intermediate_Hash[6];
  719   D[1] = context->Intermediate_Hash[7];
  720   E[0] = context->Intermediate_Hash[8];
  721   E[1] = context->Intermediate_Hash[9];
  722   F[0] = context->Intermediate_Hash[10];
  723   F[1] = context->Intermediate_Hash[11];
  724   G[0] = context->Intermediate_Hash[12];
  725   G[1] = context->Intermediate_Hash[13];
  726   H[0] = context->Intermediate_Hash[14];
  727   H[1] = context->Intermediate_Hash[15];
  728 
  729   for (t = t2 = 0; t < 80; t++, t2 += 2) {
  730     /*
  731      * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
  732      */
  733     SHA512_SIGMA1(E,temp1);
  734     SHA512_ADD(H, temp1, temp2);
  735     SHA_Ch(E,F,G,temp3);
  736     SHA512_ADD(temp2, temp3, temp4);
  737     SHA512_ADD(&K[t2], &W[t2], temp5);
  738     SHA512_ADD(temp4, temp5, temp1);
  739     /*
  740      * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
  741      */
  742     SHA512_SIGMA0(A,temp3);
  743     SHA_Maj(A,B,C,temp4);
  744     SHA512_ADD(temp3, temp4, temp2);
  745     H[0] = G[0]; H[1] = G[1];
  746     G[0] = F[0]; G[1] = F[1];
  747     F[0] = E[0]; F[1] = E[1];
  748     SHA512_ADD(D, temp1, E);
  749     D[0] = C[0]; D[1] = C[1];
  750     C[0] = B[0]; C[1] = B[1];
  751     B[0] = A[0]; B[1] = A[1];
  752     SHA512_ADD(temp1, temp2, A);
  753   }
  754 
  755   cl_clear_secret((void *) W, sizeof(W), sizeof(W));
  756 
  757   SHA512_ADDTO2(&context->Intermediate_Hash[0], A);
  758   SHA512_ADDTO2(&context->Intermediate_Hash[2], B);
  759   SHA512_ADDTO2(&context->Intermediate_Hash[4], C);
  760   SHA512_ADDTO2(&context->Intermediate_Hash[6], D);
  761   SHA512_ADDTO2(&context->Intermediate_Hash[8], E);
  762   SHA512_ADDTO2(&context->Intermediate_Hash[10], F);
  763   SHA512_ADDTO2(&context->Intermediate_Hash[12], G);
  764   SHA512_ADDTO2(&context->Intermediate_Hash[14], H);
  765 
  766 #else /* !USE_32BIT_ONLY */
  767   /* Constants defined in FIPS 180-3, section 4.2.3 */
  768   static const uint64_t K[80] = {
  769       0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll,
  770       0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll,
  771       0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll,
  772       0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll,
  773       0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll,
  774       0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll,
  775       0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll,
  776       0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll,
  777       0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll,
  778       0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll,
  779       0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll,
  780       0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll,
  781       0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll,
  782       0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll,
  783       0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll,
  784       0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll,
  785       0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll,
  786       0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll,
  787       0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll,
  788       0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll,
  789       0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll,
  790       0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll,
  791       0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll,
  792       0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll,
  793       0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll,
  794       0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All,
  795       0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll
  796   };
  797   int        t, t8;           /* Loop counter */
  798   uint64_t   temp1, temp2;    /* Temporary word value */
  799   uint64_t   W[80];           /* Word sequence. Security review: Location L6b */
  800   uint64_t   A, B, C, D, E, F, G, H;  /* Word buffers */
  801 
  802   /*
  803    * Initialize the first 16 words in the array W
  804    */
  805   for (t = t8 = 0; t < 16; t++, t8 += 8)
  806     W[t] = ((uint64_t)(context->Message_Block[t8  ]) << 56) |
  807            ((uint64_t)(context->Message_Block[t8 + 1]) << 48) |
  808            ((uint64_t)(context->Message_Block[t8 + 2]) << 40) |
  809            ((uint64_t)(context->Message_Block[t8 + 3]) << 32) |
  810            ((uint64_t)(context->Message_Block[t8 + 4]) << 24) |
  811            ((uint64_t)(context->Message_Block[t8 + 5]) << 16) |
  812            ((uint64_t)(context->Message_Block[t8 + 6]) << 8) |
  813            ((uint64_t)(context->Message_Block[t8 + 7]));
  814 
  815   for (t = 16; t < 80; t++)
  816     W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
  817         SHA512_sigma0(W[t-15]) + W[t-16];
  818   A = context->Intermediate_Hash[0];
  819   B = context->Intermediate_Hash[1];
  820   C = context->Intermediate_Hash[2];
  821   D = context->Intermediate_Hash[3];
  822   E = context->Intermediate_Hash[4];
  823   F = context->Intermediate_Hash[5];
  824   G = context->Intermediate_Hash[6];
  825   H = context->Intermediate_Hash[7];
  826 
  827   for (t = 0; t < 80; t++) {
  828     temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
  829     temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
  830     H = G;
  831     G = F;
  832     F = E;
  833     E = D + temp1;
  834     D = C;
  835     C = B;
  836     B = A;
  837     A = temp1 + temp2;
  838   }
  839 
  840   cl_clear_secret((void *) W, sizeof(W), sizeof(W));
  841 
  842   context->Intermediate_Hash[0] += A;
  843   context->Intermediate_Hash[1] += B;
  844   context->Intermediate_Hash[2] += C;
  845   context->Intermediate_Hash[3] += D;
  846   context->Intermediate_Hash[4] += E;
  847   context->Intermediate_Hash[5] += F;
  848   context->Intermediate_Hash[6] += G;
  849   context->Intermediate_Hash[7] += H;
  850 #endif /* USE_32BIT_ONLY */
  851 
  852   context->Message_Block_Index = 0;
  853 }
  854 
  855 /*
  856  * SHA384_512Finalize
  857  *
  858  * Description:
  859  *   This helper function finishes off the digest calculations.
  860  *
  861  * Parameters:
  862  *   context: [in/out]
  863  *     The SHA context to update.
  864  *   Pad_Byte: [in]
  865  *     The last byte to add to the message block before the 0-padding
  866  *     and length.  This will contain the last bits of the message
  867  *     followed by another single bit.  If the message was an
  868  *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
  869  *
  870  * Returns:
  871  *   sha Error Code.
  872  *
  873  */
  874 static void SHA384_512Finalize(SHA512Context *context,
  875     uint8_t Pad_Byte)
  876 {
  877   int_least16_t i;
  878   SHA384_512PadMessage(context, Pad_Byte);
  879   /* message may be sensitive, clear it out */
  880   for (i = 0; i < SHA512_Message_Block_Size; ++i)
  881     context->Message_Block[i] = 0;
  882 #ifdef USE_32BIT_ONLY    /* and clear length */
  883   context->Length[0] = context->Length[1] = 0;
  884   context->Length[2] = context->Length[3] = 0;
  885 #else /* !USE_32BIT_ONLY */
  886   context->Length_High = context->Length_Low = 0;
  887 #endif /* USE_32BIT_ONLY */
  888   context->Computed = 1;
  889 }
  890 
  891 /*
  892  * SHA384_512PadMessage
  893  *
  894  * Description:
  895  *   According to the standard, the message must be padded to the next
  896  *   even multiple of 1024 bits.  The first padding bit must be a '1'.
  897  *   The last 128 bits represent the length of the original message.
  898  *   All bits in between should be 0.  This helper function will
  899  *   pad the message according to those rules by filling the
  900  *   Message_Block array accordingly.  When it returns, it can be
  901  *   assumed that the message digest has been computed.
  902  *
  903  * Parameters:
  904  *   context: [in/out]
  905  *     The context to pad.
  906  *   Pad_Byte: [in]
  907  *     The last byte to add to the message block before the 0-padding
  908  *     and length.  This will contain the last bits of the message
  909  *     followed by another single bit.  If the message was an
  910  *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
  911  *
  912  * Returns:
  913  *   Nothing.
  914  *
  915  */
  916 static void SHA384_512PadMessage(SHA512Context *context,
  917     uint8_t Pad_Byte)
  918 {
  919   /*
  920    * Check to see if the current message block is too small to hold
  921    * the initial padding bits and length.  If so, we will pad the
  922    * block, process it, and then continue padding into a second
  923    * block.
  924    */
  925   if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) {
  926     context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
  927     while (context->Message_Block_Index < SHA512_Message_Block_Size)
  928       context->Message_Block[context->Message_Block_Index++] = 0;
  929 
  930     SHA384_512ProcessMessageBlock(context);
  931   } else
  932     context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
  933 
  934   while (context->Message_Block_Index < (SHA512_Message_Block_Size-16))
  935     context->Message_Block[context->Message_Block_Index++] = 0;
  936 
  937   /*
  938    * Store the message length as the last 16 octets
  939    */
  940 #ifdef USE_32BIT_ONLY
  941   context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24);
  942   context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16);
  943   context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8);
  944   context->Message_Block[115] = (uint8_t)(context->Length[0]);
  945   context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24);
  946   context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16);
  947   context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8);
  948   context->Message_Block[119] = (uint8_t)(context->Length[1]);
  949 
  950   context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24);
  951   context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16);
  952   context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8);
  953   context->Message_Block[123] = (uint8_t)(context->Length[2]);
  954   context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24);
  955   context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16);
  956   context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8);
  957   context->Message_Block[127] = (uint8_t)(context->Length[3]);
  958 #else /* !USE_32BIT_ONLY */
  959   context->Message_Block[112] = (uint8_t)(context->Length_High >> 56);
  960   context->Message_Block[113] = (uint8_t)(context->Length_High >> 48);
  961   context->Message_Block[114] = (uint8_t)(context->Length_High >> 40);
  962   context->Message_Block[115] = (uint8_t)(context->Length_High >> 32);
  963   context->Message_Block[116] = (uint8_t)(context->Length_High >> 24);
  964   context->Message_Block[117] = (uint8_t)(context->Length_High >> 16);
  965   context->Message_Block[118] = (uint8_t)(context->Length_High >> 8);
  966   context->Message_Block[119] = (uint8_t)(context->Length_High);
  967 
  968   context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56);
  969   context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48);
  970   context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40);
  971   context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32);
  972   context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24);
  973   context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16);
  974   context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8);
  975   context->Message_Block[127] = (uint8_t)(context->Length_Low);
  976 #endif /* USE_32BIT_ONLY */
  977 
  978   SHA384_512ProcessMessageBlock(context);
  979 }
  980 
  981 /*
  982  * SHA384_512ResultN
  983  *
  984  * Description:
  985  *   This helper function will return the 384-bit or 512-bit message
  986  *   digest into the Message_Digest array provided by the caller.
  987  *   NOTE:
  988  *    The first octet of hash is stored in the element with index 0,
  989  *    the last octet of hash in the element with index 47/63.
  990  *
  991  * Parameters:
  992  *   context: [in/out]
  993  *     The context to use to calculate the SHA hash.
  994  *   Message_Digest[ ]: [out]
  995  *     Where the digest is returned.
  996  *   HashSize: [in]
  997  *     The size of the hash, either 48 or 64.
  998  *
  999  * Returns:
 1000  *   sha Error Code.
 1001  *
 1002  */
 1003 static int SHA384_512ResultN(SHA512Context *context,
 1004     uint8_t Message_Digest[ ], int HashSize)
 1005 {
 1006   int i;
 1007 #ifdef USE_32BIT_ONLY
 1008   int i2;
 1009 #endif /* USE_32BIT_ONLY */
 1010 
 1011   if (!context) return shaNull;
 1012   if (!Message_Digest) return shaNull;
 1013   if (context->Corrupted) return context->Corrupted;
 1014 
 1015   if (!context->Computed)
 1016     SHA384_512Finalize(context, 0x80);
 1017 
 1018 #ifdef USE_32BIT_ONLY
 1019   for (i = i2 = 0; i < HashSize; ) {
 1020     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
 1021     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
 1022     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
 1023     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
 1024     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
 1025     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
 1026     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
 1027     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
 1028   }
 1029 #else /* !USE_32BIT_ONLY */
 1030   for (i = 0; i < HashSize; ++i)
 1031     Message_Digest[i] = (uint8_t)
 1032       (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) ));
 1033 #endif /* USE_32BIT_ONLY */
 1034 
 1035   return shaSuccess;
 1036 }