/* sha512.c

 *

 * Copyright (C) 2006-2025 wolfSSL Inc.

 *

 * This file is part of wolfSSL.

 *

 * wolfSSL is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 3 of the License, or

 * (at your option) any later version.

 *

 * wolfSSL is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA

 */

#include <wolfssl/wolfcrypt/libwolfssl_sources.h>

#if (defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)) && \

    !defined(WOLFSSL_RISCV_ASM)

/* determine if we are using Espressif SHA hardware acceleration */

#undef WOLFSSL_USE_ESP32_CRYPT_HASH_HW

#if defined(WOLFSSL_ESP32_CRYPT) && !defined(NO_WOLFSSL_ESP32_CRYPT_HASH)

    #include "sdkconfig.h"

    /* Define a single keyword for simplicity & readability.

     *

     * By default the HW acceleration is on for ESP32 Chipsets,

     * but individual components can be turned off. See user_settings.h

     */

    #define TAG "wc_sha_512"

    #define WOLFSSL_USE_ESP32_CRYPT_HASH_HW

#else

    #undef WOLFSSL_USE_ESP32_CRYPT_HASH_HW

#endif

#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)

    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */

    #define FIPS_NO_WRAPPERS

    #ifdef USE_WINDOWS_API

        #pragma code_seg(".fipsA$m")

        #pragma const_seg(".fipsB$m")

    #endif

#endif

#include <wolfssl/wolfcrypt/sha512.h>

#include <wolfssl/wolfcrypt/cpuid.h>

#include <wolfssl/wolfcrypt/hash.h>

#ifdef WOLF_CRYPTO_CB

    #include <wolfssl/wolfcrypt/cryptocb.h>

#endif

#ifdef WOLFSSL_IMXRT1170_CAAM

    #include <wolfssl/wolfcrypt/port/caam/wolfcaam_fsl_nxp.h>

#endif

/* deprecated USE_SLOW_SHA2 (replaced with USE_SLOW_SHA512) */

#if defined(USE_SLOW_SHA2) && !defined(USE_SLOW_SHA512)

    #define USE_SLOW_SHA512

#endif

#ifdef NO_INLINE

    #include <wolfssl/wolfcrypt/misc.h>

#else

    #define WOLFSSL_MISC_INCLUDED

    #include <wolfcrypt/src/misc.c>

#endif

#if FIPS_VERSION3_GE(6,0,0)

    const unsigned int wolfCrypt_FIPS_sha512_ro_sanity[2] =

                                                     { 0x1a2b3c4d, 0x00000015 };

    int wolfCrypt_FIPS_SHA512_sanity(void)

    {

        return 0;

    }

#endif

#if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)

    #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>

#endif

#if defined(MAX3266X_SHA)

    /* Already brought in by sha512.h */

    /* #include <wolfssl/wolfcrypt/port/maxim/max3266x.h> */

#endif

#if defined(WOLFSSL_PSOC6_CRYPTO)

    #include <wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h>

#endif

#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP)

    #if defined(__GNUC__) && ((__GNUC__ < 4) || \

                              (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))

        #undef  NO_AVX2_SUPPORT

        #define NO_AVX2_SUPPORT

    #endif

    #if defined(__clang__) && ((__clang_major__ < 3) || \

                               (__clang_major__ == 3 && __clang_minor__ <= 5))

        #define NO_AVX2_SUPPORT

    #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)

        #undef NO_AVX2_SUPPORT

    #endif

    #define HAVE_INTEL_AVX1

    #ifndef NO_AVX2_SUPPORT

        #define HAVE_INTEL_AVX2

    #endif

#endif

#if defined(HAVE_INTEL_AVX1)

    /* #define DEBUG_XMM  */

#endif

#if defined(HAVE_INTEL_AVX2)

    #define HAVE_INTEL_RORX

    /* #define DEBUG_YMM  */

#endif

#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH) && \

    !defined(WOLFSSL_QNX_CAAM)

    /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */

#elif defined(WOLFSSL_SILABS_SHA512)

    /* functions defined in wolfcrypt/src/port/silabs/silabs_hash.c */

#elif defined(WOLFSSL_KCAPI_HASH)

    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */

#elif defined(WOLFSSL_RENESAS_RSIP) && \

     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)

    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#elif defined(MAX3266X_SHA)

    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */

#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)

    int wc_InitSha512(wc_Sha512* sha512)

    {

        if (sha512 == NULL)

            return BAD_FUNC_ARG;

        return se050_hash_init(&sha512->se050Ctx, NULL);

    }

    int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)

    {

        if (sha512 == NULL) {

            return BAD_FUNC_ARG;

        }

        (void)devId;

        return se050_hash_init(&sha512->se050Ctx, heap);

    }

    int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)

    {

        if (sha512 == NULL) {

            return BAD_FUNC_ARG;

        }

        if (data == NULL && len == 0) {

            /* valid, but do nothing */

            return 0;

        }

        if (data == NULL) {

            return BAD_FUNC_ARG;

        }

        return se050_hash_update(&sha512->se050Ctx, data, len);

    }

    int wc_Sha512Final(wc_Sha512* sha512, byte* hash)

    {

        int ret = 0;

        int devId = INVALID_DEVID;

        if (sha512 == NULL) {

            return BAD_FUNC_ARG;

        }

    #ifdef WOLF_CRYPTO_CB

        devId = sha512->devId;

    #endif

        ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,

                               kAlgorithm_SSS_SHA512);

        return ret;

    }

    int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)

    {

        int ret = 0;

        int devId = INVALID_DEVID;

        if (sha512 == NULL) {

            return BAD_FUNC_ARG;

        }

    #ifdef WOLF_CRYPTO_CB

        devId = sha512->devId;

    #endif

        ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,

                               kAlgorithm_SSS_SHA512);

        return ret;

    }

    void wc_Sha512Free(wc_Sha512* sha512)

    {

        se050_hash_free(&sha512->se050Ctx);

    }

#elif defined(STM32_HASH_SHA512)

    /* Supports CubeMX HAL or Standard Peripheral Library */

    int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)

    {

        if (sha512 == NULL)

            return BAD_FUNC_ARG;

        (void)devId;

        (void)heap;

        XMEMSET(sha512, 0, sizeof(wc_Sha512));

        wc_Stm32_Hash_Init(&sha512->stmCtx);

        return 0;

    }

    int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)

    {

        int ret = 0;

        if (sha512 == NULL) {

            return BAD_FUNC_ARG;

        }

        if (data == NULL && len == 0) {

            /* valid, but do nothing */

            return 0;

        }

        if (data == NULL) {

            return BAD_FUNC_ARG;

        }

        ret = wolfSSL_CryptHwMutexLock();

        if (ret == 0) {

            ret = wc_Stm32_Hash_Update(&sha512->stmCtx,

                HASH_ALGOSELECTION_SHA512, data, len, WC_SHA512_BLOCK_SIZE);

            wolfSSL_CryptHwMutexUnLock();

        }

        return ret;

    }

    int wc_Sha512Final(wc_Sha512* sha512, byte* hash)

    {

        int ret = 0;

        if (sha512 == NULL || hash == NULL) {

            return BAD_FUNC_ARG;

        }

        ret = wolfSSL_CryptHwMutexLock();

        if (ret == 0) {

            ret = wc_Stm32_Hash_Final(&sha512->stmCtx,

                HASH_ALGOSELECTION_SHA512, hash, WC_SHA512_DIGEST_SIZE);

            wolfSSL_CryptHwMutexUnLock();

        }

        (void)wc_InitSha512(sha512); /* reset state */

        return ret;

    }

#elif defined(PSOC6_HASH_SHA2)

    /* Functions defined in wolfcrypt/src/port/cypress/psoc6_crypto.c */

#else

#ifdef WOLFSSL_SHA512

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \

     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \

    defined(WOLFSSL_ARMASM)

#ifdef WC_C_DYNAMIC_FALLBACK

    #define SHA512_SETTRANSFORM_ARGS int *sha_method

#else

    #define SHA512_SETTRANSFORM_ARGS void

#endif

static void Sha512_SetTransform(SHA512_SETTRANSFORM_ARGS);

#endif

static int InitSha512(wc_Sha512* sha512)

{

    if (sha512 == NULL)

        return BAD_FUNC_ARG;

    sha512->digest[0] = W64LIT(0x6a09e667f3bcc908);

    sha512->digest[1] = W64LIT(0xbb67ae8584caa73b);

    sha512->digest[2] = W64LIT(0x3c6ef372fe94f82b);

    sha512->digest[3] = W64LIT(0xa54ff53a5f1d36f1);

    sha512->digest[4] = W64LIT(0x510e527fade682d1);

    sha512->digest[5] = W64LIT(0x9b05688c2b3e6c1f);

    sha512->digest[6] = W64LIT(0x1f83d9abfb41bd6b);

    sha512->digest[7] = W64LIT(0x5be0cd19137e2179);

    sha512->buffLen = 0;

    sha512->loLen   = 0;

    sha512->hiLen   = 0;

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \

     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \

    defined(WOLFSSL_ARMASM)

#ifdef WC_C_DYNAMIC_FALLBACK

    sha512->sha_method = 0;

    Sha512_SetTransform(&sha512->sha_method);

#else

    Sha512_SetTransform();

#endif

#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \

   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)

    /* HW needs to be carefully initialized, taking into account soft copy.

    ** If already in use; copy may revert to SW as needed. */

    esp_sha_init(&(sha512->ctx), WC_HASH_TYPE_SHA512);

#endif

#ifdef WOLFSSL_HASH_FLAGS

    sha512->flags = 0;

#endif

#if defined(WOLFSSL_SHA512_HASHTYPE)

    sha512->hashType = WC_HASH_TYPE_SHA512;

#endif /* WOLFSSL_SHA512_HASHTYPE */

    return 0;

}

#if !defined(WOLFSSL_NOSHA512_224) && \

   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)

/**

 * Initialize given wc_Sha512 structure with value specific to sha512/224.

 * Note that sha512/224 has different initial hash value from sha512.

 * The initial hash value consists of eight 64bit words. They are given

 * in FIPS180-4.

 */

static int InitSha512_224(wc_Sha512* sha512)

{

    if (sha512 == NULL)

        return BAD_FUNC_ARG;

    sha512->digest[0] = W64LIT(0x8c3d37c819544da2);

    sha512->digest[1] = W64LIT(0x73e1996689dcd4d6);

    sha512->digest[2] = W64LIT(0x1dfab7ae32ff9c82);

    sha512->digest[3] = W64LIT(0x679dd514582f9fcf);

    sha512->digest[4] = W64LIT(0x0f6d2b697bd44da8);

    sha512->digest[5] = W64LIT(0x77e36f7304c48942);

    sha512->digest[6] = W64LIT(0x3f9d85a86a1d36c8);

    sha512->digest[7] = W64LIT(0x1112e6ad91d692a1);

    sha512->buffLen = 0;

    sha512->loLen   = 0;

    sha512->hiLen   = 0;

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \

     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \

    defined(WOLFSSL_ARMASM)

#ifdef WC_C_DYNAMIC_FALLBACK

    sha512->sha_method = 0;

    Sha512_SetTransform(&sha512->sha_method);

#else

    Sha512_SetTransform();

#endif

#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \

   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)

    /* HW needs to be carefully initialized, taking into account soft copy.

    ** If already in use; copy may revert to SW as needed.

    **

    ** Note for original ESP32, there's no HW for SHA512/224

    */

    esp_sha_init(&(sha512->ctx), WC_HASH_TYPE_SHA512_224);

#endif

#ifdef WOLFSSL_HASH_FLAGS

    sha512->flags = 0;

#endif

#if defined(WOLFSSL_SHA512_HASHTYPE)

    sha512->hashType = WC_HASH_TYPE_SHA512_224;

#endif /* WOLFSSL_SHA512_HASHTYPE */

    return 0;

}

#endif /* !WOLFSSL_NOSHA512_224 && !FIPS ... */

#if !defined(WOLFSSL_NOSHA512_256) && \

   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)

/**

 * Initialize given wc_Sha512 structure with value specific to sha512/256.

 * Note that sha512/256 has different initial hash value from sha512.

 * The initial hash value consists of eight 64bit words. They are given

 * in FIPS180-4.

 */

static int InitSha512_256(wc_Sha512* sha512)

{

    if (sha512 == NULL)

        return BAD_FUNC_ARG;

    sha512->digest[0] = W64LIT(0x22312194fc2bf72c);

    sha512->digest[1] = W64LIT(0x9f555fa3c84c64c2);

    sha512->digest[2] = W64LIT(0x2393b86b6f53b151);

    sha512->digest[3] = W64LIT(0x963877195940eabd);

    sha512->digest[4] = W64LIT(0x96283ee2a88effe3);

    sha512->digest[5] = W64LIT(0xbe5e1e2553863992);

    sha512->digest[6] = W64LIT(0x2b0199fc2c85b8aa);

    sha512->digest[7] = W64LIT(0x0eb72ddc81c52ca2);

    sha512->buffLen = 0;

    sha512->loLen   = 0;

    sha512->hiLen   = 0;

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \

     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \

    defined(WOLFSSL_ARMASM)

#ifdef WC_C_DYNAMIC_FALLBACK

    sha512->sha_method = 0;

    Sha512_SetTransform(&sha512->sha_method);

#else

    Sha512_SetTransform();

#endif

#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \

   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)

    /* HW needs to be carefully initialized, taking into account soft copy.

    ** If already in use; copy may revert to SW as needed.

    **

    ** Note for original ESP32, there's no HW for SHA512/2256.

    */

    esp_sha_init(&(sha512->ctx), WC_HASH_TYPE_SHA512_256);

#endif

#ifdef WOLFSSL_HASH_FLAGS

    sha512->flags = 0;

#endif

#if defined(WOLFSSL_SHA512_HASHTYPE)

    sha512->hashType = WC_HASH_TYPE_SHA512_256;

#endif /* WOLFSSL_SHA512_HASHTYPE */

    return 0;

}

#endif /* !WOLFSSL_NOSHA512_256 && !FIPS... */

#endif /* WOLFSSL_SHA512 */

/* Hardware Acceleration */

#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \

    (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))

    /*****

    Intel AVX1/AVX2 Macro Control Structure

    #if defined(HAVE_INTEL_SPEEDUP)

        #define HAVE_INTEL_AVX1

        #define HAVE_INTEL_AVX2

    #endif

    int InitSha512(wc_Sha512* sha512) {

         Save/Recover XMM, YMM

         ...

         Check Intel AVX cpuid flags

    }

    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)

      Transform_Sha512_AVX1(); # Function prototype

      Transform_Sha512_AVX2(); #

    #endif

      _Transform_Sha512() {     # Native Transform Function body

      }

      int Sha512Update() {

         Save/Recover XMM, YMM

         ...

      }

      int Sha512Final() {

         Save/Recover XMM, YMM

         ...

      }

    #if defined(HAVE_INTEL_AVX1)

       XMM Instructions/INLINE asm Definitions

    #endif

    #if defined(HAVE_INTEL_AVX2)

       YMM Instructions/INLINE asm Definitions

    #endif

    #if defined(HAVE_INTEL_AVX1)

      int Transform_Sha512_AVX1() {

          Stitched Message Sched/Round

      }

    #endif

    #if defined(HAVE_INTEL_AVX2)

      int Transform_Sha512_AVX2() {

          Stitched Message Sched/Round

      }

    #endif

    */

    /* Each platform needs to query info type 1 from cpuid to see if aesni is

     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts

     */

#ifdef __cplusplus

    extern "C" {

#endif

    #if defined(HAVE_INTEL_AVX1)

        extern int Transform_Sha512_AVX1(wc_Sha512 *sha512);

        extern int Transform_Sha512_AVX1_Len(wc_Sha512 *sha512, word32 len);

    #endif

    #if defined(HAVE_INTEL_AVX2)

        extern int Transform_Sha512_AVX2(wc_Sha512 *sha512);

        extern int Transform_Sha512_AVX2_Len(wc_Sha512 *sha512, word32 len);

        #if defined(HAVE_INTEL_RORX)

            extern int Transform_Sha512_AVX1_RORX(wc_Sha512 *sha512);

            extern int Transform_Sha512_AVX1_RORX_Len(wc_Sha512 *sha512,

                                                      word32 len);

            extern int Transform_Sha512_AVX2_RORX(wc_Sha512 *sha512);

            extern int Transform_Sha512_AVX2_RORX_Len(wc_Sha512 *sha512,

                                                      word32 len);

        #endif

    #endif

#ifdef __cplusplus

    }  /* extern "C" */

#endif

    static cpuid_flags_t intel_flags = WC_CPUID_INITIALIZER;

#if defined(WC_C_DYNAMIC_FALLBACK) && !defined(WC_NO_INTERNAL_FUNCTION_POINTERS)

    #define WC_NO_INTERNAL_FUNCTION_POINTERS

#endif

    static int _Transform_Sha512(wc_Sha512 *sha512);

#ifdef WC_NO_INTERNAL_FUNCTION_POINTERS

    enum sha_methods { SHA512_UNSET = 0, SHA512_AVX1, SHA512_AVX2,

                       SHA512_AVX1_RORX, SHA512_AVX2_RORX, SHA512_C };

#ifndef WC_C_DYNAMIC_FALLBACK

    /* note that all write access to this static variable must be idempotent,

     * as arranged by Sha512_SetTransform(), else it will be susceptible to

     * data races.

     */

    static enum sha_methods sha_method = SHA512_UNSET;

#endif

    static void Sha512_SetTransform(SHA512_SETTRANSFORM_ARGS)

    {

    #ifdef WC_C_DYNAMIC_FALLBACK

        #define SHA_METHOD (*sha_method)

    #else

        #define SHA_METHOD sha_method

    #endif

        if (SHA_METHOD != SHA512_UNSET)

            return;

    #ifdef WC_C_DYNAMIC_FALLBACK

        if (! CAN_SAVE_VECTOR_REGISTERS()) {

            SHA_METHOD = SHA512_C;

            return;

        }

    #endif

        cpuid_get_flags_ex(&intel_flags);

    #if defined(HAVE_INTEL_AVX2)

        if (IS_INTEL_AVX2(intel_flags)) {

        #ifdef HAVE_INTEL_RORX

            if (IS_INTEL_BMI2(intel_flags)) {

                SHA_METHOD = SHA512_AVX2_RORX;

            }

            else

        #endif

            {

                SHA_METHOD = SHA512_AVX2;

            }

        }

        else

    #endif

    #if defined(HAVE_INTEL_AVX1)

        if (IS_INTEL_AVX1(intel_flags)) {

        #ifdef HAVE_INTEL_RORX

            if (IS_INTEL_BMI2(intel_flags)) {

                SHA_METHOD = SHA512_AVX1_RORX;

            }

            else

        #endif

            {

                SHA_METHOD = SHA512_AVX1;

            }

        }

        else

    #endif

        {

            SHA_METHOD = SHA512_C;

        }

    #undef SHA_METHOD

    }

    static WC_INLINE int Transform_Sha512(wc_Sha512 *sha512) {

    #ifdef WC_C_DYNAMIC_FALLBACK

        #define SHA_METHOD (sha512->sha_method)

    #else

        #define SHA_METHOD sha_method

    #endif

        int ret;

        if (SHA_METHOD == SHA512_C)

            return _Transform_Sha512(sha512);

        SAVE_VECTOR_REGISTERS(return _svr_ret;);

        switch (SHA_METHOD) {

        case SHA512_AVX2:

            ret = Transform_Sha512_AVX2(sha512);

            break;

        case SHA512_AVX2_RORX:

            ret = Transform_Sha512_AVX2_RORX(sha512);

            break;

        case SHA512_AVX1:

            ret = Transform_Sha512_AVX1(sha512);

            break;

        case SHA512_AVX1_RORX:

            ret = Transform_Sha512_AVX1_RORX(sha512);

            break;

        case SHA512_C:

        case SHA512_UNSET:

        default:

            ret = _Transform_Sha512(sha512);

            break;

        }

        RESTORE_VECTOR_REGISTERS();

        return ret;

    #undef SHA_METHOD

    }

    static WC_INLINE int Transform_Sha512_Len(wc_Sha512 *sha512, word32 len) {

    #ifdef WC_C_DYNAMIC_FALLBACK

        #define SHA_METHOD (sha512->sha_method)

    #else

        #define SHA_METHOD sha_method

    #endif

        int ret;

        SAVE_VECTOR_REGISTERS(return _svr_ret;);

        switch (SHA_METHOD) {

        case SHA512_AVX2:

            ret = Transform_Sha512_AVX2_Len(sha512, len);

            break;

        case SHA512_AVX2_RORX:

            ret = Transform_Sha512_AVX2_RORX_Len(sha512, len);

            break;

        case SHA512_AVX1:

            ret = Transform_Sha512_AVX1_Len(sha512, len);

            break;

        case SHA512_AVX1_RORX:

            ret = Transform_Sha512_AVX1_RORX_Len(sha512, len);

            break;

        case SHA512_C:

        case SHA512_UNSET:

        default:

            ret = 0;

            break;

        }

        RESTORE_VECTOR_REGISTERS();

        return ret;

    #undef SHA_METHOD

    }

#else /* !WC_NO_INTERNAL_FUNCTION_POINTERS */

    static int (*Transform_Sha512_p)(wc_Sha512* sha512) = _Transform_Sha512;

    static int (*Transform_Sha512_Len_p)(wc_Sha512* sha512, word32 len) = NULL;

    static int transform_check = 0;

    static int Transform_Sha512_is_vectorized = 0;

    static WC_INLINE int Transform_Sha512(wc_Sha512 *sha512) {

        int ret;

    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS

        if (Transform_Sha512_is_vectorized)

            SAVE_VECTOR_REGISTERS(return _svr_ret;);

    #endif

        ret = (*Transform_Sha512_p)(sha512);

    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS

        if (Transform_Sha512_is_vectorized)

            RESTORE_VECTOR_REGISTERS();

    #endif

        return ret;

    }

    static WC_INLINE int Transform_Sha512_Len(wc_Sha512 *sha512, word32 len) {

        int ret;

    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS

        if (Transform_Sha512_is_vectorized)

            SAVE_VECTOR_REGISTERS(return _svr_ret;);

    #endif

        ret = (*Transform_Sha512_Len_p)(sha512, len);

    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS

        if (Transform_Sha512_is_vectorized)

            RESTORE_VECTOR_REGISTERS();

    #endif

        return ret;

    }

    static void Sha512_SetTransform(void)

    {

        if (transform_check)

            return;

        cpuid_get_flags_ex(&intel_flags);

    #if defined(HAVE_INTEL_AVX2)

        if (IS_INTEL_AVX2(intel_flags)) {

        #ifdef HAVE_INTEL_RORX

            if (IS_INTEL_BMI2(intel_flags)) {

                Transform_Sha512_p = Transform_Sha512_AVX2_RORX;

                Transform_Sha512_Len_p = Transform_Sha512_AVX2_RORX_Len;

                Transform_Sha512_is_vectorized = 1;

            }

            else

        #endif

            {

                Transform_Sha512_p = Transform_Sha512_AVX2;

                Transform_Sha512_Len_p = Transform_Sha512_AVX2_Len;

                Transform_Sha512_is_vectorized = 1;

            }

        }

        else

    #endif

    #if defined(HAVE_INTEL_AVX1)

        if (IS_INTEL_AVX1(intel_flags)) {

        #ifdef HAVE_INTEL_RORX

            if (IS_INTEL_BMI2(intel_flags)) {

                Transform_Sha512_p = Transform_Sha512_AVX1_RORX;

                Transform_Sha512_Len_p = Transform_Sha512_AVX1_RORX_Len;

                Transform_Sha512_is_vectorized = 1;

            }

            else

        #endif

            {

                Transform_Sha512_p = Transform_Sha512_AVX1;

                Transform_Sha512_Len_p = Transform_Sha512_AVX1_Len;

                Transform_Sha512_is_vectorized = 1;

            }

        }

        else

    #endif

        {

            Transform_Sha512_p = _Transform_Sha512;

            Transform_Sha512_Len_p = NULL;

            Transform_Sha512_is_vectorized = 0;

        }

        transform_check = 1;

    }

#endif /* !WC_NO_INTERNAL_FUNCTION_POINTERS */

#elif defined(WOLFSSL_ARMASM)

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_NO_NEON)

#error "No SHA-512 implementation."

#endif

static int transform_check = 0;

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)

static word32 cpuid_flags = 0;

static int cpuid_flags_set = 0;

#endif

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)

static void Transform_Sha512_crypto(wc_Sha512* sha512, const byte* data)

{

    Transform_Sha512_Len_crypto(sha512, data, WC_SHA512_BLOCK_SIZE);

}

#endif

#if !defined(WOLFSSL_ARMASM_THUMB2) && !defined(WOLFSSL_ARMASM_NO_NEON)

static void Transform_Sha512_neon(wc_Sha512* sha512, const byte* data)

{

    Transform_Sha512_Len_neon(sha512, data, WC_SHA512_BLOCK_SIZE);

}

#endif

#if defined(WOLFSSL_ARMASM_THUMB2) || defined(WOLFSSL_ARMASM_NO_NEON)

static void Transform_Sha512_base(wc_Sha512* sha512, const byte* data)

{

    Transform_Sha512_Len_base(sha512, data, WC_SHA512_BLOCK_SIZE);

}

#endif

static void (*Transform_Sha512_p)(wc_Sha512* sha512, const byte* data) = NULL;

static void (*Transform_Sha512_Len_p)(wc_Sha512* sha512, const byte* data,

    word32 len) = NULL;

static WC_INLINE int Transform_Sha512(wc_Sha512 *sha512, const byte* data)

{

    (*Transform_Sha512_p)(sha512, data);

    return 0;

}

static WC_INLINE int Transform_Sha512_Len(wc_Sha512 *sha512, const byte* data,

    word32 len)

{

    (*Transform_Sha512_Len_p)(sha512, data, len);

    return 0;

}

static void Sha512_SetTransform(void)

{

    if (transform_check)

        return;

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)

    if (!cpuid_flags_set) {

        cpuid_flags = cpuid_get_flags();

        cpuid_flags_set = 1;

    }

#endif

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)

    if (IS_AARCH64_SHA512(cpuid_flags)) {

        Transform_Sha512_p = Transform_Sha512_crypto;

        Transform_Sha512_Len_p = Transform_Sha512_Len_crypto;

    }

    else

#endif

#if !defined(WOLFSSL_ARMASM_THUMB2) && !defined(WOLFSSL_ARMASM_NO_NEON)

    {

        Transform_Sha512_p = Transform_Sha512_neon;

        Transform_Sha512_Len_p = Transform_Sha512_Len_neon;

    }

#else

    {

        Transform_Sha512_p = Transform_Sha512_base;

        Transform_Sha512_Len_p = Transform_Sha512_Len_base;

    }

#endif

    transform_check = 1;

}

#else

    #define Transform_Sha512(sha512) _Transform_Sha512(sha512)

#endif

#ifdef WOLFSSL_SHA512

static int InitSha512_Family(wc_Sha512* sha512, void* heap, int devId,

                             int (*initfp)(wc_Sha512*))

{

    int ret = 0;

    if (sha512 == NULL) {

        return BAD_FUNC_ARG;

    }

    XMEMSET(sha512, 0, sizeof(*sha512));

    sha512->heap = heap;

#ifdef WOLFSSL_SMALL_STACK_CACHE

    /* This allocation combines the customary W buffer used by

     * _Transform_Sha512() with additional buffer space used by

     * wc_Sha512Transform().

     */

    sha512->W = (word64 *)XMALLOC((sizeof(word64) * 16) + WC_SHA512_BLOCK_SIZE,

                                  sha512->heap, DYNAMIC_TYPE_DIGEST);

    if (sha512->W == NULL)

        return MEMORY_E;

#endif

#ifdef WOLF_CRYPTO_CB

    sha512->devId = devId;

    sha512->devCtx = NULL;

#endif

#ifdef WOLFSSL_HASH_KEEP

    sha512->msg  = NULL;

#endif

    /* call the initialization function pointed to by initfp */

    ret = initfp(sha512);

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)

    if (ret == 0) {

        ret = wolfAsync_DevCtxInit(&sha512->asyncDev,

                        WOLFSSL_ASYNC_MARKER_SHA512, sha512->heap, devId);

    }

#else

    (void)devId;

#endif /* WOLFSSL_ASYNC_CRYPT */

#ifdef WOLFSSL_IMXRT1170_CAAM

    if (ret == 0)

        ret = wc_CAAM_HashInit(&sha512->hndl, &sha512->ctx, WC_HASH_TYPE_SHA512);

#endif

#ifdef WOLFSSL_SMALL_STACK_CACHE

    if (ret != 0) {

        XFREE(sha512->W, sha512->heap, DYNAMIC_TYPE_DIGEST);

        sha512->W = NULL;

    }

#endif

    return ret;

} /* InitSha512_Family */

int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)

{

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \

   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)

    if (sha512->ctx.mode != ESP32_SHA_INIT) {

        ESP_LOGV(TAG, "Set ctx mode from prior value: "

                      "%d", sha512->ctx.mode);

    }

    /* We know this is a fresh, uninitialized item, so set to INIT */

    sha512->ctx.mode = ESP32_SHA_INIT;

#endif

#ifdef MAX3266X_SHA_CB

    if (wc_MXC_TPU_SHA_Init(&(sha512->mxcCtx)) != 0){

        return BAD_FUNC_ARG;

    }

#endif

    return InitSha512_Family(sha512, heap, devId, InitSha512);

}

#if !defined(WOLFSSL_NOSHA512_224) && \

   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)

int wc_InitSha512_224_ex(wc_Sha512* sha512, void* heap, int devId)

{

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \

   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)

    /* No SHA512/224 HW support is available, set to SW. */

    sha512->ctx.mode = ESP32_SHA_SW; /* no SHA224 HW, so always SW */

#endif

    return InitSha512_Family(sha512, heap, devId, InitSha512_224);

}

#endif /* !WOLFSSL_NOSHA512_224 ... */

#if !defined(WOLFSSL_NOSHA512_256) && \

   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)

int wc_InitSha512_256_ex(wc_Sha512* sha512, void* heap, int devId)

{

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \

   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)

    /* No SHA512/256 HW support is available on ESP32, set to SW. */

    sha512->ctx.mode = ESP32_SHA_SW;

#endif

    return InitSha512_Family(sha512, heap, devId, InitSha512_256);

}

#endif /* !WOLFSSL_NOSHA512_256 ... */

#endif /* WOLFSSL_SHA512 */

#ifndef WOLFSSL_ARMASM

static const word64 K512[80] = {

    W64LIT(0x428a2f98d728ae22), W64LIT(0x7137449123ef65cd),

    W64LIT(0xb5c0fbcfec4d3b2f), W64LIT(0xe9b5dba58189dbbc),

    W64LIT(0x3956c25bf348b538), W64LIT(0x59f111f1b605d019),

    W64LIT(0x923f82a4af194f9b), W64LIT(0xab1c5ed5da6d8118),

    W64LIT(0xd807aa98a3030242), W64LIT(0x12835b0145706fbe),

    W64LIT(0x243185be4ee4b28c), W64LIT(0x550c7dc3d5ffb4e2),

    W64LIT(0x72be5d74f27b896f), W64LIT(0x80deb1fe3b1696b1),

    W64LIT(0x9bdc06a725c71235), W64LIT(0xc19bf174cf692694),

    W64LIT(0xe49b69c19ef14ad2), W64LIT(0xefbe4786384f25e3),

    W64LIT(0x0fc19dc68b8cd5b5), W64LIT(0x240ca1cc77ac9c65),

    W64LIT(0x2de92c6f592b0275), W64LIT(0x4a7484aa6ea6e483),

    W64LIT(0x5cb0a9dcbd41fbd4), W64LIT(0x76f988da831153b5),

    W64LIT(0x983e5152ee66dfab), W64LIT(0xa831c66d2db43210),

    W64LIT(0xb00327c898fb213f), W64LIT(0xbf597fc7beef0ee4),

    W64LIT(0xc6e00bf33da88fc2), W64LIT(0xd5a79147930aa725),

    W64LIT(0x06ca6351e003826f), W64LIT(0x142929670a0e6e70),

    W64LIT(0x27b70a8546d22ffc), W64LIT(0x2e1b21385c26c926),

    W64LIT(0x4d2c6dfc5ac42aed), W64LIT(0x53380d139d95b3df),

    W64LIT(0x650a73548baf63de), W64LIT(0x766a0abb3c77b2a8),

    W64LIT(0x81c2c92e47edaee6), W64LIT(0x92722c851482353b),

    W64LIT(0xa2bfe8a14cf10364), W64LIT(0xa81a664bbc423001),

    W64LIT(0xc24b8b70d0f89791), W64LIT(0xc76c51a30654be30),

    W64LIT(0xd192e819d6ef5218), W64LIT(0xd69906245565a910),

    W64LIT(0xf40e35855771202a), W64LIT(0x106aa07032bbd1b8),

    W64LIT(0x19a4c116b8d2d0c8), W64LIT(0x1e376c085141ab53),

    W64LIT(0x2748774cdf8eeb99), W64LIT(0x34b0bcb5e19b48a8),

    W64LIT(0x391c0cb3c5c95a63), W64LIT(0x4ed8aa4ae3418acb),

    W64LIT(0x5b9cca4f7763e373), W64LIT(0x682e6ff3d6b2b8a3),

    W64LIT(0x748f82ee5defb2fc), W64LIT(0x78a5636f43172f60),

    W64LIT(0x84c87814a1f0ab72), W64LIT(0x8cc702081a6439ec),

    W64LIT(0x90befffa23631e28), W64LIT(0xa4506cebde82bde9),

    W64LIT(0xbef9a3f7b2c67915), W64LIT(0xc67178f2e372532b),

    W64LIT(0xca273eceea26619c), W64LIT(0xd186b8c721c0c207),

    W64LIT(0xeada7dd6cde0eb1e), W64LIT(0xf57d4f7fee6ed178),

    W64LIT(0x06f067aa72176fba), W64LIT(0x0a637dc5a2c898a6),

    W64LIT(0x113f9804bef90dae), W64LIT(0x1b710b35131c471b),

    W64LIT(0x28db77f523047d84), W64LIT(0x32caab7b40c72493),

    W64LIT(0x3c9ebe0a15c9bebc), W64LIT(0x431d67c49c100d4c),

    W64LIT(0x4cc5d4becb3e42b6), W64LIT(0x597f299cfc657e2a),

    W64LIT(0x5fcb6fab3ad6faec), W64LIT(0x6c44198c4a475817)

};

#define blk0(i) (W[i] = sha512->buffer[i])

#define blk2(i) (\

               W[ (i)     & 15] += \

            s1(W[((i)-2)  & 15])+ \

               W[((i)-7)  & 15] + \

            s0(W[((i)-15) & 15])  \

        )

#define Ch(x,y,z)  ((z) ^ ((x) & ((y) ^ (z))))

#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))

#define a(i) T[(0-(i)) & 7]

#define b(i) T[(1-(i)) & 7]

#define c(i) T[(2-(i)) & 7]

#define d(i) T[(3-(i)) & 7]

#define e(i) T[(4-(i)) & 7]

#define f(i) T[(5-(i)) & 7]

#define g(i) T[(6-(i)) & 7]

#define h(i) T[(7-(i)) & 7]

#define S0(x) (rotrFixed64(x,28) ^ rotrFixed64(x,34) ^ rotrFixed64(x,39))

#define S1(x) (rotrFixed64(x,14) ^ rotrFixed64(x,18) ^ rotrFixed64(x,41))

#define s0(x) (rotrFixed64(x,1)  ^ rotrFixed64(x,8)  ^ ((x)>>7))

#define s1(x) (rotrFixed64(x,19) ^ rotrFixed64(x,61) ^ ((x)>>6))

#define R(i) \

    h(i) += S1(e(i)) + Ch(e(i),f(i),g(i)) + K[(i)+j] + (j ? blk2(i) : blk0(i)); \

    d(i) += h(i); \

    h(i) += S0(a(i)) + Maj(a(i),b(i),c(i))

static int _Transform_Sha512(wc_Sha512* sha512)

{

    const word64* K = K512;

    word32 j;

    word64 T[8];

#if defined(WOLFSSL_SMALL_STACK_CACHE)

    word64* W = sha512->W;

    if (W == NULL)

        return BAD_FUNC_ARG;

#elif defined(WOLFSSL_SMALL_STACK)

    word64* W;

    W = (word64*) XMALLOC(sizeof(word64) * 16, sha512->heap, DYNAMIC_TYPE_TMP_BUFFER);

    if (W == NULL)

        return MEMORY_E;

#else

    word64 W[16];

#endif

    /* Copy digest to working vars */

    XMEMCPY(T, sha512->digest, sizeof(T));

#ifdef USE_SLOW_SHA512

    /* over twice as small, but 50% slower */

    /* 80 operations, not unrolled */

    for (j = 0; j < 80; j += 16) {

        int m;

        for (m = 0; m < 16; m++) { /* braces needed here for macros {} */

            R(m);

        }

    }

#else

    /* 80 operations, partially loop unrolled */

    for (j = 0; j < 80; j += 16) {

        R( 0); R( 1); R( 2); R( 3);

        R( 4); R( 5); R( 6); R( 7);

        R( 8); R( 9); R(10); R(11);

        R(12); R(13); R(14); R(15);

    }

#endif /* USE_SLOW_SHA512 */

    /* Add the working vars back into digest */

    sha512->digest[0] += a(0);

    sha512->digest[1] += b(0);

    sha512->digest[2] += c(0);

    sha512->digest[3] += d(0);

    sha512->digest[4] += e(0);

    sha512->digest[5] += f(0);

    sha512->digest[6] += g(0);

    sha512->digest[7] += h(0);

    /* Wipe variables */

    ForceZero(W, sizeof(word64) * 16);

    ForceZero(T, sizeof(T));

#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)

    XFREE(W, sha512->heap, DYNAMIC_TYPE_TMP_BUFFER);

#endif

    return 0;

}

#endif

static WC_INLINE void AddLength(wc_Sha512* sha512, word32 len)

{

    word64 tmp = sha512->loLen;

    if ( (sha512->loLen += len) < tmp)

        sha512->hiLen++;                       /* carry low to high */

}

static WC_INLINE int Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)

{

    int ret = 0;

    /* do block size increments */

    byte* local = (byte*)sha512->buffer;