sha384-512.c source code [qtbase/src/3rdparty/rfc6234/sha384-512.c]

1	/********************** sha384-512.c *********************/
2	/************** See RFC 6234 for details. ****************/
3	/ Copyright (c) 2011 IETF Trust and the persons identified as /
4	/ authors of the code. All rights reserved. /
5	/ See sha.h for terms of use and redistribution. /
6
7	/*
8	* Description:
9	* This file implements the Secure Hash Algorithms SHA-384 and
10	* SHA-512 as defined in the U.S. National Institute of Standards
11	* and Technology Federal Information Processing Standards
12	* Publication (FIPS PUB) 180-3 published in October 2008
13	* and formerly defined in its predecessors, FIPS PUB 180-1
14	* and FIP PUB 180-2.
15	*
16	* A combined document showing all algorithms is available at
17	* http://csrc.nist.gov/publications/fips/
18	* fips180-3/fips180-3_final.pdf
19	*
20	* The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
21	* message digests for a given data stream. It should take about
22	* 2**n steps to find a message with the same digest as a given
23	* message and 2**(n/2) to find any two messages with the same
24	* digest, when n is the digest size in bits. Therefore, this
25	* algorithm can serve as a means of providing a
26	* "fingerprint" for a message.
27	*
28	* Portability Issues:
29	* SHA-384 and SHA-512 are defined in terms of 64-bit "words",
30	* but if USE_32BIT_ONLY is #defined, this code is implemented in
31	* terms of 32-bit "words". This code uses <stdint.h> (included
32	* via "sha.h") to define the 64-, 32- and 8-bit unsigned integer
33	* types. If your C compiler does not support 64-bit unsigned
34	* integers and you do not #define USE_32BIT_ONLY, this code is
35	* not appropriate.
36	*
37	* Caveats:
38	* SHA-384 and SHA-512 are designed to work with messages less
39	* than 2^128 bits long. This implementation uses SHA384/512Input()
40	* to hash the bits that are a multiple of the size of an 8-bit
41	* octet, and then optionally uses SHA384/256FinalBits()
42	* to hash the final few bits of the input.
43	*
44	*/
45
46	#include "sha.h"
47
48	#ifdef USE_32BIT_ONLY
49	/*
50	* Define 64-bit arithmetic in terms of 32-bit arithmetic.
51	* Each 64-bit number is represented in a 2-word array.
52	* All macros are defined such that the result is the last parameter.
53	*/
54
55	/*
56	* Define shift, rotate left, and rotate right functions
57	*/
58	#define SHA512_SHR(bits, word, ret) ( \
59	/* (((uint64_t)((word))) >> (bits)) */ \
60	(ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \
61	((word)[0] >> (bits)) : 0, \
62	(ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \
63	((bits) == 32) ? (word)[0] : \
64	((bits) >= 0) ? \
65	(((word)[0] << (32 - (bits))) \| \
66	((word)[1] >> (bits))) : 0 )
67
68	#define SHA512_SHL(bits, word, ret) ( \
69	/* (((uint64_t)(word)) << (bits)) */ \
70	(ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \
71	((bits) == 32) ? (word)[1] : \
72	((bits) >= 0) ? \
73	(((word)[0] << (bits)) \| \
74	((word)[1] >> (32 - (bits)))) : \
75	0, \
76	(ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \
77	((word)[1] << (bits)) : 0 )
78
79	/*
80	* Define 64-bit OR
81	*/
82	#define SHA512_OR(word1, word2, ret) ( \
83	(ret)[0] = (word1)[0] \| (word2)[0], \
84	(ret)[1] = (word1)[1] \| (word2)[1] )
85
86	/*
87	* Define 64-bit XOR
88	*/
89	#define SHA512_XOR(word1, word2, ret) ( \
90	(ret)[0] = (word1)[0] ^ (word2)[0], \
91	(ret)[1] = (word1)[1] ^ (word2)[1] )
92
93	/*
94	* Define 64-bit AND
95	*/
96	#define SHA512_AND(word1, word2, ret) ( \
97	(ret)[0] = (word1)[0] & (word2)[0], \
98	(ret)[1] = (word1)[1] & (word2)[1] )
99
100	/*
101	* Define 64-bit TILDA
102	*/
103	#define SHA512_TILDA(word, ret) \
104	( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
105
106	/*
107	* Define 64-bit ADD
108	*/
109	#define SHA512_ADD(word1, word2, ret) ( \
110	(ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \
111	(ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
112
113	/*
114	* Add the 4word value in word2 to word1.
115	*/
116	static uint32_t ADDTO4_temp, ADDTO4_temp2;
117	#define SHA512_ADDTO4(word1, word2) ( \
118	ADDTO4_temp = (word1)[3], \
119	(word1)[3] += (word2)[3], \
120	ADDTO4_temp2 = (word1)[2], \
121	(word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \
122	ADDTO4_temp = (word1)[1], \
123	(word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \
124	(word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )
125
126	/*
127	* Add the 2word value in word2 to word1.
128	*/
129	static uint32_t ADDTO2_temp;
130	#define SHA512_ADDTO2(word1, word2) ( \
131	ADDTO2_temp = (word1)[1], \
132	(word1)[1] += (word2)[1], \
133	(word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
134
135	/*
136	* SHA rotate ((word >> bits) \| (word << (64-bits)))
137	*/
138	static uint32_t ROTR_temp1[`2`], ROTR_temp2[`2`];
139	#define SHA512_ROTR(bits, word, ret) ( \
140	SHA512_SHR((bits), (word), ROTR_temp1), \
141	SHA512_SHL(64-(bits), (word), ROTR_temp2), \
142	SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
143
144	/*
145	* Define the SHA SIGMA and sigma macros
146	*
147	* SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
148	*/
149	static uint32_t SIGMA0_temp1[`2`], SIGMA0_temp2[`2`],
150	SIGMA0_temp3[`2`], SIGMA0_temp4[`2`];
151	#define SHA512_SIGMA0(word, ret) ( \
152	SHA512_ROTR(28, (word), SIGMA0_temp1), \
153	SHA512_ROTR(34, (word), SIGMA0_temp2), \
154	SHA512_ROTR(39, (word), SIGMA0_temp3), \
155	SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \
156	SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
157
158	/*
159	* SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
160	*/
161	static uint32_t SIGMA1_temp1[`2`], SIGMA1_temp2[`2`],
162	SIGMA1_temp3[`2`], SIGMA1_temp4[`2`];
163	#define SHA512_SIGMA1(word, ret) ( \
164	SHA512_ROTR(14, (word), SIGMA1_temp1), \
165	SHA512_ROTR(18, (word), SIGMA1_temp2), \
166	SHA512_ROTR(41, (word), SIGMA1_temp3), \
167	SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \
168	SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
169
170	/*
171	* (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
172	*/
173	static uint32_t sigma0_temp1[`2`], sigma0_temp2[`2`],
174	sigma0_temp3[`2`], sigma0_temp4[`2`];
175	#define SHA512_sigma0(word, ret) ( \
176	SHA512_ROTR( 1, (word), sigma0_temp1), \
177	SHA512_ROTR( 8, (word), sigma0_temp2), \
178	SHA512_SHR( 7, (word), sigma0_temp3), \
179	SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \
180	SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
181
182	/*
183	* (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
184	*/
185	static uint32_t sigma1_temp1[`2`], sigma1_temp2[`2`],
186	sigma1_temp3[`2`], sigma1_temp4[`2`];
187	#define SHA512_sigma1(word, ret) ( \
188	SHA512_ROTR(19, (word), sigma1_temp1), \
189	SHA512_ROTR(61, (word), sigma1_temp2), \
190	SHA512_SHR( 6, (word), sigma1_temp3), \
191	SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \
192	SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
193
194	#ifndef USE_MODIFIED_MACROS
195	/*
196	* These definitions are the ones used in FIPS 180-3, section 4.1.3
197	* Ch(x,y,z) ((x & y) ^ (~x & z))
198	*/
199	static uint32_t Ch_temp1[`2`], Ch_temp2[`2`], Ch_temp3[`2`];
200	#define SHA_Ch(x, y, z, ret) ( \
201	SHA512_AND(x, y, Ch_temp1), \
202	SHA512_TILDA(x, Ch_temp2), \
203	SHA512_AND(Ch_temp2, z, Ch_temp3), \
204	SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
205
206	/*
207	* Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
208	*/
209	static uint32_t Maj_temp1[`2`], Maj_temp2[`2`],
210	Maj_temp3[`2`], Maj_temp4[`2`];
211	#define SHA_Maj(x, y, z, ret) ( \
212	SHA512_AND(x, y, Maj_temp1), \
213	SHA512_AND(x, z, Maj_temp2), \
214	SHA512_AND(y, z, Maj_temp3), \
215	SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \
216	SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
217	#else /* !USE_MODIFIED_MACROS */
218	/*
219	* These definitions are potentially faster equivalents for the ones
220	* used in FIPS 180-3, section 4.1.3.
221	* ((x & y) ^ (~x & z)) becomes
222	* ((x & (y ^ z)) ^ z)
223	*/
224	#define SHA_Ch(x, y, z, ret) ( \
225	(ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \
226	(ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
227
228	/*
229	* ((x & y) ^ (x & z) ^ (y & z)) becomes
230	* ((x & (y \| z)) \| (y & z))
231	*/
232	#define SHA_Maj(x, y, z, ret) ( \
233	ret[0] = (((x)[0] & ((y)[0] \| (z)[0])) \| ((y)[0] & (z)[0])), \
234	ret[1] = (((x)[1] & ((y)[1] \| (z)[1])) \| ((y)[1] & (z)[1])) )
235	#endif /* USE_MODIFIED_MACROS */
236
237	/*
238	* Add "length" to the length.
239	* Set Corrupted when overflow has occurred.
240	*/
241	static uint32_t addTemp[`4`] = { `0`, `0`, `0`, `0` };
242	#define SHA384_512AddLength(context, length) ( \
243	addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
244	(context)->Corrupted = (((context)->Length[3] < (length)) && \
245	((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \
246	((context)->Length[0] == 0)) ? shaInputTooLong : \
247	(context)->Corrupted )
248
249	/ Local Function Prototypes /
250	static int SHA384_512Reset(SHA512Context *context,
251	uint32_t H0[SHA512HashSize/`4`]);
252	static void SHA384_512ProcessMessageBlock(SHA512Context *context);
253	static void SHA384_512Finalize(SHA512Context *context,
254	uint8_t Pad_Byte);
255	static void SHA384_512PadMessage(SHA512Context *context,
256	uint8_t Pad_Byte);
257	static int SHA384_512ResultN( SHA512Context *context,
258	uint8_t Message_Digest[ ], int HashSize);
259
260	/ Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 /
261	static uint32_t SHA384_H0[SHA512HashSize/`4`] = {
262	`0xCBBB9D5D`, `0xC1059ED8`, `0x629A292A`, `0x367CD507`, `0x9159015A`,
263	`0x3070DD17`, `0x152FECD8`, `0xF70E5939`, `0x67332667`, `0xFFC00B31`,
264	`0x8EB44A87`, `0x68581511`, `0xDB0C2E0D`, `0x64F98FA7`, `0x47B5481D`,
265	`0xBEFA4FA4`
266	};
267	static uint32_t SHA512_H0[SHA512HashSize/`4`] = {
268	`0x6A09E667`, `0xF3BCC908`, `0xBB67AE85`, `0x84CAA73B`, `0x3C6EF372`,
269	`0xFE94F82B`, `0xA54FF53A`, `0x5F1D36F1`, `0x510E527F`, `0xADE682D1`,
270	`0x9B05688C`, `0x2B3E6C1F`, `0x1F83D9AB`, `0xFB41BD6B`, `0x5BE0CD19`,
271	`0x137E2179`
272	};
273
274	#else /* !USE_32BIT_ONLY */
275
276	#include "sha-private.h"
277
278	/ Define the SHA shift, rotate left and rotate right macros /
279	#define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits))
280	#define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) \| \
281	(((uint64_t)(word)) << (64-(bits))))
282
283	/*
284	* Define the SHA SIGMA and sigma macros
285	*
286	* SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
287	*/
288	#define SHA512_SIGMA0(word) \
289	(SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
290	#define SHA512_SIGMA1(word) \
291	(SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
292	#define SHA512_sigma0(word) \
293	(SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
294	#define SHA512_sigma1(word) \
295	(SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
296
297	/*
298	* Add "length" to the length.
299	* Set Corrupted when overflow has occurred.
300	*/
301	/ addTemp commented out by Nokia, static variables are not thread-safe /
302	/ static uint64_t addTemp; /
303	/ 'M' appended to Macro name by Nokia /
304	#define SHA384_512AddLengthM(context, length) \
305	(addTemp = context->Length_Low, context->Corrupted = \
306	((context->Length_Low += length) < addTemp) && \
307	(++context->Length_High == 0) ? shaInputTooLong : \
308	(context)->Corrupted)
309
310	/ Local Function Prototypes /
311	static int SHA384_512Reset(SHA512Context *context,
312	uint64_t H0[SHA512HashSize/`8`]);
313	static void SHA384_512ProcessMessageBlock(SHA512Context *context);
314	static void SHA384_512Finalize(SHA512Context *context,
315	uint8_t Pad_Byte);
316	static void SHA384_512PadMessage(SHA512Context *context,
317	uint8_t Pad_Byte);
318	static int SHA384_512ResultN(SHA512Context *context,
319	uint8_t Message_Digest[ ], int HashSize);
320
321	/ Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 /
322	static uint64_t SHA384_H0[ ] = {
323	`0xCBBB9D5DC1059ED8ull`, `0x629A292A367CD507ull`, `0x9159015A3070DD17ull`,
324	`0x152FECD8F70E5939ull`, `0x67332667FFC00B31ull`, `0x8EB44A8768581511ull`,
325	`0xDB0C2E0D64F98FA7ull`, `0x47B5481DBEFA4FA4ull`
326	};
327	static uint64_t SHA512_H0[ ] = {
328	`0x6A09E667F3BCC908ull`, `0xBB67AE8584CAA73Bull`, `0x3C6EF372FE94F82Bull`,
329	`0xA54FF53A5F1D36F1ull`, `0x510E527FADE682D1ull`, `0x9B05688C2B3E6C1Full`,
330	`0x1F83D9ABFB41BD6Bull`, `0x5BE0CD19137E2179ull`
331	};
332
333	#endif /* USE_32BIT_ONLY */
334
335	/*
336	* SHA384Reset
337	*
338	* Description:
339	* This function will initialize the SHA384Context in preparation
340	* for computing a new SHA384 message digest.
341	*
342	* Parameters:
343	* context: [in/out]
344	* The context to reset.
345	*
346	* Returns:
347	* sha Error Code.
348	*
349	*/
350	int SHA384Reset(SHA384Context *context)
351	{
352	return SHA384_512Reset(context, H0: SHA384_H0);
353	}
354
355	/*
356	* SHA384Input
357	*
358	* Description:
359	* This function accepts an array of octets as the next portion
360	* of the message.
361	*
362	* Parameters:
363	* context: [in/out]
364	* The SHA context to update.
365	* message_array[ ]: [in]
366	* An array of octets representing the next portion of
367	* the message.
368	* length: [in]
369	* The length of the message in message_array.
370	*
371	* Returns:
372	* sha Error Code.
373	*
374	*/
375	int SHA384Input(SHA384Context *context,
376	const uint8_t message_array, unsigned* int length)
377	{
378	return SHA512Input(context, bytes: message_array, bytecount: length);
379	}
380
381	/*
382	* SHA384FinalBits
383	*
384	* Description:
385	* This function will add in any final bits of the message.
386	*
387	* Parameters:
388	* context: [in/out]
389	* The SHA context to update.
390	* message_bits: [in]
391	* The final bits of the message, in the upper portion of the
392	* byte. (Use 0b###00000 instead of 0b00000### to input the
393	* three bits ###.)
394	* length: [in]
395	* The number of bits in message_bits, between 1 and 7.
396	*
397	* Returns:
398	* sha Error Code.
399	*
400	*/
401	int SHA384FinalBits(SHA384Context *context,
402	uint8_t message_bits, unsigned int length)
403	{
404	return SHA512FinalBits(context, bits: message_bits, bit_count: length);
405	}
406
407	/*
408	* SHA384Result
409	*
410	* Description:
411	* This function will return the 384-bit message digest
412	* into the Message_Digest array provided by the caller.
413	* NOTE:
414	* The first octet of hash is stored in the element with index 0,
415	* the last octet of hash in the element with index 47.
416	*
417	* Parameters:
418	* context: [in/out]
419	* The context to use to calculate the SHA hash.
420	* Message_Digest[ ]: [out]
421	* Where the digest is returned.
422	*
423	* Returns:
424	* sha Error Code.
425	*
426	*/
427	int SHA384Result(SHA384Context *context,
428	uint8_t Message_Digest[SHA384HashSize])
429	{
430	return SHA384_512ResultN(context, Message_Digest, HashSize: SHA384HashSize);
431	}
432
433	/*
434	* SHA512Reset
435	*
436	* Description:
437	* This function will initialize the SHA512Context in preparation
438	* for computing a new SHA512 message digest.
439	*
440	* Parameters:
441	* context: [in/out]
442	* The context to reset.
443	*
444	* Returns:
445	* sha Error Code.
446	*
447	*/
448	int SHA512Reset(SHA512Context *context)
449	{
450	return SHA384_512Reset(context, H0: SHA512_H0);
451	}
452
453	/*
454	* SHA512Input
455	*
456	* Description:
457	* This function accepts an array of octets as the next portion
458	* of the message.
459	*
460	* Parameters:
461	* context: [in/out]
462	* The SHA context to update.
463	* message_array[ ]: [in]
464	* An array of octets representing the next portion of
465	* the message.
466	* length: [in]
467	* The length of the message in message_array.
468	*
469	* Returns:
470	* sha Error Code.
471	*
472	*/
473	int SHA512Input(SHA512Context *context,
474	const uint8_t *message_array,
475	unsigned int length)
476	{
477	if (!context) return shaNull;
478	if (!length) return shaSuccess;
479	if (!message_array) return shaNull;
480	if (context->Computed) return context->Corrupted = shaStateError;
481	if (context->Corrupted) return context->Corrupted;
482
483	while (length--) {
484	context->Message_Block[context->Message_Block_Index++] =
485	*message_array;
486
487	if ((SHA384_512AddLength(context, length: `8`) == shaSuccess) &&
488	(context->Message_Block_Index == SHA512_Message_Block_Size))
489	SHA384_512ProcessMessageBlock(context);
490
491	message_array++;
492	}
493
494	return context->Corrupted;
495	}
496
497	/*
498	* SHA512FinalBits
499	*
500	* Description:
501	* This function will add in any final bits of the message.
502	*
503	* Parameters:
504	* context: [in/out]
505	* The SHA context to update.
506	* message_bits: [in]
507	* The final bits of the message, in the upper portion of the
508	* byte. (Use 0b###00000 instead of 0b00000### to input the
509	* three bits ###.)
510	* length: [in]
511	* The number of bits in message_bits, between 1 and 7.
512	*
513	* Returns:
514	* sha Error Code.
515	*
516	*/
517	int SHA512FinalBits(SHA512Context *context,
518	uint8_t message_bits, unsigned int length)
519	{
520	static uint8_t masks[`8`] = {
521	/ 0 0b00000000 / `0x00`, / 1 0b10000000 / `0x80`,
522	/ 2 0b11000000 / `0xC0`, / 3 0b11100000 / `0xE0`,
523	/ 4 0b11110000 / `0xF0`, / 5 0b11111000 / `0xF8`,
524	/ 6 0b11111100 / `0xFC`, / 7 0b11111110 / `0xFE`
525	};
526	static uint8_t markbit[`8`] = {
527	/ 0 0b10000000 / `0x80`, / 1 0b01000000 / `0x40`,
528	/ 2 0b00100000 / `0x20`, / 3 0b00010000 / `0x10`,
529	/ 4 0b00001000 / `0x08`, / 5 0b00000100 / `0x04`,
530	/ 6 0b00000010 / `0x02`, / 7 0b00000001 / `0x01`
531	};
532
533	if (!context) return shaNull;
534	if (!length) return shaSuccess;
535	if (context->Corrupted) return context->Corrupted;
536	if (context->Computed) return context->Corrupted = shaStateError;
537	if (length >= `8`) return context->Corrupted = shaBadParam;
538
539	SHA384_512AddLength(context, length);
540	SHA384_512Finalize(context, Pad_Byte: (uint8_t)
541	((message_bits & masks[length]) \| markbit[length]));
542
543	return context->Corrupted;
544	}
545
546	/*
547	* SHA512Result
548	*
549	* Description:
550	* This function will return the 512-bit message digest
551	* into the Message_Digest array provided by the caller.
552	* NOTE:
553	* The first octet of hash is stored in the element with index 0,
554	* the last octet of hash in the element with index 63.
555	*
556	* Parameters:
557	* context: [in/out]
558	* The context to use to calculate the SHA hash.
559	* Message_Digest[ ]: [out]
560	* Where the digest is returned.
561	*
562	* Returns:
563	* sha Error Code.
564	*
565	*/
566	int SHA512Result(SHA512Context *context,
567	uint8_t Message_Digest[SHA512HashSize])
568	{
569	return SHA384_512ResultN(context, Message_Digest, HashSize: SHA512HashSize);
570	}
571
572	/*
573	* SHA384_512Reset
574	*
575	* Description:
576	* This helper function will initialize the SHA512Context in
577	* preparation for computing a new SHA384 or SHA512 message
578	* digest.
579	*
580	* Parameters:
581	* context: [in/out]
582	* The context to reset.
583	* H0[ ]: [in]
584	* The initial hash value array to use.
585	*
586	* Returns:
587	* sha Error Code.
588	*
589	*/
590	#ifdef USE_32BIT_ONLY
591	static int SHA384_512Reset(SHA512Context *context,
592	uint32_t H0[SHA512HashSize/`4`])
593	#else /* !USE_32BIT_ONLY */
594	static int SHA384_512Reset(SHA512Context *context,
595	uint64_t H0[SHA512HashSize/`8`])
596	#endif /* USE_32BIT_ONLY */
597	{
598	int i;
599	if (!context) return shaNull;
600
601	context->Message_Block_Index = `0`;
602
603	#ifdef USE_32BIT_ONLY
604	context->Length[`0`] = context->Length[`1`] =
605	context->Length[`2`] = context->Length[`3`] = `0`;
606
607	for (i = `0`; i < SHA512HashSize/`4`; i++)
608	context->Intermediate_Hash[i] = H0[i];
609	#else /* !USE_32BIT_ONLY */
610	context->Length_High = context->Length_Low = `0`;
611
612	for (i = `0`; i < SHA512HashSize/`8`; i++)
613	context->Intermediate_Hash[i] = H0[i];
614	#endif /* USE_32BIT_ONLY */
615
616	context->Computed = `0`;
617	context->Corrupted = shaSuccess;
618
619	return shaSuccess;
620	}
621
622	/*
623	* SHA384_512ProcessMessageBlock
624	*
625	* Description:
626	* This helper function will process the next 1024 bits of the
627	* message stored in the Message_Block array.
628	*
629	* Parameters:
630	* context: [in/out]
631	* The SHA context to update.
632	*
633	* Returns:
634	* Nothing.
635	*
636	* Comments:
637	* Many of the variable names in this code, especially the
638	* single character names, were used because those were the
639	* names used in the Secure Hash Standard.
640	*
641	*
642	*/
643	static void SHA384_512ProcessMessageBlock(SHA512Context *context)
644	{
645	#ifdef USE_32BIT_ONLY
646	/ Constants defined in FIPS 180-3, section 4.2.3 /
647	static const uint32_t K[`80`*`2`] = {
648	`0x428A2F98`, `0xD728AE22`, `0x71374491`, `0x23EF65CD`, `0xB5C0FBCF`,
649	`0xEC4D3B2F`, `0xE9B5DBA5`, `0x8189DBBC`, `0x3956C25B`, `0xF348B538`,
650	`0x59F111F1`, `0xB605D019`, `0x923F82A4`, `0xAF194F9B`, `0xAB1C5ED5`,
651	`0xDA6D8118`, `0xD807AA98`, `0xA3030242`, `0x12835B01`, `0x45706FBE`,
652	`0x243185BE`, `0x4EE4B28C`, `0x550C7DC3`, `0xD5FFB4E2`, `0x72BE5D74`,
653	`0xF27B896F`, `0x80DEB1FE`, `0x3B1696B1`, `0x9BDC06A7`, `0x25C71235`,
654	`0xC19BF174`, `0xCF692694`, `0xE49B69C1`, `0x9EF14AD2`, `0xEFBE4786`,
655	`0x384F25E3`, `0x0FC19DC6`, `0x8B8CD5B5`, `0x240CA1CC`, `0x77AC9C65`,
656	`0x2DE92C6F`, `0x592B0275`, `0x4A7484AA`, `0x6EA6E483`, `0x5CB0A9DC`,
657	`0xBD41FBD4`, `0x76F988DA`, `0x831153B5`, `0x983E5152`, `0xEE66DFAB`,
658	`0xA831C66D`, `0x2DB43210`, `0xB00327C8`, `0x98FB213F`, `0xBF597FC7`,
659	`0xBEEF0EE4`, `0xC6E00BF3`, `0x3DA88FC2`, `0xD5A79147`, `0x930AA725`,
660	`0x06CA6351`, `0xE003826F`, `0x14292967`, `0x0A0E6E70`, `0x27B70A85`,
661	`0x46D22FFC`, `0x2E1B2138`, `0x5C26C926`, `0x4D2C6DFC`, `0x5AC42AED`,
662	`0x53380D13`, `0x9D95B3DF`, `0x650A7354`, `0x8BAF63DE`, `0x766A0ABB`,
663	`0x3C77B2A8`, `0x81C2C92E`, `0x47EDAEE6`, `0x92722C85`, `0x1482353B`,
664	`0xA2BFE8A1`, `0x4CF10364`, `0xA81A664B`, `0xBC423001`, `0xC24B8B70`,
665	`0xD0F89791`, `0xC76C51A3`, `0x0654BE30`, `0xD192E819`, `0xD6EF5218`,
666	`0xD6990624`, `0x5565A910`, `0xF40E3585`, `0x5771202A`, `0x106AA070`,
667	`0x32BBD1B8`, `0x19A4C116`, `0xB8D2D0C8`, `0x1E376C08`, `0x5141AB53`,
668	`0x2748774C`, `0xDF8EEB99`, `0x34B0BCB5`, `0xE19B48A8`, `0x391C0CB3`,
669	`0xC5C95A63`, `0x4ED8AA4A`, `0xE3418ACB`, `0x5B9CCA4F`, `0x7763E373`,
670	`0x682E6FF3`, `0xD6B2B8A3`, `0x748F82EE`, `0x5DEFB2FC`, `0x78A5636F`,
671	`0x43172F60`, `0x84C87814`, `0xA1F0AB72`, `0x8CC70208`, `0x1A6439EC`,
672	`0x90BEFFFA`, `0x23631E28`, `0xA4506CEB`, `0xDE82BDE9`, `0xBEF9A3F7`,
673	`0xB2C67915`, `0xC67178F2`, `0xE372532B`, `0xCA273ECE`, `0xEA26619C`,
674	`0xD186B8C7`, `0x21C0C207`, `0xEADA7DD6`, `0xCDE0EB1E`, `0xF57D4F7F`,
675	`0xEE6ED178`, `0x06F067AA`, `0x72176FBA`, `0x0A637DC5`, `0xA2C898A6`,
676	`0x113F9804`, `0xBEF90DAE`, `0x1B710B35`, `0x131C471B`, `0x28DB77F5`,
677	`0x23047D84`, `0x32CAAB7B`, `0x40C72493`, `0x3C9EBE0A`, `0x15C9BEBC`,
678	`0x431D67C4`, `0x9C100D4C`, `0x4CC5D4BE`, `0xCB3E42B6`, `0x597F299C`,
679	`0xFC657E2A`, `0x5FCB6FAB`, `0x3AD6FAEC`, `0x6C44198C`, `0x4A475817`
680	};
681	int t, t2, t8; / Loop counter /
682	uint32_t temp1[`2`], temp2[`2`], / Temporary word values /
683	temp3[`2`], temp4[`2`], temp5[`2`];
684	uint32_t W[`2``80`]; /* Word sequence /
685	uint32_t A[`2`], B[`2`], C[`2`], D[`2`], / Word buffers /
686	E[`2`], F[`2`], G[`2`], H[`2`];
687
688	/ Initialize the first 16 words in the array W /
689	for (t = t2 = t8 = `0`; t < `16`; t++, t8 += `8`) {
690	W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << `24`) \|
691	((((uint32_t)context->Message_Block[t8 + `1`])) << `16`) \|
692	((((uint32_t)context->Message_Block[t8 + `2`])) << `8`) \|
693	((((uint32_t)context->Message_Block[t8 + `3`])));
694	W[t2++] = ((((uint32_t)context->Message_Block[t8 + `4`])) << `24`) \|
695	((((uint32_t)context->Message_Block[t8 + `5`])) << `16`) \|
696	((((uint32_t)context->Message_Block[t8 + `6`])) << `8`) \|
697	((((uint32_t)context->Message_Block[t8 + `7`])));
698	}
699
700	for (t = `16`; t < `80`; t++, t2 += `2`) {
701	/ W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +*
702	SHA512_sigma0(W[t-15]) + W[t-16]; /*
703	uint32_t Wt2 = &W[t2-`2``2`];
704	uint32_t Wt7 = &W[t2-`7``2`];
705	uint32_t Wt15 = &W[t2-`15``2`];
706	uint32_t Wt16 = &W[t2-`16``2`];
707	SHA512_sigma1(Wt2, temp1);
708	SHA512_ADD(temp1, Wt7, temp2);
709	SHA512_sigma0(Wt15, temp1);
710	SHA512_ADD(temp1, Wt16, temp3);
711	SHA512_ADD(temp2, temp3, &W[t2]);
712	}
713
714	A[`0`] = context->Intermediate_Hash[`0`];
715	A[`1`] = context->Intermediate_Hash[`1`];
716	B[`0`] = context->Intermediate_Hash[`2`];
717	B[`1`] = context->Intermediate_Hash[`3`];
718	C[`0`] = context->Intermediate_Hash[`4`];
719	C[`1`] = context->Intermediate_Hash[`5`];
720	D[`0`] = context->Intermediate_Hash[`6`];
721	D[`1`] = context->Intermediate_Hash[`7`];
722	E[`0`] = context->Intermediate_Hash[`8`];
723	E[`1`] = context->Intermediate_Hash[`9`];
724	F[`0`] = context->Intermediate_Hash[`10`];
725	F[`1`] = context->Intermediate_Hash[`11`];
726	G[`0`] = context->Intermediate_Hash[`12`];
727	G[`1`] = context->Intermediate_Hash[`13`];
728	H[`0`] = context->Intermediate_Hash[`14`];
729	H[`1`] = context->Intermediate_Hash[`15`];
730
731	for (t = t2 = `0`; t < `80`; t++, t2 += `2`) {
732	/*
733	* temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
734	*/
735	SHA512_SIGMA1(E,temp1);
736	SHA512_ADD(H, temp1, temp2);
737	SHA_Ch(E,F,G,temp3);
738	SHA512_ADD(temp2, temp3, temp4);
739	SHA512_ADD(&K[t2], &W[t2], temp5);
740	SHA512_ADD(temp4, temp5, temp1);
741	/*
742	* temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
743	*/
744	SHA512_SIGMA0(A,temp3);
745	SHA_Maj(A,B,C,temp4);
746	SHA512_ADD(temp3, temp4, temp2);
747	H[`0`] = G[`0`]; H[`1`] = G[`1`];
748	G[`0`] = F[`0`]; G[`1`] = F[`1`];
749	F[`0`] = E[`0`]; F[`1`] = E[`1`];
750	SHA512_ADD(D, temp1, E);
751	D[`0`] = C[`0`]; D[`1`] = C[`1`];
752	C[`0`] = B[`0`]; C[`1`] = B[`1`];
753	B[`0`] = A[`0`]; B[`1`] = A[`1`];
754	SHA512_ADD(temp1, temp2, A);
755	}
756
757	SHA512_ADDTO2(&context->Intermediate_Hash[`0`], A);
758	SHA512_ADDTO2(&context->Intermediate_Hash[`2`], B);
759	SHA512_ADDTO2(&context->Intermediate_Hash[`4`], C);
760	SHA512_ADDTO2(&context->Intermediate_Hash[`6`], D);
761	SHA512_ADDTO2(&context->Intermediate_Hash[`8`], E);
762	SHA512_ADDTO2(&context->Intermediate_Hash[`10`], F);
763	SHA512_ADDTO2(&context->Intermediate_Hash[`12`], G);
764	SHA512_ADDTO2(&context->Intermediate_Hash[`14`], H);
765
766	#else /* !USE_32BIT_ONLY */
767	/ Constants defined in FIPS 180-3, section 4.2.3 /
768	static const uint64_t K[`80`] = {
769	`0x428A2F98D728AE22ull`, `0x7137449123EF65CDull`, `0xB5C0FBCFEC4D3B2Full`,
770	`0xE9B5DBA58189DBBCull`, `0x3956C25BF348B538ull`, `0x59F111F1B605D019ull`,
771	`0x923F82A4AF194F9Bull`, `0xAB1C5ED5DA6D8118ull`, `0xD807AA98A3030242ull`,
772	`0x12835B0145706FBEull`, `0x243185BE4EE4B28Cull`, `0x550C7DC3D5FFB4E2ull`,
773	`0x72BE5D74F27B896Full`, `0x80DEB1FE3B1696B1ull`, `0x9BDC06A725C71235ull`,
774	`0xC19BF174CF692694ull`, `0xE49B69C19EF14AD2ull`, `0xEFBE4786384F25E3ull`,
775	`0x0FC19DC68B8CD5B5ull`, `0x240CA1CC77AC9C65ull`, `0x2DE92C6F592B0275ull`,
776	`0x4A7484AA6EA6E483ull`, `0x5CB0A9DCBD41FBD4ull`, `0x76F988DA831153B5ull`,
777	`0x983E5152EE66DFABull`, `0xA831C66D2DB43210ull`, `0xB00327C898FB213Full`,
778	`0xBF597FC7BEEF0EE4ull`, `0xC6E00BF33DA88FC2ull`, `0xD5A79147930AA725ull`,
779	`0x06CA6351E003826Full`, `0x142929670A0E6E70ull`, `0x27B70A8546D22FFCull`,
780	`0x2E1B21385C26C926ull`, `0x4D2C6DFC5AC42AEDull`, `0x53380D139D95B3DFull`,
781	`0x650A73548BAF63DEull`, `0x766A0ABB3C77B2A8ull`, `0x81C2C92E47EDAEE6ull`,
782	`0x92722C851482353Bull`, `0xA2BFE8A14CF10364ull`, `0xA81A664BBC423001ull`,
783	`0xC24B8B70D0F89791ull`, `0xC76C51A30654BE30ull`, `0xD192E819D6EF5218ull`,
784	`0xD69906245565A910ull`, `0xF40E35855771202Aull`, `0x106AA07032BBD1B8ull`,
785	`0x19A4C116B8D2D0C8ull`, `0x1E376C085141AB53ull`, `0x2748774CDF8EEB99ull`,
786	`0x34B0BCB5E19B48A8ull`, `0x391C0CB3C5C95A63ull`, `0x4ED8AA4AE3418ACBull`,
787	`0x5B9CCA4F7763E373ull`, `0x682E6FF3D6B2B8A3ull`, `0x748F82EE5DEFB2FCull`,
788	`0x78A5636F43172F60ull`, `0x84C87814A1F0AB72ull`, `0x8CC702081A6439ECull`,
789	`0x90BEFFFA23631E28ull`, `0xA4506CEBDE82BDE9ull`, `0xBEF9A3F7B2C67915ull`,
790	`0xC67178F2E372532Bull`, `0xCA273ECEEA26619Cull`, `0xD186B8C721C0C207ull`,
791	`0xEADA7DD6CDE0EB1Eull`, `0xF57D4F7FEE6ED178ull`, `0x06F067AA72176FBAull`,
792	`0x0A637DC5A2C898A6ull`, `0x113F9804BEF90DAEull`, `0x1B710B35131C471Bull`,
793	`0x28DB77F523047D84ull`, `0x32CAAB7B40C72493ull`, `0x3C9EBE0A15C9BEBCull`,
794	`0x431D67C49C100D4Cull`, `0x4CC5D4BECB3E42B6ull`, `0x597F299CFC657E2Aull`,
795	`0x5FCB6FAB3AD6FAECull`, `0x6C44198C4A475817ull`
796	};
797	int t, t8; / Loop counter /
798	uint64_t temp1, temp2; / Temporary word value /
799	uint64_t W[`80`]; / Word sequence /
800	uint64_t A, B, C, D, E, F, G, H; / Word buffers /
801
802	/*
803	* Initialize the first 16 words in the array W
804	*/
805	for (t = t8 = `0`; t < `16`; t++, t8 += `8`)
806	W[t] = ((uint64_t)(context->Message_Block[t8 ]) << `56`) \|
807	((uint64_t)(context->Message_Block[t8 + `1`]) << `48`) \|
808	((uint64_t)(context->Message_Block[t8 + `2`]) << `40`) \|
809	((uint64_t)(context->Message_Block[t8 + `3`]) << `32`) \|
810	((uint64_t)(context->Message_Block[t8 + `4`]) << `24`) \|
811	((uint64_t)(context->Message_Block[t8 + `5`]) << `16`) \|
812	((uint64_t)(context->Message_Block[t8 + `6`]) << `8`) \|
813	((uint64_t)(context->Message_Block[t8 + `7`]));
814
815	for (t = `16`; t < `80`; t++)
816	W[t] = SHA512_sigma1(W[t-`2`]) + W[t-`7`] +
817	SHA512_sigma0(W[t-`15`]) + W[t-`16`];
818	A = context->Intermediate_Hash[`0`];
819	B = context->Intermediate_Hash[`1`];
820	C = context->Intermediate_Hash[`2`];
821	D = context->Intermediate_Hash[`3`];
822	E = context->Intermediate_Hash[`4`];
823	F = context->Intermediate_Hash[`5`];
824	G = context->Intermediate_Hash[`6`];
825	H = context->Intermediate_Hash[`7`];
826
827	for (t = `0`; t < `80`; t++) {
828	temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
829	temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
830	H = G;
831	G = F;
832	F = E;
833	E = D + temp1;
834	D = C;
835	C = B;
836	B = A;
837	A = temp1 + temp2;
838	}
839
840	context->Intermediate_Hash[`0`] += A;
841	context->Intermediate_Hash[`1`] += B;
842	context->Intermediate_Hash[`2`] += C;
843	context->Intermediate_Hash[`3`] += D;
844	context->Intermediate_Hash[`4`] += E;
845	context->Intermediate_Hash[`5`] += F;
846	context->Intermediate_Hash[`6`] += G;
847	context->Intermediate_Hash[`7`] += H;
848	#endif /* USE_32BIT_ONLY */
849
850	context->Message_Block_Index = `0`;
851	}
852
853	/*
854	* SHA384_512Finalize
855	*
856	* Description:
857	* This helper function finishes off the digest calculations.
858	*
859	* Parameters:
860	* context: [in/out]
861	* The SHA context to update.
862	* Pad_Byte: [in]
863	* The last byte to add to the message block before the 0-padding
864	* and length. This will contain the last bits of the message
865	* followed by another single bit. If the message was an
866	* exact multiple of 8-bits long, Pad_Byte will be 0x80.
867	*
868	* Returns:
869	* sha Error Code.
870	*
871	*/
872	static void SHA384_512Finalize(SHA512Context *context,
873	uint8_t Pad_Byte)
874	{
875	int_least16_t i;
876	SHA384_512PadMessage(context, Pad_Byte);
877	/ message may be sensitive, clear it out /
878	for (i = `0`; i < SHA512_Message_Block_Size; ++i)
879	context->Message_Block[i] = `0`;
880	#ifdef USE_32BIT_ONLY /* and clear length */
881	context->Length[`0`] = context->Length[`1`] = `0`;
882	context->Length[`2`] = context->Length[`3`] = `0`;
883	#else /* !USE_32BIT_ONLY */
884	context->Length_High = context->Length_Low = `0`;
885	#endif /* USE_32BIT_ONLY */
886	context->Computed = `1`;
887	}
888
889	/*
890	* SHA384_512PadMessage
891	*
892	* Description:
893	* According to the standard, the message must be padded to the next
894	* even multiple of 1024 bits. The first padding bit must be a '1'.
895	* The last 128 bits represent the length of the original message.
896	* All bits in between should be 0. This helper function will
897	* pad the message according to those rules by filling the
898	* Message_Block array accordingly. When it returns, it can be
899	* assumed that the message digest has been computed.
900	*
901	* Parameters:
902	* context: [in/out]
903	* The context to pad.
904	* Pad_Byte: [in]
905	* The last byte to add to the message block before the 0-padding
906	* and length. This will contain the last bits of the message
907	* followed by another single bit. If the message was an
908	* exact multiple of 8-bits long, Pad_Byte will be 0x80.
909	*
910	* Returns:
911	* Nothing.
912	*
913	*/
914	static void SHA384_512PadMessage(SHA512Context *context,
915	uint8_t Pad_Byte)
916	{
917	/*
918	* Check to see if the current message block is too small to hold
919	* the initial padding bits and length. If so, we will pad the
920	* block, process it, and then continue padding into a second
921	* block.
922	*/
923	if (context->Message_Block_Index >= (SHA512_Message_Block_Size-`16`)) {
924	context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
925	while (context->Message_Block_Index < SHA512_Message_Block_Size)
926	context->Message_Block[context->Message_Block_Index++] = `0`;
927
928	SHA384_512ProcessMessageBlock(context);
929	} else
930	context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
931
932	while (context->Message_Block_Index < (SHA512_Message_Block_Size-`16`))
933	context->Message_Block[context->Message_Block_Index++] = `0`;
934
935	/*
936	* Store the message length as the last 16 octets
937	*/
938	#ifdef USE_32BIT_ONLY
939	context->Message_Block[`112`] = (uint8_t)(context->Length[`0`] >> `24`);
940	context->Message_Block[`113`] = (uint8_t)(context->Length[`0`] >> `16`);
941	context->Message_Block[`114`] = (uint8_t)(context->Length[`0`] >> `8`);
942	context->Message_Block[`115`] = (uint8_t)(context->Length[`0`]);
943	context->Message_Block[`116`] = (uint8_t)(context->Length[`1`] >> `24`);
944	context->Message_Block[`117`] = (uint8_t)(context->Length[`1`] >> `16`);
945	context->Message_Block[`118`] = (uint8_t)(context->Length[`1`] >> `8`);
946	context->Message_Block[`119`] = (uint8_t)(context->Length[`1`]);
947
948	context->Message_Block[`120`] = (uint8_t)(context->Length[`2`] >> `24`);
949	context->Message_Block[`121`] = (uint8_t)(context->Length[`2`] >> `16`);
950	context->Message_Block[`122`] = (uint8_t)(context->Length[`2`] >> `8`);
951	context->Message_Block[`123`] = (uint8_t)(context->Length[`2`]);
952	context->Message_Block[`124`] = (uint8_t)(context->Length[`3`] >> `24`);
953	context->Message_Block[`125`] = (uint8_t)(context->Length[`3`] >> `16`);
954	context->Message_Block[`126`] = (uint8_t)(context->Length[`3`] >> `8`);
955	context->Message_Block[`127`] = (uint8_t)(context->Length[`3`]);
956	#else /* !USE_32BIT_ONLY */
957	context->Message_Block[`112`] = (uint8_t)(context->Length_High >> `56`);
958	context->Message_Block[`113`] = (uint8_t)(context->Length_High >> `48`);
959	context->Message_Block[`114`] = (uint8_t)(context->Length_High >> `40`);
960	context->Message_Block[`115`] = (uint8_t)(context->Length_High >> `32`);
961	context->Message_Block[`116`] = (uint8_t)(context->Length_High >> `24`);
962	context->Message_Block[`117`] = (uint8_t)(context->Length_High >> `16`);
963	context->Message_Block[`118`] = (uint8_t)(context->Length_High >> `8`);
964	context->Message_Block[`119`] = (uint8_t)(context->Length_High);
965
966	context->Message_Block[`120`] = (uint8_t)(context->Length_Low >> `56`);
967	context->Message_Block[`121`] = (uint8_t)(context->Length_Low >> `48`);
968	context->Message_Block[`122`] = (uint8_t)(context->Length_Low >> `40`);
969	context->Message_Block[`123`] = (uint8_t)(context->Length_Low >> `32`);
970	context->Message_Block[`124`] = (uint8_t)(context->Length_Low >> `24`);
971	context->Message_Block[`125`] = (uint8_t)(context->Length_Low >> `16`);
972	context->Message_Block[`126`] = (uint8_t)(context->Length_Low >> `8`);
973	context->Message_Block[`127`] = (uint8_t)(context->Length_Low);
974	#endif /* USE_32BIT_ONLY */
975
976	SHA384_512ProcessMessageBlock(context);
977	}
978
979	/*
980	* SHA384_512ResultN
981	*
982	* Description:
983	* This helper function will return the 384-bit or 512-bit message
984	* digest into the Message_Digest array provided by the caller.
985	* NOTE:
986	* The first octet of hash is stored in the element with index 0,
987	* the last octet of hash in the element with index 47/63.
988	*
989	* Parameters:
990	* context: [in/out]
991	* The context to use to calculate the SHA hash.
992	* Message_Digest[ ]: [out]
993	* Where the digest is returned.
994	* HashSize: [in]
995	* The size of the hash, either 48 or 64.
996	*
997	* Returns:
998	* sha Error Code.
999	*
1000	*/
1001	static int SHA384_512ResultN(SHA512Context *context,
1002	uint8_t Message_Digest[ ], int HashSize)
1003	{
1004	int i;
1005	#ifdef USE_32BIT_ONLY
1006	int i2;
1007	#endif /* USE_32BIT_ONLY */
1008
1009	if (!context) return shaNull;
1010	if (!Message_Digest) return shaNull;
1011	if (context->Corrupted) return context->Corrupted;
1012
1013	if (!context->Computed)
1014	SHA384_512Finalize(context, Pad_Byte: `0x80`);
1015
1016	#ifdef USE_32BIT_ONLY
1017	for (i = i2 = `0`; i < HashSize; ) {
1018	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>`24`);
1019	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>`16`);
1020	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>`8`);
1021	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
1022	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>`24`);
1023	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>`16`);
1024	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>`8`);
1025	Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
1026	}
1027	#else /* !USE_32BIT_ONLY */
1028	for (i = `0`; i < HashSize; ++i)
1029	Message_Digest[i] = (uint8_t)
1030	(context->Intermediate_Hash[i>>`3`] >> `8` * ( `7` - ( i % `8` ) ));
1031	#endif /* USE_32BIT_ONLY */
1032
1033	return shaSuccess;
1034	}
1035

source code of qtbase/src/3rdparty/rfc6234/sha384-512.c