"Fossies" - the Fresh Open Source Software Archive

Member "tin-2.4.2/libcanlock/src/sha384-512.c" (4 May 2017, 37471 Bytes) of package /linux/misc/tin-2.4.2.tar.xz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "sha384-512.c" see the Fossies "Dox" file reference documentation.

    1 /************************* sha384-512.c ************************/
    2 /***************** See RFC 6234 for details. *******************/
    3 /* Copyright (c) 2011 IETF Trust and the persons identified as */
    4 /* authors of the code.  All rights reserved.                  */
    5 /* See sha.h for terms of use and redistribution.              */
    6 
    7 /*
    8  * Description:
    9  *   This file implements the Secure Hash Algorithms SHA-384 and
   10  *   SHA-512 as defined in the U.S. National Institute of Standards
   11  *   and Technology Federal Information Processing Standards
   12  *   Publication (FIPS PUB) 180-3 published in October 2008
   13  *   and formerly defined in its predecessors, FIPS PUB 180-1
   14  *   and FIP PUB 180-2.
   15  *
   16  *   A combined document showing all algorithms is available at
   17  *       http://csrc.nist.gov/publications/fips/
   18  *              fips180-3/fips180-3_final.pdf
   19  *
   20  *   The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
   21  *   message digests for a given data stream.  It should take about
   22  *   2**n steps to find a message with the same digest as a given
   23  *   message and 2**(n/2) to find any two messages with the same
   24  *   digest, when n is the digest size in bits.  Therefore, this
   25  *   algorithm can serve as a means of providing a
   26  *   "fingerprint" for a message.
   27  *
   28  * Portability Issues:
   29  *   SHA-384 and SHA-512 are defined in terms of 64-bit "words",
   30  *   but if USE_32BIT_ONLY is #defined, this code is implemented in
   31  *   terms of 32-bit "words".  This code uses <stdint.h> (included
   32  *   via "sha.h") to define the 64-, 32- and 8-bit unsigned integer
   33  *   types.  If your C compiler does not support 64-bit unsigned
   34  *   integers and you do not #define USE_32BIT_ONLY, this code is
   35  *   not appropriate.
   36  *
   37  * Caveats:
   38  *   SHA-384 and SHA-512 are designed to work with messages less
   39  *   than 2^128 bits long.  This implementation uses SHA384/512Input()
   40  *   to hash the bits that are a multiple of the size of an 8-bit
   41  *   octet, and then optionally uses SHA384/256FinalBits()
   42  *   to hash the final few bits of the input.
   43  *
   44  */
   45 
   46 #include "sha.h"
   47 
   48 #ifdef USE_32BIT_ONLY
   49 /*
   50  * Define 64-bit arithmetic in terms of 32-bit arithmetic.
   51  * Each 64-bit number is represented in a 2-word array.
   52  * All macros are defined such that the result is the last parameter.
   53  */
   54 
   55 /*
   56  * Define shift, rotate left, and rotate right functions
   57  */
   58 #define SHA512_SHR(bits, word, ret) (                          \
   59     /* (((uint64_t)((word))) >> (bits)) */                     \
   60     (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ?              \
   61       ((word)[0] >> (bits)) : 0,                               \
   62     (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) :  \
   63       ((bits) == 32) ? (word)[0] :                             \
   64       ((bits) >= 0) ?                                          \
   65         (((word)[0] << (32 - (bits))) |                        \
   66         ((word)[1] >> (bits))) : 0 )
   67 
   68 #define SHA512_SHL(bits, word, ret) (                          \
   69     /* (((uint64_t)(word)) << (bits)) */                       \
   70     (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) :  \
   71          ((bits) == 32) ? (word)[1] :                          \
   72          ((bits) >= 0) ?                                       \
   73            (((word)[0] << (bits)) |                            \
   74            ((word)[1] >> (32 - (bits)))) :                     \
   75          0,                                                    \
   76     (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ?              \
   77         ((word)[1] << (bits)) : 0 )
   78 
   79 /*
   80  * Define 64-bit OR
   81  */
   82 #define SHA512_OR(word1, word2, ret) (                         \
   83     (ret)[0] = (word1)[0] | (word2)[0],                        \
   84     (ret)[1] = (word1)[1] | (word2)[1] )
   85 
   86 /*
   87  * Define 64-bit XOR
   88  */
   89 #define SHA512_XOR(word1, word2, ret) (                        \
   90     (ret)[0] = (word1)[0] ^ (word2)[0],                        \
   91     (ret)[1] = (word1)[1] ^ (word2)[1] )
   92 
   93 /*
   94  * Define 64-bit AND
   95  */
   96 #define SHA512_AND(word1, word2, ret) (                        \
   97     (ret)[0] = (word1)[0] & (word2)[0],                        \
   98     (ret)[1] = (word1)[1] & (word2)[1] )
   99 
  100 /*
  101  * Define 64-bit TILDA
  102  */
  103 #define SHA512_TILDA(word, ret)                                \
  104   ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
  105 
  106 /*
  107  * Define 64-bit ADD
  108  */
  109 #define SHA512_ADD(word1, word2, ret) (                        \
  110     (ret)[1] = (word1)[1], (ret)[1] += (word2)[1],             \
  111     (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
  112 
  113 /*
  114  * Add the 4word value in word2 to word1.
  115  */
  116 static uint32_t ADDTO4_temp, ADDTO4_temp2;
  117 #define SHA512_ADDTO4(word1, word2) (                          \
  118     ADDTO4_temp = (word1)[3],                                  \
  119     (word1)[3] += (word2)[3],                                  \
  120     ADDTO4_temp2 = (word1)[2],                                 \
  121     (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp),     \
  122     ADDTO4_temp = (word1)[1],                                  \
  123     (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2),    \
  124     (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )
  125 
  126 /*
  127  * Add the 2word value in word2 to word1.
  128  */
  129 static uint32_t ADDTO2_temp;
  130 #define SHA512_ADDTO2(word1, word2) (                          \
  131     ADDTO2_temp = (word1)[1],                                  \
  132     (word1)[1] += (word2)[1],                                  \
  133     (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
  134 
  135 /*
  136  * SHA rotate   ((word >> bits) | (word << (64-bits)))
  137  */
  138 static uint32_t ROTR_temp1[2], ROTR_temp2[2];
  139 #define SHA512_ROTR(bits, word, ret) (                         \
  140     SHA512_SHR((bits), (word), ROTR_temp1),                    \
  141     SHA512_SHL(64-(bits), (word), ROTR_temp2),                 \
  142     SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
  143 
  144 /*
  145  * Define the SHA SIGMA and sigma macros
  146  *
  147  *  SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
  148  */
  149 static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
  150   SIGMA0_temp3[2], SIGMA0_temp4[2];
  151 #define SHA512_SIGMA0(word, ret) (                             \
  152     SHA512_ROTR(28, (word), SIGMA0_temp1),                     \
  153     SHA512_ROTR(34, (word), SIGMA0_temp2),                     \
  154     SHA512_ROTR(39, (word), SIGMA0_temp3),                     \
  155     SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4),      \
  156     SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
  157 
  158 /*
  159  * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
  160  */
  161 static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
  162   SIGMA1_temp3[2], SIGMA1_temp4[2];
  163 #define SHA512_SIGMA1(word, ret) (                             \
  164     SHA512_ROTR(14, (word), SIGMA1_temp1),                     \
  165     SHA512_ROTR(18, (word), SIGMA1_temp2),                     \
  166     SHA512_ROTR(41, (word), SIGMA1_temp3),                     \
  167     SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4),      \
  168     SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
  169 
  170 /*
  171  * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
  172  */
  173 static uint32_t sigma0_temp1[2], sigma0_temp2[2],
  174   sigma0_temp3[2], sigma0_temp4[2];
  175 #define SHA512_sigma0(word, ret) (                             \
  176     SHA512_ROTR( 1, (word), sigma0_temp1),                     \
  177     SHA512_ROTR( 8, (word), sigma0_temp2),                     \
  178     SHA512_SHR( 7, (word), sigma0_temp3),                      \
  179     SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4),      \
  180     SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
  181 
  182 /*
  183  * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
  184  */
  185 static uint32_t sigma1_temp1[2], sigma1_temp2[2],
  186   sigma1_temp3[2], sigma1_temp4[2];
  187 #define SHA512_sigma1(word, ret) (                             \
  188     SHA512_ROTR(19, (word), sigma1_temp1),                     \
  189     SHA512_ROTR(61, (word), sigma1_temp2),                     \
  190     SHA512_SHR( 6, (word), sigma1_temp3),                      \
  191     SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4),      \
  192     SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
  193 
  194 #ifndef USE_MODIFIED_MACROS
  195 /*
  196  * These definitions are the ones used in FIPS 180-3, section 4.1.3
  197  *  Ch(x,y,z)   ((x & y) ^ (~x & z))
  198  */
  199 static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
  200 #define SHA_Ch(x, y, z, ret) (                                 \
  201     SHA512_AND(x, y, Ch_temp1),                                \
  202     SHA512_TILDA(x, Ch_temp2),                                 \
  203     SHA512_AND(Ch_temp2, z, Ch_temp3),                         \
  204     SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
  205 
  206 /*
  207  *  Maj(x,y,z)  (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
  208  */
  209 static uint32_t Maj_temp1[2], Maj_temp2[2],
  210   Maj_temp3[2], Maj_temp4[2];
  211 #define SHA_Maj(x, y, z, ret) (                                \
  212     SHA512_AND(x, y, Maj_temp1),                               \
  213     SHA512_AND(x, z, Maj_temp2),                               \
  214     SHA512_AND(y, z, Maj_temp3),                               \
  215     SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4),               \
  216     SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
  217 #else /* !USE_MODIFIED_MACROS */
  218 /*
  219  * These definitions are potentially faster equivalents for the ones
  220  * used in FIPS 180-3, section 4.1.3.
  221  *   ((x & y) ^ (~x & z)) becomes
  222  *   ((x & (y ^ z)) ^ z)
  223  */
  224 #define SHA_Ch(x, y, z, ret) (                                 \
  225    (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]),         \
  226    (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
  227 
  228 /*
  229  *   ((x & y) ^ (x & z) ^ (y & z)) becomes
  230  *   ((x & (y | z)) | (y & z))
  231  */
  232 #define SHA_Maj(x, y, z, ret) (                                 \
  233    ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
  234    ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
  235 #endif /* USE_MODIFIED_MACROS */
  236 
  237 /*
  238  * Add "length" to the length.
  239  * Set Corrupted when overflow has occurred.
  240  */
  241 static uint32_t addTemp[4] = { 0, 0, 0, 0 };
  242 #define SHA384_512AddLength(context, length) (                        \
  243     addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
  244     (context)->Corrupted = (((context)->Length[3] < (length)) &&      \
  245        ((context)->Length[2] == 0) && ((context)->Length[1] == 0) &&  \
  246        ((context)->Length[0] == 0)) ? shaInputTooLong :               \
  247                                       (context)->Corrupted )
  248 
  249 /* Local Function Prototypes */
  250 static int SHA384_512Reset(SHA512Context *context,
  251                            uint32_t H0[SHA512HashSize/4]);
  252 static void SHA384_512ProcessMessageBlock(SHA512Context *context);
  253 static void SHA384_512Finalize(SHA512Context *context,
  254   uint8_t Pad_Byte);
  255 static void SHA384_512PadMessage(SHA512Context *context,
  256   uint8_t Pad_Byte);
  257 static int SHA384_512ResultN( SHA512Context *context,
  258   uint8_t Message_Digest[ ], int HashSize);
  259 
  260 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */
  261 static uint32_t SHA384_H0[SHA512HashSize/4] = {
  262     0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
  263     0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
  264     0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
  265     0xBEFA4FA4
  266 };
  267 static uint32_t SHA512_H0[SHA512HashSize/4] = {
  268     0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
  269     0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
  270     0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
  271     0x137E2179
  272 };
  273 
  274 #else /* !USE_32BIT_ONLY */
  275 
  276 #include "sha-private.h"
  277 
  278 /* Define the SHA shift, rotate left and rotate right macros */
  279 #define SHA512_SHR(bits,word)  (((uint64_t)(word)) >> (bits))
  280 #define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
  281                                 (((uint64_t)(word)) << (64-(bits))))
  282 
  283 /*
  284  * Define the SHA SIGMA and sigma macros
  285  *
  286  *  SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
  287  */
  288 #define SHA512_SIGMA0(word)   \
  289  (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
  290 #define SHA512_SIGMA1(word)   \
  291  (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
  292 #define SHA512_sigma0(word)   \
  293  (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
  294 #define SHA512_sigma1(word)   \
  295  (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
  296 
  297 /*
  298  * Add "length" to the length.
  299  * Set Corrupted when overflow has occurred.
  300  */
  301 static uint64_t addTemp;
  302 #define SHA384_512AddLength(context, length)                   \
  303    (addTemp = context->Length_Low, context->Corrupted =        \
  304     ((context->Length_Low += length) < addTemp) &&             \
  305     (++context->Length_High == 0) ? shaInputTooLong :          \
  306                                     (context)->Corrupted)
  307 
  308 /* Local Function Prototypes */
  309 static int SHA384_512Reset(SHA512Context *context,
  310                            uint64_t H0[SHA512HashSize/8]);
  311 static void SHA384_512ProcessMessageBlock(SHA512Context *context);
  312 static void SHA384_512Finalize(SHA512Context *context,
  313   uint8_t Pad_Byte);
  314 static void SHA384_512PadMessage(SHA512Context *context,
  315   uint8_t Pad_Byte);
  316 static int SHA384_512ResultN(SHA512Context *context,
  317   uint8_t Message_Digest[ ], int HashSize);
  318 
  319 /* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */
  320 static uint64_t SHA384_H0[ ] = {
  321     0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll,
  322     0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll,
  323     0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll
  324 };
  325 static uint64_t SHA512_H0[ ] = {
  326     0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll,
  327     0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll,
  328     0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll
  329 };
  330 
  331 #endif /* USE_32BIT_ONLY */
  332 
  333 /*
  334  * SHA384Reset
  335  *
  336  * Description:
  337  *   This function will initialize the SHA384Context in preparation
  338  *   for computing a new SHA384 message digest.
  339  *
  340  * Parameters:
  341  *   context: [in/out]
  342  *     The context to reset.
  343  *
  344  * Returns:
  345  *   sha Error Code.
  346  *
  347  */
  348 int SHA384Reset(SHA384Context *context)
  349 {
  350   return SHA384_512Reset(context, SHA384_H0);
  351 }
  352 
  353 /*
  354  * SHA384Input
  355  *
  356  * Description:
  357  *   This function accepts an array of octets as the next portion
  358  *   of the message.
  359  *
  360  * Parameters:
  361  *   context: [in/out]
  362  *     The SHA context to update.
  363  *   message_array[ ]: [in]
  364  *     An array of octets representing the next portion of
  365  *     the message.
  366  *   length: [in]
  367  *     The length of the message in message_array.
  368  *
  369  * Returns:
  370  *   sha Error Code.
  371  *
  372  */
  373 int SHA384Input(SHA384Context *context,
  374     const uint8_t *message_array, unsigned int length)
  375 {
  376   return SHA512Input(context, message_array, length);
  377 }
  378 
  379 /*
  380  * SHA384FinalBits
  381  *
  382  * Description:
  383  *   This function will add in any final bits of the message.
  384  *
  385  * Parameters:
  386  *   context: [in/out]
  387  *     The SHA context to update.
  388  *   message_bits: [in]
  389  *     The final bits of the message, in the upper portion of the
  390  *     byte.  (Use 0b###00000 instead of 0b00000### to input the
  391  *     three bits ###.)
  392  *   length: [in]
  393  *     The number of bits in message_bits, between 1 and 7.
  394  *
  395  * Returns:
  396  *   sha Error Code.
  397  *
  398  */
  399 int SHA384FinalBits(SHA384Context *context,
  400                     uint8_t message_bits, unsigned int length)
  401 {
  402   return SHA512FinalBits(context, message_bits, length);
  403 }
  404 
  405 /*
  406  * SHA384Result
  407  *
  408  * Description:
  409  *   This function will return the 384-bit message digest
  410  *   into the Message_Digest array provided by the caller.
  411  *   NOTE:
  412  *    The first octet of hash is stored in the element with index 0,
  413  *    the last octet of hash in the element with index 47.
  414  *
  415  * Parameters:
  416  *   context: [in/out]
  417  *     The context to use to calculate the SHA hash.
  418  *   Message_Digest[ ]: [out]
  419  *     Where the digest is returned.
  420  *
  421  * Returns:
  422  *   sha Error Code.
  423  *
  424  */
  425 int SHA384Result(SHA384Context *context,
  426     uint8_t Message_Digest[SHA384HashSize])
  427 {
  428   return SHA384_512ResultN(context, Message_Digest, SHA384HashSize);
  429 }
  430 
  431 /*
  432  * SHA512Reset
  433  *
  434  * Description:
  435  *   This function will initialize the SHA512Context in preparation
  436  *   for computing a new SHA512 message digest.
  437  *
  438  * Parameters:
  439  *   context: [in/out]
  440  *     The context to reset.
  441  *
  442  * Returns:
  443  *   sha Error Code.
  444  *
  445  */
  446 int SHA512Reset(SHA512Context *context)
  447 {
  448   return SHA384_512Reset(context, SHA512_H0);
  449 }
  450 
  451 /*
  452  * SHA512Input
  453  *
  454  * Description:
  455  *   This function accepts an array of octets as the next portion
  456  *   of the message.
  457  *
  458  * Parameters:
  459  *   context: [in/out]
  460  *     The SHA context to update.
  461  *   message_array[ ]: [in]
  462  *     An array of octets representing the next portion of
  463  *     the message.
  464  *   length: [in]
  465  *     The length of the message in message_array.
  466  *
  467  * Returns:
  468  *   sha Error Code.
  469  *
  470  */
  471 int SHA512Input(SHA512Context *context,
  472         const uint8_t *message_array,
  473         unsigned int length)
  474 {
  475   if (!context) return shaNull;
  476   if (!length) return shaSuccess;
  477   if (!message_array) return shaNull;
  478   if (context->Computed) return context->Corrupted = shaStateError;
  479   if (context->Corrupted) return context->Corrupted;
  480 
  481   while (length--) {
  482     context->Message_Block[context->Message_Block_Index++] =
  483             *message_array;
  484 
  485     if ((SHA384_512AddLength(context, 8) == shaSuccess) &&
  486       (context->Message_Block_Index == SHA512_Message_Block_Size))
  487       SHA384_512ProcessMessageBlock(context);
  488 
  489     message_array++;
  490   }
  491 
  492   return context->Corrupted;
  493 }
  494 
  495 /*
  496  * SHA512FinalBits
  497  *
  498  * Description:
  499  *   This function will add in any final bits of the message.
  500  *
  501  * Parameters:
  502  *   context: [in/out]
  503  *     The SHA context to update.
  504  *   message_bits: [in]
  505  *     The final bits of the message, in the upper portion of the
  506  *     byte.  (Use 0b###00000 instead of 0b00000### to input the
  507  *     three bits ###.)
  508  *   length: [in]
  509  *     The number of bits in message_bits, between 1 and 7.
  510  *
  511  * Returns:
  512  *   sha Error Code.
  513  *
  514  */
  515 int SHA512FinalBits(SHA512Context *context,
  516                     uint8_t message_bits, unsigned int length)
  517 {
  518   static uint8_t masks[8] = {
  519       /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
  520       /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
  521       /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
  522       /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
  523   };
  524   static uint8_t markbit[8] = {
  525       /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
  526       /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
  527       /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
  528       /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
  529   };
  530 
  531   if (!context) return shaNull;
  532   if (!length) return shaSuccess;
  533   if (context->Corrupted) return context->Corrupted;
  534   if (context->Computed) return context->Corrupted = shaStateError;
  535   if (length >= 8) return context->Corrupted = shaBadParam;
  536 
  537   SHA384_512AddLength(context, length);
  538   SHA384_512Finalize(context, (uint8_t)
  539     ((message_bits & masks[length]) | markbit[length]));
  540 
  541   return context->Corrupted;
  542 }
  543 
  544 /*
  545  * SHA512Result
  546  *
  547  * Description:
  548  *   This function will return the 512-bit message digest
  549  *   into the Message_Digest array provided by the caller.
  550  *   NOTE:
  551  *    The first octet of hash is stored in the element with index 0,
  552  *    the last octet of hash in the element with index 63.
  553  *
  554  * Parameters:
  555  *   context: [in/out]
  556  *     The context to use to calculate the SHA hash.
  557  *   Message_Digest[ ]: [out]
  558  *     Where the digest is returned.
  559  *
  560  * Returns:
  561  *   sha Error Code.
  562  *
  563  */
  564 int SHA512Result(SHA512Context *context,
  565     uint8_t Message_Digest[SHA512HashSize])
  566 {
  567   return SHA384_512ResultN(context, Message_Digest, SHA512HashSize);
  568 }
  569 
  570 /*
  571  * SHA384_512Reset
  572  *
  573  * Description:
  574  *   This helper function will initialize the SHA512Context in
  575  *   preparation for computing a new SHA384 or SHA512 message
  576  *   digest.
  577  *
  578  * Parameters:
  579  *   context: [in/out]
  580  *     The context to reset.
  581  *   H0[ ]: [in]
  582  *     The initial hash value array to use.
  583  *
  584  * Returns:
  585  *   sha Error Code.
  586  *
  587  */
  588 #ifdef USE_32BIT_ONLY
  589 static int SHA384_512Reset(SHA512Context *context,
  590                            uint32_t H0[SHA512HashSize/4])
  591 #else /* !USE_32BIT_ONLY */
  592 static int SHA384_512Reset(SHA512Context *context,
  593                            uint64_t H0[SHA512HashSize/8])
  594 #endif /* USE_32BIT_ONLY */
  595 {
  596   int i;
  597   if (!context) return shaNull;
  598   context->Message_Block_Index = 0;
  599 
  600 #ifdef USE_32BIT_ONLY
  601   context->Length[0] = context->Length[1] =
  602   context->Length[2] = context->Length[3] = 0;
  603 
  604   for (i = 0; i < SHA512HashSize/4; i++)
  605     context->Intermediate_Hash[i] = H0[i];
  606 #else /* !USE_32BIT_ONLY */
  607   context->Length_High = context->Length_Low = 0;
  608 
  609   for (i = 0; i < SHA512HashSize/8; i++)
  610     context->Intermediate_Hash[i] = H0[i];
  611 #endif /* USE_32BIT_ONLY */
  612 
  613   context->Computed = 0;
  614   context->Corrupted = shaSuccess;
  615 
  616   return shaSuccess;
  617 }
  618 
  619 /*
  620  * SHA384_512ProcessMessageBlock
  621  *
  622  * Description:
  623  *   This helper function will process the next 1024 bits of the
  624  *   message stored in the Message_Block array.
  625  *
  626  * Parameters:
  627  *   context: [in/out]
  628  *     The SHA context to update.
  629  *
  630  * Returns:
  631  *   Nothing.
  632  *
  633  * Comments:
  634  *   Many of the variable names in this code, especially the
  635  *   single character names, were used because those were the
  636  *   names used in the Secure Hash Standard.
  637  *
  638  *
  639  */
  640 static void SHA384_512ProcessMessageBlock(SHA512Context *context)
  641 {
  642 #ifdef USE_32BIT_ONLY
  643   /* Constants defined in FIPS 180-3, section 4.2.3 */
  644   static const uint32_t K[80*2] = {
  645       0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
  646       0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
  647       0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
  648       0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
  649       0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
  650       0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
  651       0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
  652       0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
  653       0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
  654       0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
  655       0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,
  656       0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
  657       0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
  658       0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
  659       0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
  660       0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
  661       0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
  662       0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
  663       0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
  664       0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
  665       0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
  666       0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
  667       0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
  668       0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
  669       0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
  670       0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
  671       0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
  672       0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
  673       0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
  674       0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
  675       0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
  676       0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
  677   };
  678   int     t, t2, t8;                  /* Loop counter */
  679   uint32_t  temp1[2], temp2[2],       /* Temporary word values */
  680         temp3[2], temp4[2], temp5[2];
  681   uint32_t  W[2*80];                  /* Word sequence */
  682   uint32_t  A[2], B[2], C[2], D[2],   /* Word buffers */
  683         E[2], F[2], G[2], H[2];
  684 
  685   /* Initialize the first 16 words in the array W */
  686   for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) {
  687     W[t2++] = ((((uint32_t)context->Message_Block[t8    ])) << 24) |
  688               ((((uint32_t)context->Message_Block[t8 + 1])) << 16) |
  689               ((((uint32_t)context->Message_Block[t8 + 2])) << 8) |
  690               ((((uint32_t)context->Message_Block[t8 + 3])));
  691     W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) |
  692               ((((uint32_t)context->Message_Block[t8 + 5])) << 16) |
  693               ((((uint32_t)context->Message_Block[t8 + 6])) << 8) |
  694               ((((uint32_t)context->Message_Block[t8 + 7])));
  695   }
  696 
  697   for (t = 16; t < 80; t++, t2 += 2) {
  698     /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
  699       SHA512_sigma0(W[t-15]) + W[t-16]; */
  700     uint32_t *Wt2 = &W[t2-2*2];
  701     uint32_t *Wt7 = &W[t2-7*2];
  702     uint32_t *Wt15 = &W[t2-15*2];
  703     uint32_t *Wt16 = &W[t2-16*2];
  704     SHA512_sigma1(Wt2, temp1);
  705     SHA512_ADD(temp1, Wt7, temp2);
  706     SHA512_sigma0(Wt15, temp1);
  707     SHA512_ADD(temp1, Wt16, temp3);
  708     SHA512_ADD(temp2, temp3, &W[t2]);
  709   }
  710 
  711   A[0] = context->Intermediate_Hash[0];
  712   A[1] = context->Intermediate_Hash[1];
  713   B[0] = context->Intermediate_Hash[2];
  714   B[1] = context->Intermediate_Hash[3];
  715   C[0] = context->Intermediate_Hash[4];
  716   C[1] = context->Intermediate_Hash[5];
  717   D[0] = context->Intermediate_Hash[6];
  718   D[1] = context->Intermediate_Hash[7];
  719   E[0] = context->Intermediate_Hash[8];
  720   E[1] = context->Intermediate_Hash[9];
  721   F[0] = context->Intermediate_Hash[10];
  722   F[1] = context->Intermediate_Hash[11];
  723   G[0] = context->Intermediate_Hash[12];
  724   G[1] = context->Intermediate_Hash[13];
  725   H[0] = context->Intermediate_Hash[14];
  726   H[1] = context->Intermediate_Hash[15];
  727 
  728   for (t = t2 = 0; t < 80; t++, t2 += 2) {
  729     /*
  730      * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
  731      */
  732     SHA512_SIGMA1(E,temp1);
  733     SHA512_ADD(H, temp1, temp2);
  734     SHA_Ch(E,F,G,temp3);
  735     SHA512_ADD(temp2, temp3, temp4);
  736     SHA512_ADD(&K[t2], &W[t2], temp5);
  737     SHA512_ADD(temp4, temp5, temp1);
  738     /*
  739      * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
  740      */
  741     SHA512_SIGMA0(A,temp3);
  742     SHA_Maj(A,B,C,temp4);
  743     SHA512_ADD(temp3, temp4, temp2);
  744     H[0] = G[0]; H[1] = G[1];
  745     G[0] = F[0]; G[1] = F[1];
  746     F[0] = E[0]; F[1] = E[1];
  747     SHA512_ADD(D, temp1, E);
  748     D[0] = C[0]; D[1] = C[1];
  749     C[0] = B[0]; C[1] = B[1];
  750     B[0] = A[0]; B[1] = A[1];
  751     SHA512_ADD(temp1, temp2, A);
  752   }
  753 
  754   SHA512_ADDTO2(&context->Intermediate_Hash[0], A);
  755   SHA512_ADDTO2(&context->Intermediate_Hash[2], B);
  756   SHA512_ADDTO2(&context->Intermediate_Hash[4], C);
  757   SHA512_ADDTO2(&context->Intermediate_Hash[6], D);
  758   SHA512_ADDTO2(&context->Intermediate_Hash[8], E);
  759   SHA512_ADDTO2(&context->Intermediate_Hash[10], F);
  760   SHA512_ADDTO2(&context->Intermediate_Hash[12], G);
  761   SHA512_ADDTO2(&context->Intermediate_Hash[14], H);
  762 
  763 #else /* !USE_32BIT_ONLY */
  764   /* Constants defined in FIPS 180-3, section 4.2.3 */
  765   static const uint64_t K[80] = {
  766       0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll,
  767       0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll,
  768       0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll,
  769       0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll,
  770       0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll,
  771       0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll,
  772       0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll,
  773       0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll,
  774       0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll,
  775       0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll,
  776       0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll,
  777       0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll,
  778       0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll,
  779       0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll,
  780       0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll,
  781       0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll,
  782       0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll,
  783       0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll,
  784       0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll,
  785       0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll,
  786       0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll,
  787       0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll,
  788       0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll,
  789       0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll,
  790       0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll,
  791       0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All,
  792       0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll
  793   };
  794   int        t, t8;                   /* Loop counter */
  795   uint64_t   temp1, temp2;            /* Temporary word value */
  796   uint64_t   W[80];                   /* Word sequence */
  797   uint64_t   A, B, C, D, E, F, G, H;  /* Word buffers */
  798 
  799   /*
  800    * Initialize the first 16 words in the array W
  801    */
  802   for (t = t8 = 0; t < 16; t++, t8 += 8)
  803     W[t] = ((uint64_t)(context->Message_Block[t8  ]) << 56) |
  804            ((uint64_t)(context->Message_Block[t8 + 1]) << 48) |
  805            ((uint64_t)(context->Message_Block[t8 + 2]) << 40) |
  806            ((uint64_t)(context->Message_Block[t8 + 3]) << 32) |
  807            ((uint64_t)(context->Message_Block[t8 + 4]) << 24) |
  808            ((uint64_t)(context->Message_Block[t8 + 5]) << 16) |
  809            ((uint64_t)(context->Message_Block[t8 + 6]) << 8) |
  810            ((uint64_t)(context->Message_Block[t8 + 7]));
  811 
  812   for (t = 16; t < 80; t++)
  813     W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
  814         SHA512_sigma0(W[t-15]) + W[t-16];
  815   A = context->Intermediate_Hash[0];
  816   B = context->Intermediate_Hash[1];
  817   C = context->Intermediate_Hash[2];
  818   D = context->Intermediate_Hash[3];
  819   E = context->Intermediate_Hash[4];
  820   F = context->Intermediate_Hash[5];
  821   G = context->Intermediate_Hash[6];
  822   H = context->Intermediate_Hash[7];
  823 
  824   for (t = 0; t < 80; t++) {
  825     temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
  826     temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
  827     H = G;
  828     G = F;
  829     F = E;
  830     E = D + temp1;
  831     D = C;
  832     C = B;
  833     B = A;
  834     A = temp1 + temp2;
  835   }
  836 
  837   context->Intermediate_Hash[0] += A;
  838   context->Intermediate_Hash[1] += B;
  839   context->Intermediate_Hash[2] += C;
  840   context->Intermediate_Hash[3] += D;
  841   context->Intermediate_Hash[4] += E;
  842   context->Intermediate_Hash[5] += F;
  843   context->Intermediate_Hash[6] += G;
  844   context->Intermediate_Hash[7] += H;
  845 #endif /* USE_32BIT_ONLY */
  846 
  847   context->Message_Block_Index = 0;
  848 }
  849 
  850 /*
  851  * SHA384_512Finalize
  852  *
  853  * Description:
  854  *   This helper function finishes off the digest calculations.
  855  *
  856  * Parameters:
  857  *   context: [in/out]
  858  *     The SHA context to update.
  859  *   Pad_Byte: [in]
  860  *     The last byte to add to the message block before the 0-padding
  861  *     and length.  This will contain the last bits of the message
  862  *     followed by another single bit.  If the message was an
  863  *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
  864  *
  865  * Returns:
  866  *   sha Error Code.
  867  *
  868  */
  869 static void SHA384_512Finalize(SHA512Context *context,
  870     uint8_t Pad_Byte)
  871 {
  872   int_least16_t i;
  873   SHA384_512PadMessage(context, Pad_Byte);
  874   /* message may be sensitive, clear it out */
  875   for (i = 0; i < SHA512_Message_Block_Size; ++i)
  876     context->Message_Block[i] = 0;
  877 #ifdef USE_32BIT_ONLY    /* and clear length */
  878   context->Length[0] = context->Length[1] = 0;
  879   context->Length[2] = context->Length[3] = 0;
  880 #else /* !USE_32BIT_ONLY */
  881   context->Length_High = context->Length_Low = 0;
  882 #endif /* USE_32BIT_ONLY */
  883   context->Computed = 1;
  884 }
  885 
  886 /*
  887  * SHA384_512PadMessage
  888  *
  889  * Description:
  890  *   According to the standard, the message must be padded to the next
  891  *   even multiple of 1024 bits.  The first padding bit must be a '1'.
  892  *   The last 128 bits represent the length of the original message.
  893  *   All bits in between should be 0.  This helper function will
  894  *   pad the message according to those rules by filling the
  895  *   Message_Block array accordingly.  When it returns, it can be
  896  *   assumed that the message digest has been computed.
  897  *
  898  * Parameters:
  899  *   context: [in/out]
  900  *     The context to pad.
  901  *   Pad_Byte: [in]
  902  *     The last byte to add to the message block before the 0-padding
  903  *     and length.  This will contain the last bits of the message
  904  *     followed by another single bit.  If the message was an
  905  *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
  906  *
  907  * Returns:
  908  *   Nothing.
  909  *
  910  */
  911 static void SHA384_512PadMessage(SHA512Context *context,
  912     uint8_t Pad_Byte)
  913 {
  914   /*
  915    * Check to see if the current message block is too small to hold
  916    * the initial padding bits and length.  If so, we will pad the
  917    * block, process it, and then continue padding into a second
  918    * block.
  919    */
  920   if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) {
  921     context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
  922     while (context->Message_Block_Index < SHA512_Message_Block_Size)
  923       context->Message_Block[context->Message_Block_Index++] = 0;
  924 
  925     SHA384_512ProcessMessageBlock(context);
  926   } else
  927     context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
  928 
  929   while (context->Message_Block_Index < (SHA512_Message_Block_Size-16))
  930     context->Message_Block[context->Message_Block_Index++] = 0;
  931 
  932   /*
  933    * Store the message length as the last 16 octets
  934    */
  935 #ifdef USE_32BIT_ONLY
  936   context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24);
  937   context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16);
  938   context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8);
  939   context->Message_Block[115] = (uint8_t)(context->Length[0]);
  940   context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24);
  941   context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16);
  942   context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8);
  943   context->Message_Block[119] = (uint8_t)(context->Length[1]);
  944 
  945   context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24);
  946   context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16);
  947   context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8);
  948   context->Message_Block[123] = (uint8_t)(context->Length[2]);
  949   context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24);
  950   context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16);
  951   context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8);
  952   context->Message_Block[127] = (uint8_t)(context->Length[3]);
  953 #else /* !USE_32BIT_ONLY */
  954   context->Message_Block[112] = (uint8_t)(context->Length_High >> 56);
  955   context->Message_Block[113] = (uint8_t)(context->Length_High >> 48);
  956   context->Message_Block[114] = (uint8_t)(context->Length_High >> 40);
  957   context->Message_Block[115] = (uint8_t)(context->Length_High >> 32);
  958   context->Message_Block[116] = (uint8_t)(context->Length_High >> 24);
  959   context->Message_Block[117] = (uint8_t)(context->Length_High >> 16);
  960   context->Message_Block[118] = (uint8_t)(context->Length_High >> 8);
  961   context->Message_Block[119] = (uint8_t)(context->Length_High);
  962 
  963   context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56);
  964   context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48);
  965   context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40);
  966   context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32);
  967   context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24);
  968   context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16);
  969   context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8);
  970   context->Message_Block[127] = (uint8_t)(context->Length_Low);
  971 #endif /* USE_32BIT_ONLY */
  972 
  973   SHA384_512ProcessMessageBlock(context);
  974 }
  975 
  976 /*
  977  * SHA384_512ResultN
  978  *
  979  * Description:
  980  *   This helper function will return the 384-bit or 512-bit message
  981  *   digest into the Message_Digest array provided by the caller.
  982  *   NOTE:
  983  *    The first octet of hash is stored in the element with index 0,
  984  *    the last octet of hash in the element with index 47/63.
  985  *
  986  * Parameters:
  987  *   context: [in/out]
  988  *     The context to use to calculate the SHA hash.
  989  *   Message_Digest[ ]: [out]
  990  *     Where the digest is returned.
  991  *   HashSize: [in]
  992  *     The size of the hash, either 48 or 64.
  993  *
  994  * Returns:
  995  *   sha Error Code.
  996  *
  997  */
  998 static int SHA384_512ResultN(SHA512Context *context,
  999     uint8_t Message_Digest[ ], int HashSize)
 1000 {
 1001   int i;
 1002 #ifdef USE_32BIT_ONLY
 1003   int i2;
 1004 #endif /* USE_32BIT_ONLY */
 1005 
 1006   if (!context) return shaNull;
 1007   if (!Message_Digest) return shaNull;
 1008   if (context->Corrupted) return context->Corrupted;
 1009 
 1010   if (!context->Computed)
 1011     SHA384_512Finalize(context, 0x80);
 1012 
 1013 #ifdef USE_32BIT_ONLY
 1014   for (i = i2 = 0; i < HashSize; ) {
 1015     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
 1016     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
 1017     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
 1018     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
 1019     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
 1020     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
 1021     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
 1022     Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
 1023   }
 1024 #else /* !USE_32BIT_ONLY */
 1025   for (i = 0; i < HashSize; ++i)
 1026     Message_Digest[i] = (uint8_t)
 1027       (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) ));
 1028 #endif /* USE_32BIT_ONLY */
 1029 
 1030   return shaSuccess;
 1031 }