/src/wolfssl-sp-math/wolfcrypt/src/sha512.c

Source
/* sha512.c
 *
 * Copyright (C) 2006-2026 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

/*
 * SHA-512/384 Build Options:
 *
 * Core:
 * WOLFSSL_SHA512:           Enable SHA-512 support                default: off
 * WOLFSSL_SHA384:           Enable SHA-384 support                default: off
 * WOLFSSL_NOSHA512_224:     Disable SHA-512/224 variant           default: off
 * WOLFSSL_NOSHA512_256:     Disable SHA-512/256 variant           default: off
 *
 * Performance:
 * USE_SLOW_SHA512:          Disable SHA-512 loop unrolling        default: off
 * USE_SLOW_SHA2:            Disable SHA-2 loop unrolling          default: off
 * WOLFSSL_HASH_FLAGS:       Enable hash flags for state tracking  default: off
 * WOLFSSL_HASH_KEEP:        Keep hash input data for reuse        default: off
 * WOLFSSL_SMALL_STACK_CACHE: Cache hash state on small stack      default: off
 * WC_NO_INTERNAL_FUNCTION_POINTERS: Disable internal func ptrs   default: off
 *
 * Hardware Acceleration (SHA-512-specific):
 * WC_ASYNC_ENABLE_SHA512:   Enable async SHA-512 operations       default: off
 * WC_ASYNC_ENABLE_SHA384:   Enable async SHA-384 operations       default: off
 * WOLFSSL_KCAPI_HASH:       Linux kernel crypto API for hashing  default: off
 * WOLFSSL_SE050_HASH:       SE050 hardware hashing               default: off
 * WOLFSSL_SILABS_SHA384:    Silicon Labs SHA-384 acceleration    default: off
 * WOLFSSL_SILABS_SHA512:    Silicon Labs SHA-512 acceleration    default: off
 * NO_IMX6_CAAM_HASH:        Disable i.MX6 CAAM hash             default: off
 * NO_WOLFSSL_ESP32_CRYPT_HASH: Disable ESP32 hash acceleration   default: off
 * WOLFSSL_ARMASM_CRYPTO_SHA512: ARM crypto SHA-512 instructions  default: off
 * STM32_HASH_SHA384:        STM32 hardware SHA-384               default: off
 * STM32_HASH_SHA512:        STM32 hardware SHA-512               default: off
 * WOLFSSL_SHA512_HASHTYPE:  SHA-512 hash type for hw dispatch    default: off
 * MAX3266X_SHA:             MAX3266X hardware SHA                 default: off
 * PSOC6_HASH_SHA2:          PSoC6 hardware SHA-2                 default: off
 * WOLFSSL_RENESAS_RSIP:     Renesas RSIP SHA acceleration        default: off
 */

#include <wolfssl/wolfcrypt/libwolfssl_sources.h>

#if (defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)) && \
    !defined(WOLFSSL_RISCV_ASM)

/* determine if we are using Espressif SHA hardware acceleration */
#undef WOLFSSL_USE_ESP32_CRYPT_HASH_HW
#if defined(WOLFSSL_ESP32_CRYPT) && !defined(NO_WOLFSSL_ESP32_CRYPT_HASH)
    #include "sdkconfig.h"
    /* Define a single keyword for simplicity & readability.
     *
     * By default the HW acceleration is on for ESP32 Chipsets,
     * but individual components can be turned off. See user_settings.h
     */
    #define TAG "wc_sha_512"
    #define WOLFSSL_USE_ESP32_CRYPT_HASH_HW
#else
    #undef WOLFSSL_USE_ESP32_CRYPT_HASH_HW
#endif

#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
    #define FIPS_NO_WRAPPERS

    #ifdef USE_WINDOWS_API
        #pragma code_seg(".fipsA$m")
        #pragma const_seg(".fipsB$m")
    #endif
#endif

#include <wolfssl/wolfcrypt/sha512.h>
#include <wolfssl/wolfcrypt/cpuid.h>
#include <wolfssl/wolfcrypt/hash.h>

#ifdef WOLF_CRYPTO_CB
    #include <wolfssl/wolfcrypt/cryptocb.h>
#endif

#ifdef WOLFSSL_IMXRT1170_CAAM
    #include <wolfssl/wolfcrypt/port/caam/wolfcaam_fsl_nxp.h>
#endif

/* deprecated USE_SLOW_SHA2 (replaced with USE_SLOW_SHA512) */
#if defined(USE_SLOW_SHA2) && !defined(USE_SLOW_SHA512)
    #define USE_SLOW_SHA512
#endif

#ifdef NO_INLINE
    #include <wolfssl/wolfcrypt/misc.h>
#else
    #define WOLFSSL_MISC_INCLUDED
    #include <wolfcrypt/src/misc.c>
#endif

#if FIPS_VERSION3_GE(6,0,0)
    const unsigned int wolfCrypt_FIPS_sha512_ro_sanity[2] =
                                                     { 0x1a2b3c4d, 0x00000015 };
    int wolfCrypt_FIPS_SHA512_sanity(void)
    {
        return 0;
    }
#endif


#if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)
    #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#endif

#if defined(MAX3266X_SHA)
    /* Already brought in by sha512.h */
    /* #include <wolfssl/wolfcrypt/port/maxim/max3266x.h> */
#endif

#if defined(WOLFSSL_PSOC6_CRYPTO)
    #include <wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h>
#endif

#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP)
    #if defined(__GNUC__) && ((__GNUC__ < 4) || \
                              (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))
        #undef  NO_AVX2_SUPPORT
        #define NO_AVX2_SUPPORT
    #endif
    #if defined(__clang__) && ((__clang_major__ < 3) || \
                               (__clang_major__ == 3 && __clang_minor__ <= 5))
        #define NO_AVX2_SUPPORT
    #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)
        #undef NO_AVX2_SUPPORT
    #endif

    #define HAVE_INTEL_AVX1
    #ifndef NO_AVX2_SUPPORT
        #define HAVE_INTEL_AVX2
    #endif
#endif

#if defined(HAVE_INTEL_AVX1)
    /* #define DEBUG_XMM  */
#endif

#if defined(HAVE_INTEL_AVX2)
    #define HAVE_INTEL_RORX
    /* #define DEBUG_YMM  */
#endif

#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH) && \
    !defined(WOLFSSL_QNX_CAAM)
    /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */

#elif defined(WOLFSSL_SILABS_SHA512)
    /* functions defined in wolfcrypt/src/port/silabs/silabs_hash.c */

#elif defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */

#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#elif defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */

#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)
    int wc_InitSha512(wc_Sha512* sha512)
    {
        if (sha512 == NULL)
            return BAD_FUNC_ARG;
        return se050_hash_init(&sha512->se050Ctx, NULL);
    }
    int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)
    {
        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
        (void)devId;
        return se050_hash_init(&sha512->se050Ctx, heap);
    }
    int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
    {
        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
        if (data == NULL && len == 0) {
            /* valid, but do nothing */
            return 0;
        }
        if (data == NULL) {
            return BAD_FUNC_ARG;
        }

        return se050_hash_update(&sha512->se050Ctx, data, len);
    }
    int wc_Sha512Final(wc_Sha512* sha512, byte* hash)
    {
        int ret = 0;
        int devId = INVALID_DEVID;
        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
    #ifdef WOLF_CRYPTO_CB
        devId = sha512->devId;
    #endif
        ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
                               kAlgorithm_SSS_SHA512);
        return ret;
    }
    int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)
    {
        int ret = 0;
        int devId = INVALID_DEVID;
        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
    #ifdef WOLF_CRYPTO_CB
        devId = sha512->devId;
    #endif
        ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
                               kAlgorithm_SSS_SHA512);
        return ret;
    }
    void wc_Sha512Free(wc_Sha512* sha512)
    {
        se050_hash_free(&sha512->se050Ctx);
    }
#elif defined(STM32_HASH_SHA512)

    /* Supports CubeMX HAL or Standard Peripheral Library */

    int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)
    {
        if (sha512 == NULL)
            return BAD_FUNC_ARG;

        (void)devId;
        (void)heap;

        XMEMSET(sha512, 0, sizeof(wc_Sha512));
        wc_Stm32_Hash_Init(&sha512->stmCtx);
        return 0;
    }

    int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
    {
        int ret = 0;

        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
        if (data == NULL && len == 0) {
            /* valid, but do nothing */
            return 0;
        }
        if (data == NULL) {
            return BAD_FUNC_ARG;
        }

        ret = wolfSSL_CryptHwMutexLock();
        if (ret == 0) {
            ret = wc_Stm32_Hash_Update(&sha512->stmCtx,
                HASH_ALGOSELECTION_SHA512, data, len, WC_SHA512_BLOCK_SIZE);
            wolfSSL_CryptHwMutexUnLock();
        }
        return ret;
    }

    int wc_Sha512Final(wc_Sha512* sha512, byte* hash)
    {
        int ret = 0;

        if (sha512 == NULL || hash == NULL) {
            return BAD_FUNC_ARG;
        }

        ret = wolfSSL_CryptHwMutexLock();
        if (ret == 0) {
            ret = wc_Stm32_Hash_Final(&sha512->stmCtx,
                HASH_ALGOSELECTION_SHA512, hash, WC_SHA512_DIGEST_SIZE);
            wolfSSL_CryptHwMutexUnLock();
        }

        (void)wc_InitSha512(sha512); /* reset state */

        return ret;
    }
#elif defined(PSOC6_HASH_SHA2)
    /* Functions defined in wolfcrypt/src/port/cypress/psoc6_crypto.c */

#else

#ifdef WOLFSSL_SHA512

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \
    defined(WOLFSSL_ARMASM)
#ifdef WC_C_DYNAMIC_FALLBACK
    #define SHA512_SETTRANSFORM_ARGS int *sha_method
#else
    #define SHA512_SETTRANSFORM_ARGS void
#endif
static void Sha512_SetTransform(SHA512_SETTRANSFORM_ARGS);
#endif

static int InitSha512(wc_Sha512* sha512)
{
    if (sha512 == NULL)
        return BAD_FUNC_ARG;

    sha512->digest[0] = W64LIT(0x6a09e667f3bcc908);
    sha512->digest[1] = W64LIT(0xbb67ae8584caa73b);
    sha512->digest[2] = W64LIT(0x3c6ef372fe94f82b);
    sha512->digest[3] = W64LIT(0xa54ff53a5f1d36f1);
    sha512->digest[4] = W64LIT(0x510e527fade682d1);
    sha512->digest[5] = W64LIT(0x9b05688c2b3e6c1f);
    sha512->digest[6] = W64LIT(0x1f83d9abfb41bd6b);
    sha512->digest[7] = W64LIT(0x5be0cd19137e2179);

    sha512->buffLen = 0;
    sha512->loLen   = 0;
    sha512->hiLen   = 0;

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \
    defined(WOLFSSL_ARMASM)
#ifdef WC_C_DYNAMIC_FALLBACK
    sha512->sha_method = 0;
    Sha512_SetTransform(&sha512->sha_method);
#else
    Sha512_SetTransform();
#endif
#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)

    /* HW needs to be carefully initialized, taking into account soft copy.
    ** If already in use; copy may revert to SW as needed. */
    esp_sha_init(&(sha512->ctx), WC_HASH_TYPE_SHA512);
#endif

#ifdef WOLFSSL_HASH_FLAGS
    sha512->flags = 0;
#endif
#if defined(WOLFSSL_SHA512_HASHTYPE)
    sha512->hashType = WC_HASH_TYPE_SHA512;
#endif /* WOLFSSL_SHA512_HASHTYPE */
    return 0;
}

#if !defined(WOLFSSL_NOSHA512_224) && \
   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)

/**
 * Initialize given wc_Sha512 structure with value specific to sha512/224.
 * Note that sha512/224 has different initial hash value from sha512.
 * The initial hash value consists of eight 64bit words. They are given
 * in FIPS180-4.
 */
static int InitSha512_224(wc_Sha512* sha512)
{
    if (sha512 == NULL)
        return BAD_FUNC_ARG;

    sha512->digest[0] = W64LIT(0x8c3d37c819544da2);
    sha512->digest[1] = W64LIT(0x73e1996689dcd4d6);
    sha512->digest[2] = W64LIT(0x1dfab7ae32ff9c82);
    sha512->digest[3] = W64LIT(0x679dd514582f9fcf);
    sha512->digest[4] = W64LIT(0x0f6d2b697bd44da8);
    sha512->digest[5] = W64LIT(0x77e36f7304c48942);
    sha512->digest[6] = W64LIT(0x3f9d85a86a1d36c8);
    sha512->digest[7] = W64LIT(0x1112e6ad91d692a1);

    sha512->buffLen = 0;
    sha512->loLen   = 0;
    sha512->hiLen   = 0;

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \
    defined(WOLFSSL_ARMASM)
#ifdef WC_C_DYNAMIC_FALLBACK
    sha512->sha_method = 0;
    Sha512_SetTransform(&sha512->sha_method);
#else
    Sha512_SetTransform();
#endif
#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    /* HW needs to be carefully initialized, taking into account soft copy.
    ** If already in use; copy may revert to SW as needed.
    **
    ** Note for original ESP32, there's no HW for SHA512/224
    */
    esp_sha_init(&(sha512->ctx), WC_HASH_TYPE_SHA512_224);
#endif

#ifdef WOLFSSL_HASH_FLAGS
    sha512->flags = 0;
#endif
#if defined(WOLFSSL_SHA512_HASHTYPE)
    sha512->hashType = WC_HASH_TYPE_SHA512_224;
#endif /* WOLFSSL_SHA512_HASHTYPE */
    return 0;
}
#endif /* !WOLFSSL_NOSHA512_224 && !FIPS ... */

#if !defined(WOLFSSL_NOSHA512_256) && \
   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
/**
 * Initialize given wc_Sha512 structure with value specific to sha512/256.
 * Note that sha512/256 has different initial hash value from sha512.
 * The initial hash value consists of eight 64bit words. They are given
 * in FIPS180-4.
 */
static int InitSha512_256(wc_Sha512* sha512)
{
    if (sha512 == NULL)
        return BAD_FUNC_ARG;

    sha512->digest[0] = W64LIT(0x22312194fc2bf72c);
    sha512->digest[1] = W64LIT(0x9f555fa3c84c64c2);
    sha512->digest[2] = W64LIT(0x2393b86b6f53b151);
    sha512->digest[3] = W64LIT(0x963877195940eabd);
    sha512->digest[4] = W64LIT(0x96283ee2a88effe3);
    sha512->digest[5] = W64LIT(0xbe5e1e2553863992);
    sha512->digest[6] = W64LIT(0x2b0199fc2c85b8aa);
    sha512->digest[7] = W64LIT(0x0eb72ddc81c52ca2);

    sha512->buffLen = 0;
    sha512->loLen   = 0;
    sha512->hiLen   = 0;

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \
    defined(WOLFSSL_ARMASM)
#ifdef WC_C_DYNAMIC_FALLBACK
    sha512->sha_method = 0;
    Sha512_SetTransform(&sha512->sha_method);
#else
    Sha512_SetTransform();
#endif
#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    /* HW needs to be carefully initialized, taking into account soft copy.
    ** If already in use; copy may revert to SW as needed.
    **
    ** Note for original ESP32, there's no HW for SHA512/2256.
    */
    esp_sha_init(&(sha512->ctx), WC_HASH_TYPE_SHA512_256);
#endif

#ifdef WOLFSSL_HASH_FLAGS
    sha512->flags = 0;
#endif
#if defined(WOLFSSL_SHA512_HASHTYPE)
    sha512->hashType = WC_HASH_TYPE_SHA512_256;
#endif /* WOLFSSL_SHA512_HASHTYPE */
    return 0;
}
#endif /* !WOLFSSL_NOSHA512_256 && !FIPS... */

#endif /* WOLFSSL_SHA512 */

/* Hardware Acceleration */
#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
    (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))

    /*****
    Intel AVX1/AVX2 Macro Control Structure

    #if defined(HAVE_INTEL_SPEEDUP)
        #define HAVE_INTEL_AVX1
        #define HAVE_INTEL_AVX2
    #endif

    int InitSha512(wc_Sha512* sha512) {
         Save/Recover XMM, YMM
         ...

         Check Intel AVX cpuid flags
    }

    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
      Transform_Sha512_AVX1(); # Function prototype
      Transform_Sha512_AVX2(); #
    #endif

      _Transform_Sha512() {     # Native Transform Function body

      }

      int Sha512Update() {
         Save/Recover XMM, YMM
         ...
      }

      int Sha512Final() {
         Save/Recover XMM, YMM
         ...
      }


    #if defined(HAVE_INTEL_AVX1)

       XMM Instructions/INLINE asm Definitions

    #endif

    #if defined(HAVE_INTEL_AVX2)

       YMM Instructions/INLINE asm Definitions

    #endif

    #if defined(HAVE_INTEL_AVX1)

      int Transform_Sha512_AVX1() {
          Stitched Message Sched/Round
      }

    #endif

    #if defined(HAVE_INTEL_AVX2)

      int Transform_Sha512_AVX2() {
          Stitched Message Sched/Round
      }
    #endif

    */


    /* Each platform needs to query info type 1 from cpuid to see if aesni is
     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
     */

#ifdef __cplusplus
    extern "C" {
#endif

    #if defined(HAVE_INTEL_AVX1)
        extern int Transform_Sha512_AVX1(wc_Sha512 *sha512);
        extern int Transform_Sha512_AVX1_Len(wc_Sha512 *sha512, word32 len);
    #endif
    #if defined(HAVE_INTEL_AVX2)
        extern int Transform_Sha512_AVX2(wc_Sha512 *sha512);
        extern int Transform_Sha512_AVX2_Len(wc_Sha512 *sha512, word32 len);
        #if defined(HAVE_INTEL_RORX)
            extern int Transform_Sha512_AVX1_RORX(wc_Sha512 *sha512);
            extern int Transform_Sha512_AVX1_RORX_Len(wc_Sha512 *sha512,
                                                      word32 len);
            extern int Transform_Sha512_AVX2_RORX(wc_Sha512 *sha512);
            extern int Transform_Sha512_AVX2_RORX_Len(wc_Sha512 *sha512,
                                                      word32 len);
        #endif
    #endif

#ifdef __cplusplus
    }  /* extern "C" */
#endif

    static cpuid_flags_t intel_flags = WC_CPUID_INITIALIZER;

#if defined(WC_C_DYNAMIC_FALLBACK) && !defined(WC_NO_INTERNAL_FUNCTION_POINTERS)
    #define WC_NO_INTERNAL_FUNCTION_POINTERS
#endif

    static int _Transform_Sha512(wc_Sha512 *sha512);

#ifdef WC_NO_INTERNAL_FUNCTION_POINTERS

    enum sha_methods { SHA512_UNSET = 0, SHA512_AVX1, SHA512_AVX2,
                       SHA512_AVX1_RORX, SHA512_AVX2_RORX, SHA512_C };

#ifndef WC_C_DYNAMIC_FALLBACK
    /* note that all write access to this static variable must be idempotent,
     * as arranged by Sha512_SetTransform(), else it will be susceptible to
     * data races.
     */
    static enum sha_methods sha_method = SHA512_UNSET;
#endif

    static void Sha512_SetTransform(SHA512_SETTRANSFORM_ARGS)
    {
    #ifdef WC_C_DYNAMIC_FALLBACK
        #define SHA_METHOD (*sha_method)
    #else
        #define SHA_METHOD sha_method
    #endif
        if (SHA_METHOD != SHA512_UNSET)
            return;

    #ifdef WC_C_DYNAMIC_FALLBACK
        if (! CAN_SAVE_VECTOR_REGISTERS()) {
            SHA_METHOD = SHA512_C;
            return;
        }
    #endif

        cpuid_get_flags_ex(&intel_flags);

    #if defined(HAVE_INTEL_AVX2)
        if (IS_INTEL_AVX2(intel_flags)) {
        #ifdef HAVE_INTEL_RORX
            if (IS_INTEL_BMI2(intel_flags)) {
                SHA_METHOD = SHA512_AVX2_RORX;
            }
            else
        #endif
            {
                SHA_METHOD = SHA512_AVX2;
            }
        }
        else
    #endif
    #if defined(HAVE_INTEL_AVX1)
        if (IS_INTEL_AVX1(intel_flags)) {
        #ifdef HAVE_INTEL_RORX
            if (IS_INTEL_BMI2(intel_flags)) {
                SHA_METHOD = SHA512_AVX1_RORX;
            }
            else
        #endif
            {
                SHA_METHOD = SHA512_AVX1;
            }
        }
        else
    #endif
        {
            SHA_METHOD = SHA512_C;
        }
    #undef SHA_METHOD
    }

    static WC_INLINE int Transform_Sha512(wc_Sha512 *sha512) {
    #ifdef WC_C_DYNAMIC_FALLBACK
        #define SHA_METHOD (sha512->sha_method)
    #else
        #define SHA_METHOD sha_method
    #endif
        int ret;
        if (SHA_METHOD == SHA512_C)
            return _Transform_Sha512(sha512);
        SAVE_VECTOR_REGISTERS(return _svr_ret;);
        switch (SHA_METHOD) {
        case SHA512_AVX2:
            ret = Transform_Sha512_AVX2(sha512);
            break;
        case SHA512_AVX2_RORX:
            ret = Transform_Sha512_AVX2_RORX(sha512);
            break;
        case SHA512_AVX1:
            ret = Transform_Sha512_AVX1(sha512);
            break;
        case SHA512_AVX1_RORX:
            ret = Transform_Sha512_AVX1_RORX(sha512);
            break;
        case SHA512_C:
        case SHA512_UNSET:
        default:
            ret = _Transform_Sha512(sha512);
            break;
        }
        RESTORE_VECTOR_REGISTERS();
        return ret;
    #undef SHA_METHOD
    }

    static WC_INLINE int Transform_Sha512_Len(wc_Sha512 *sha512, word32 len) {
    #ifdef WC_C_DYNAMIC_FALLBACK
        #define SHA_METHOD (sha512->sha_method)
    #else
        #define SHA_METHOD sha_method
    #endif
        int ret;
        SAVE_VECTOR_REGISTERS(return _svr_ret;);
        switch (SHA_METHOD) {
        case SHA512_AVX2:
            ret = Transform_Sha512_AVX2_Len(sha512, len);
            break;
        case SHA512_AVX2_RORX:
            ret = Transform_Sha512_AVX2_RORX_Len(sha512, len);
            break;
        case SHA512_AVX1:
            ret = Transform_Sha512_AVX1_Len(sha512, len);
            break;
        case SHA512_AVX1_RORX:
            ret = Transform_Sha512_AVX1_RORX_Len(sha512, len);
            break;
        case SHA512_C:
        case SHA512_UNSET:
        default:
            ret = 0;
            break;
        }
        RESTORE_VECTOR_REGISTERS();
        return ret;
    #undef SHA_METHOD
    }

#else /* !WC_NO_INTERNAL_FUNCTION_POINTERS */

    static int (*Transform_Sha512_p)(wc_Sha512* sha512) = _Transform_Sha512;
    static int (*Transform_Sha512_Len_p)(wc_Sha512* sha512, word32 len) = NULL;
    static int transform_check = 0;
    static int Transform_Sha512_is_vectorized = 0;

    static WC_INLINE int Transform_Sha512(wc_Sha512 *sha512) {
        int ret;
    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS
        if (Transform_Sha512_is_vectorized)
            SAVE_VECTOR_REGISTERS(return _svr_ret;);
    #endif
        ret = (*Transform_Sha512_p)(sha512);
    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS
        if (Transform_Sha512_is_vectorized)
            RESTORE_VECTOR_REGISTERS();
    #endif
        return ret;
    }
    static WC_INLINE int Transform_Sha512_Len(wc_Sha512 *sha512, word32 len) {
        int ret;
    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS
        if (Transform_Sha512_is_vectorized)
            SAVE_VECTOR_REGISTERS(return _svr_ret;);
    #endif
        ret = (*Transform_Sha512_Len_p)(sha512, len);
    #ifdef WOLFSSL_USE_SAVE_VECTOR_REGISTERS
        if (Transform_Sha512_is_vectorized)
            RESTORE_VECTOR_REGISTERS();
    #endif
        return ret;
    }

    static void Sha512_SetTransform(void)
    {
        if (transform_check)
            return;

        cpuid_get_flags_ex(&intel_flags);

    #if defined(HAVE_INTEL_AVX2)
        if (IS_INTEL_AVX2(intel_flags)) {
        #ifdef HAVE_INTEL_RORX
            if (IS_INTEL_BMI2(intel_flags)) {
                Transform_Sha512_p = Transform_Sha512_AVX2_RORX;
                Transform_Sha512_Len_p = Transform_Sha512_AVX2_RORX_Len;
                Transform_Sha512_is_vectorized = 1;
            }
            else
        #endif
            {
                Transform_Sha512_p = Transform_Sha512_AVX2;
                Transform_Sha512_Len_p = Transform_Sha512_AVX2_Len;
                Transform_Sha512_is_vectorized = 1;
            }
        }
        else
    #endif
    #if defined(HAVE_INTEL_AVX1)
        if (IS_INTEL_AVX1(intel_flags)) {
        #ifdef HAVE_INTEL_RORX
            if (IS_INTEL_BMI2(intel_flags)) {
                Transform_Sha512_p = Transform_Sha512_AVX1_RORX;
                Transform_Sha512_Len_p = Transform_Sha512_AVX1_RORX_Len;
                Transform_Sha512_is_vectorized = 1;
            }
            else
        #endif
            {
                Transform_Sha512_p = Transform_Sha512_AVX1;
                Transform_Sha512_Len_p = Transform_Sha512_AVX1_Len;
                Transform_Sha512_is_vectorized = 1;
            }
        }
        else
    #endif
        {
            Transform_Sha512_p = _Transform_Sha512;
            Transform_Sha512_Len_p = NULL;
            Transform_Sha512_is_vectorized = 0;
        }

        transform_check = 1;
    }

#endif /* !WC_NO_INTERNAL_FUNCTION_POINTERS */

#elif defined(WOLFSSL_ARMASM)

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_NO_NEON)
#error "No SHA-512 implementation."
#endif

static int transform_check = 0;
#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)
static word32 cpuid_flags = 0;
static int cpuid_flags_set = 0;
#endif

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)
static void Transform_Sha512_crypto(wc_Sha512* sha512, const byte* data)
{
    Transform_Sha512_Len_crypto(sha512, data, WC_SHA512_BLOCK_SIZE);
}
#endif
#if !defined(WOLFSSL_ARMASM_THUMB2) && !defined(WOLFSSL_ARMASM_NO_NEON)
static void Transform_Sha512_neon(wc_Sha512* sha512, const byte* data)
{
    Transform_Sha512_Len_neon(sha512, data, WC_SHA512_BLOCK_SIZE);
}
#endif
#if defined(WOLFSSL_ARMASM_THUMB2) || defined(WOLFSSL_ARMASM_NO_NEON)
static void Transform_Sha512_base(wc_Sha512* sha512, const byte* data)
{
    Transform_Sha512_Len_base(sha512, data, WC_SHA512_BLOCK_SIZE);
}
#endif

static void (*Transform_Sha512_p)(wc_Sha512* sha512, const byte* data) = NULL;
static void (*Transform_Sha512_Len_p)(wc_Sha512* sha512, const byte* data,
    word32 len) = NULL;

static WC_INLINE int Transform_Sha512(wc_Sha512 *sha512, const byte* data)
{
    (*Transform_Sha512_p)(sha512, data);
    return 0;
}
static WC_INLINE int Transform_Sha512_Len(wc_Sha512 *sha512, const byte* data,
    word32 len)
{
    (*Transform_Sha512_Len_p)(sha512, data, len);
    return 0;
}

static void Sha512_SetTransform(void)
{
    if (transform_check)
        return;

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)
    if (!cpuid_flags_set) {
        cpuid_flags = cpuid_get_flags();
        cpuid_flags_set = 1;
    }
#endif

#if defined(__aarch64__) && defined(WOLFSSL_ARMASM_CRYPTO_SHA512)
    if (IS_AARCH64_SHA512(cpuid_flags)) {
        Transform_Sha512_p = Transform_Sha512_crypto;
        Transform_Sha512_Len_p = Transform_Sha512_Len_crypto;
    }
    else
#endif
#if !defined(WOLFSSL_ARMASM_THUMB2) && !defined(WOLFSSL_ARMASM_NO_NEON)
    {
        Transform_Sha512_p = Transform_Sha512_neon;
        Transform_Sha512_Len_p = Transform_Sha512_Len_neon;
    }
#else
    {
        Transform_Sha512_p = Transform_Sha512_base;
        Transform_Sha512_Len_p = Transform_Sha512_Len_base;
    }
#endif

    transform_check = 1;
}

#else
    #define Transform_Sha512(sha512) _Transform_Sha512(sha512)

#endif

#ifdef WOLFSSL_SHA512

static int InitSha512_Family(wc_Sha512* sha512, void* heap, int devId,
                             int (*initfp)(wc_Sha512*))
{
    int ret = 0;

    if (sha512 == NULL) {
        return BAD_FUNC_ARG;
    }

    XMEMSET(sha512, 0, sizeof(*sha512));

    sha512->heap = heap;
#ifdef WOLFSSL_SMALL_STACK_CACHE
    /* This allocation combines the customary W buffer used by
     * _Transform_Sha512() with additional buffer space used by
     * wc_Sha512Transform().
     */
    sha512->W = (word64 *)XMALLOC((sizeof(word64) * 16) + WC_SHA512_BLOCK_SIZE,
                                  sha512->heap, DYNAMIC_TYPE_DIGEST);
    if (sha512->W == NULL)
        return MEMORY_E;
#endif
#ifdef WOLF_CRYPTO_CB
    sha512->devId = devId;
    sha512->devCtx = NULL;
#endif

#ifdef WOLFSSL_HASH_KEEP
    sha512->msg  = NULL;
    sha512->len  = 0;
    sha512->used = 0;
#endif

    /* call the initialization function pointed to by initfp */
    ret = initfp(sha512);

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
    if (ret == 0) {
        ret = wolfAsync_DevCtxInit(&sha512->asyncDev,
                        WOLFSSL_ASYNC_MARKER_SHA512, sha512->heap, devId);
    }
#else
    (void)devId;
#endif /* WOLFSSL_ASYNC_CRYPT */
#ifdef WOLFSSL_IMXRT1170_CAAM
    if (ret == 0)
        ret = wc_CAAM_HashInit(&sha512->hndl, &sha512->ctx, WC_HASH_TYPE_SHA512);
#endif

#ifdef WOLFSSL_SMALL_STACK_CACHE
    if (ret != 0) {
        XFREE(sha512->W, sha512->heap, DYNAMIC_TYPE_DIGEST);
        sha512->W = NULL;
    }
#endif

    return ret;
} /* InitSha512_Family */

int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)
{
#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    if (sha512->ctx.mode != ESP32_SHA_INIT) {
        ESP_LOGV(TAG, "Set ctx mode from prior value: "
                      "%d", sha512->ctx.mode);
    }
    /* We know this is a fresh, uninitialized item, so set to INIT */
    sha512->ctx.mode = ESP32_SHA_INIT;
#endif


    return InitSha512_Family(sha512, heap, devId, InitSha512);
}

#if !defined(WOLFSSL_NOSHA512_224) && \
   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
int wc_InitSha512_224_ex(wc_Sha512* sha512, void* heap, int devId)
{
#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    /* No SHA512/224 HW support is available, set to SW. */
    sha512->ctx.mode = ESP32_SHA_SW; /* no SHA224 HW, so always SW */
#endif
    return InitSha512_Family(sha512, heap, devId, InitSha512_224);
}
#endif /* !WOLFSSL_NOSHA512_224 ... */

#if !defined(WOLFSSL_NOSHA512_256) && \
   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
int wc_InitSha512_256_ex(wc_Sha512* sha512, void* heap, int devId)
{
#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    /* No SHA512/256 HW support is available on ESP32, set to SW. */
    sha512->ctx.mode = ESP32_SHA_SW;
#endif
    return InitSha512_Family(sha512, heap, devId, InitSha512_256);
}
#endif /* !WOLFSSL_NOSHA512_256 ... */

#endif /* WOLFSSL_SHA512 */

#ifndef WOLFSSL_ARMASM

static const word64 K512[80] = {
    W64LIT(0x428a2f98d728ae22), W64LIT(0x7137449123ef65cd),
    W64LIT(0xb5c0fbcfec4d3b2f), W64LIT(0xe9b5dba58189dbbc),
    W64LIT(0x3956c25bf348b538), W64LIT(0x59f111f1b605d019),
    W64LIT(0x923f82a4af194f9b), W64LIT(0xab1c5ed5da6d8118),
    W64LIT(0xd807aa98a3030242), W64LIT(0x12835b0145706fbe),
    W64LIT(0x243185be4ee4b28c), W64LIT(0x550c7dc3d5ffb4e2),
    W64LIT(0x72be5d74f27b896f), W64LIT(0x80deb1fe3b1696b1),
    W64LIT(0x9bdc06a725c71235), W64LIT(0xc19bf174cf692694),
    W64LIT(0xe49b69c19ef14ad2), W64LIT(0xefbe4786384f25e3),
    W64LIT(0x0fc19dc68b8cd5b5), W64LIT(0x240ca1cc77ac9c65),
    W64LIT(0x2de92c6f592b0275), W64LIT(0x4a7484aa6ea6e483),
    W64LIT(0x5cb0a9dcbd41fbd4), W64LIT(0x76f988da831153b5),
    W64LIT(0x983e5152ee66dfab), W64LIT(0xa831c66d2db43210),
    W64LIT(0xb00327c898fb213f), W64LIT(0xbf597fc7beef0ee4),
    W64LIT(0xc6e00bf33da88fc2), W64LIT(0xd5a79147930aa725),
    W64LIT(0x06ca6351e003826f), W64LIT(0x142929670a0e6e70),
    W64LIT(0x27b70a8546d22ffc), W64LIT(0x2e1b21385c26c926),
    W64LIT(0x4d2c6dfc5ac42aed), W64LIT(0x53380d139d95b3df),
    W64LIT(0x650a73548baf63de), W64LIT(0x766a0abb3c77b2a8),
    W64LIT(0x81c2c92e47edaee6), W64LIT(0x92722c851482353b),
    W64LIT(0xa2bfe8a14cf10364), W64LIT(0xa81a664bbc423001),
    W64LIT(0xc24b8b70d0f89791), W64LIT(0xc76c51a30654be30),
    W64LIT(0xd192e819d6ef5218), W64LIT(0xd69906245565a910),
    W64LIT(0xf40e35855771202a), W64LIT(0x106aa07032bbd1b8),
    W64LIT(0x19a4c116b8d2d0c8), W64LIT(0x1e376c085141ab53),
    W64LIT(0x2748774cdf8eeb99), W64LIT(0x34b0bcb5e19b48a8),
    W64LIT(0x391c0cb3c5c95a63), W64LIT(0x4ed8aa4ae3418acb),
    W64LIT(0x5b9cca4f7763e373), W64LIT(0x682e6ff3d6b2b8a3),
    W64LIT(0x748f82ee5defb2fc), W64LIT(0x78a5636f43172f60),
    W64LIT(0x84c87814a1f0ab72), W64LIT(0x8cc702081a6439ec),
    W64LIT(0x90befffa23631e28), W64LIT(0xa4506cebde82bde9),
    W64LIT(0xbef9a3f7b2c67915), W64LIT(0xc67178f2e372532b),
    W64LIT(0xca273eceea26619c), W64LIT(0xd186b8c721c0c207),
    W64LIT(0xeada7dd6cde0eb1e), W64LIT(0xf57d4f7fee6ed178),
    W64LIT(0x06f067aa72176fba), W64LIT(0x0a637dc5a2c898a6),
    W64LIT(0x113f9804bef90dae), W64LIT(0x1b710b35131c471b),
    W64LIT(0x28db77f523047d84), W64LIT(0x32caab7b40c72493),
    W64LIT(0x3c9ebe0a15c9bebc), W64LIT(0x431d67c49c100d4c),
    W64LIT(0x4cc5d4becb3e42b6), W64LIT(0x597f299cfc657e2a),
    W64LIT(0x5fcb6fab3ad6faec), W64LIT(0x6c44198c4a475817)
};

#define blk0(i) (W[i] = sha512->buffer[i])

#define blk2(i) (\
               W[ (i)     & 15] += \
            s1(W[((i)-2)  & 15])+ \
               W[((i)-7)  & 15] + \
            s0(W[((i)-15) & 15])  \
        )

#define Ch(x,y,z)  ((z) ^ ((x) & ((y) ^ (z))))
#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))

#define a(i) T[(0-(i)) & 7]
#define b(i) T[(1-(i)) & 7]
#define c(i) T[(2-(i)) & 7]
#define d(i) T[(3-(i)) & 7]
#define e(i) T[(4-(i)) & 7]
#define f(i) T[(5-(i)) & 7]
#define g(i) T[(6-(i)) & 7]
#define h(i) T[(7-(i)) & 7]

#define S0(x) (rotrFixed64(x,28) ^ rotrFixed64(x,34) ^ rotrFixed64(x,39))
#define S1(x) (rotrFixed64(x,14) ^ rotrFixed64(x,18) ^ rotrFixed64(x,41))
#define s0(x) (rotrFixed64(x,1)  ^ rotrFixed64(x,8)  ^ ((x)>>7))
#define s1(x) (rotrFixed64(x,19) ^ rotrFixed64(x,61) ^ ((x)>>6))

#define R(i) \
    h(i) += S1(e(i)) + Ch(e(i),f(i),g(i)) + K[(i)+j] + (j ? blk2(i) : blk0(i)); \
    d(i) += h(i); \
    h(i) += S0(a(i)) + Maj(a(i),b(i),c(i))

static int _Transform_Sha512(wc_Sha512* sha512)
{
    const word64* K = K512;
    word32 j;
    word64 T[8];

#if defined(WOLFSSL_SMALL_STACK_CACHE)
    word64* W = sha512->W;
    if (W == NULL)
        return BAD_FUNC_ARG;
#elif defined(WOLFSSL_SMALL_STACK)
    word64* W;
    W = (word64*) XMALLOC(sizeof(word64) * 16, sha512->heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (W == NULL)
        return MEMORY_E;
#else
    word64 W[16];
#endif

    /* Copy digest to working vars */
    XMEMCPY(T, sha512->digest, sizeof(T));

#ifdef USE_SLOW_SHA512
    /* over twice as small, but 50% slower */
    /* 80 operations, not unrolled */
    for (j = 0; j < 80; j += 16) {
        int m;
        for (m = 0; m < 16; m++) { /* braces needed here for macros {} */
            R(m);
        }
    }
#else
    /* 80 operations, partially loop unrolled */
    for (j = 0; j < 80; j += 16) {
        R( 0); R( 1); R( 2); R( 3);
        R( 4); R( 5); R( 6); R( 7);
        R( 8); R( 9); R(10); R(11);
        R(12); R(13); R(14); R(15);
    }
#endif /* USE_SLOW_SHA512 */

    /* Add the working vars back into digest */
    sha512->digest[0] += a(0);
    sha512->digest[1] += b(0);
    sha512->digest[2] += c(0);
    sha512->digest[3] += d(0);
    sha512->digest[4] += e(0);
    sha512->digest[5] += f(0);
    sha512->digest[6] += g(0);
    sha512->digest[7] += h(0);

    /* Wipe variables */
    ForceZero(W, sizeof(word64) * 16);
    ForceZero(T, sizeof(T));

#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
    XFREE(W, sha512->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return 0;
}
#endif


static WC_INLINE void AddLength(wc_Sha512* sha512, word32 len)
{
    word64 tmp = sha512->loLen;
    if ( (sha512->loLen += len) < tmp)
        sha512->hiLen++;                       /* carry low to high */
}

static WC_INLINE int Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
{
    int ret = 0;
    /* do block size increments */
    byte* local = (byte*)sha512->buffer;

    /* check that internal buffLen is valid */
    if (sha512->buffLen >= WC_SHA512_BLOCK_SIZE)
        return BUFFER_E;

    if (len == 0)
        return 0;

    AddLength(sha512, len);

    if (sha512->buffLen > 0) {
        word32 add = min(len, WC_SHA512_BLOCK_SIZE - sha512->buffLen);
        if (add > 0) {
            XMEMCPY(&local[sha512->buffLen], data, add);

            sha512->buffLen += add;
            data            += add;
            len             -= add;
        }

        if (sha512->buffLen == WC_SHA512_BLOCK_SIZE) {
    #if defined(LITTLE_ENDIAN_ORDER)
        #if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
            (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))
            #ifdef WC_C_DYNAMIC_FALLBACK
            if (sha512->sha_method == SHA512_C)
            #else
            if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
            #endif
        #endif
            {
        #if (!defined(WOLFSSL_ESP32_CRYPT) || \
              defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
              defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)) && \
             !defined(WOLFSSL_ARMASM)
                ByteReverseWords64(sha512->buffer, sha512->buffer,
                                                         WC_SHA512_BLOCK_SIZE);
        #endif
            }
    #endif
    #ifdef WOLFSSL_ARMASM
            Transform_Sha512(sha512, (const byte*)sha512->buffer);
    #elif !defined(WOLFSSL_ESP32_CRYPT) || \
           defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
           defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
            ret = Transform_Sha512(sha512);
    #else
            if (sha512->ctx.mode == ESP32_SHA_INIT) {
                esp_sha_try_hw_lock(&sha512->ctx);
            }
            if (sha512->ctx.mode == ESP32_SHA_SW) {
                ByteReverseWords64(sha512->buffer, sha512->buffer,
                                                         WC_SHA512_BLOCK_SIZE);
                ret = Transform_Sha512(sha512);
            }
            else {
                ret = esp_sha512_process(sha512);
            }
    #endif
            if (ret == 0)
                sha512->buffLen = 0;
            else
                len = 0;
        }
    }

#if defined(WOLFSSL_ARMASM)
    if (len >= WC_SHA512_BLOCK_SIZE) {
        word32 blocksLen = len & ~((word32)WC_SHA512_BLOCK_SIZE-1);

        Transform_Sha512_Len(sha512, data, blocksLen);
        data += blocksLen;
        len  -= blocksLen;
    }
#else
#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)))

    #ifdef WC_C_DYNAMIC_FALLBACK
    if (sha512->sha_method != SHA512_C)
    #elif defined(WC_NO_INTERNAL_FUNCTION_POINTERS)
    if (sha_method != SHA512_C)
    #else
    if (Transform_Sha512_Len_p != NULL)
    #endif

    {
        word32 blocksLen = len & ~((word32)WC_SHA512_BLOCK_SIZE-1);

        if (blocksLen > 0) {
            sha512->data = data;
            /* Byte reversal performed in function if required. */
            Transform_Sha512_Len(sha512, blocksLen);
            data += blocksLen;
            len  -= blocksLen;
        }
    }
    else
#endif
#if !defined(LITTLE_ENDIAN_ORDER) || (defined(WOLFSSL_X86_64_BUILD) && \
        defined(USE_INTEL_SPEEDUP) && (defined(HAVE_INTEL_AVX1) || \
        defined(HAVE_INTEL_AVX2)))
    {
        while (len >= WC_SHA512_BLOCK_SIZE) {
            XMEMCPY(local, data, WC_SHA512_BLOCK_SIZE);

            data += WC_SHA512_BLOCK_SIZE;
            len  -= WC_SHA512_BLOCK_SIZE;

        #if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
            (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))
            #ifdef WC_C_DYNAMIC_FALLBACK
            if (sha512->sha_method == SHA512_C)
            #else
            if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
            #endif
            {
                ByteReverseWords64(sha512->buffer, sha512->buffer,
                                                          WC_SHA512_BLOCK_SIZE);
            }
        #endif
            /* Byte reversal performed in function if required. */
            ret = Transform_Sha512(sha512);
            if (ret != 0)
                break;
        }
    }
#else
    {
        while (len >= WC_SHA512_BLOCK_SIZE) {
            XMEMCPY(local, data, WC_SHA512_BLOCK_SIZE);

            data += WC_SHA512_BLOCK_SIZE;
            len  -= WC_SHA512_BLOCK_SIZE;
    #if !defined(WOLFSSL_ESP32_CRYPT) || \
         defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
         defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
            ByteReverseWords64(sha512->buffer, sha512->buffer,
                                                       WC_SHA512_BLOCK_SIZE);
    #endif
    #if !defined(WOLFSSL_ESP32_CRYPT) || \
         defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
         defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
            ret = Transform_Sha512(sha512);
    #else
            if(sha512->ctx.mode == ESP32_SHA_INIT) {
                esp_sha_try_hw_lock(&sha512->ctx);
            }
            if (sha512->ctx.mode == ESP32_SHA_SW) {
                ByteReverseWords64(sha512->buffer, sha512->buffer,
                                                          WC_SHA512_BLOCK_SIZE);
                ret = Transform_Sha512(sha512);
            }
            else {
                ret = esp_sha512_process(sha512);
            }
    #endif
            if (ret != 0)
                break;
        } /* while (len >= WC_SHA512_BLOCK_SIZE) */
    }
#endif
#endif

    if (ret == 0 && len > 0) {
        XMEMCPY(local, data, len);
        sha512->buffLen = len;
    }

    return ret;
}

#ifdef WOLFSSL_SHA512

int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
{
    if (sha512 == NULL) {
        return BAD_FUNC_ARG;
    }
    if (data == NULL && len == 0) {
        /* valid, but do nothing */
        return 0;
    }
    if (data == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLF_CRYPTO_CB
    #ifndef WOLF_CRYPTO_CB_FIND
    if (sha512->devId != INVALID_DEVID)
    #endif
    {
        int ret = wc_CryptoCb_Sha512Hash(sha512, data, len, NULL, 0);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
            return ret;
        /* fall-through when unavailable */
    }
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
    if (sha512->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA512) {
    #if defined(HAVE_INTEL_QA)
        return IntelQaSymSha512(&sha512->asyncDev, NULL, data, len);
    #endif
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    return Sha512Update(sha512, data, len);
}

#endif /* WOLFSSL_SHA512 */

#endif /* WOLFSSL_IMX6_CAAM || WOLFSSL_SILABS_SHA512 */


#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_RENESAS_RSIP) && \
   !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/renesas/renesas_fspsm_sha.c */
#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)

#elif defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */
#elif defined(STM32_HASH_SHA512)
#elif defined(PSOC6_HASH_SHA2)
#else

static WC_INLINE int Sha512Final(wc_Sha512* sha512)
{
#ifndef WOLFSSL_ARMASM
    int ret;
#endif
    byte* local;

    if (sha512 == NULL) {
        return BAD_FUNC_ARG;
    }

    local = (byte*)sha512->buffer;

    /* we'll add a 0x80 byte at the end,
    ** so make sure we have appropriate buffer length. */
    if (sha512->buffLen > WC_SHA512_BLOCK_SIZE - 1) {
        return BAD_STATE_E;
    } /* buffLen check */

    local[sha512->buffLen++] = 0x80;  /* add 1 */

    /* pad with zeros */
    if (sha512->buffLen > WC_SHA512_PAD_SIZE) {
        if (sha512->buffLen < WC_SHA512_BLOCK_SIZE ) {
            XMEMSET(&local[sha512->buffLen], 0,
                WC_SHA512_BLOCK_SIZE - sha512->buffLen);
        }

        sha512->buffLen += WC_SHA512_BLOCK_SIZE - sha512->buffLen;
#if defined(LITTLE_ENDIAN_ORDER)
    #if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
        (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))
        #ifdef WC_C_DYNAMIC_FALLBACK
        if (sha512->sha_method == SHA512_C)
        #else
        if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
        #endif
    #endif
        {

        #if (!defined(WOLFSSL_ESP32_CRYPT) || \
              defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
              defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)) && \
             !defined(WOLFSSL_ARMASM)
            ByteReverseWords64(sha512->buffer,sha512->buffer,
                                                         WC_SHA512_BLOCK_SIZE);
        #endif
        }

#endif /* LITTLE_ENDIAN_ORDER */
#ifdef WOLFSSL_ARMASM
        Transform_Sha512(sha512, (const byte*)sha512->buffer);
#else
    #if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
       !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
        if (sha512->ctx.mode == ESP32_SHA_INIT) {
            esp_sha_try_hw_lock(&sha512->ctx);
        }
        if (sha512->ctx.mode == ESP32_SHA_SW) {
            ByteReverseWords64(sha512->buffer,sha512->buffer,
                                                         WC_SHA512_BLOCK_SIZE);
            ret = Transform_Sha512(sha512);
        }
        else {
            ret = esp_sha512_process(sha512);
        }
    #else
        ret = Transform_Sha512(sha512);
    #endif
        if (ret != 0) {
            return ret;
        }
#endif

        sha512->buffLen = 0;
    } /* (sha512->buffLen > WC_SHA512_PAD_SIZE) pad with zeros */

    XMEMSET(&local[sha512->buffLen], 0, WC_SHA512_PAD_SIZE - sha512->buffLen);

    /* put lengths in bits */
    sha512->hiLen = (sha512->loLen >> (8 * sizeof(sha512->loLen) - 3)) +
                                                         (sha512->hiLen << 3);
    sha512->loLen = sha512->loLen << 3;

    /* store lengths */
#if defined(LITTLE_ENDIAN_ORDER)
    #if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
        (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))
        #ifdef WC_C_DYNAMIC_FALLBACK
        if (sha512->sha_method == SHA512_C)
        #else
        if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
        #endif
    #endif
    #if (!defined(WOLFSSL_ESP32_CRYPT) || \
          defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
          defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)) && \
         !defined(WOLFSSL_ARMASM)
            ByteReverseWords64(sha512->buffer, sha512->buffer, WC_SHA512_PAD_SIZE);
    #endif
#endif
    /* ! length ordering dependent on digest endian type ! */

#if !defined(WOLFSSL_ESP32_CRYPT) || \
     defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
     defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 2] = sha512->hiLen;
    sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 1] = sha512->loLen;
#endif

#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
    (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))
    #ifdef WC_C_DYNAMIC_FALLBACK
    if (sha512->sha_method != SHA512_C)
    #else
    if (IS_INTEL_AVX1(intel_flags) || IS_INTEL_AVX2(intel_flags))
    #endif
    {
        ByteReverseWords64(&(sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 2]),
                           &(sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 2]),
                           WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE);
    }
#elif defined(WOLFSSL_ARMASM)
    #define SHA512_PAD_LEN_64  (WC_SHA512_PAD_SIZE / sizeof(word64))
    {
        ByteReverseWords64(&(sha512->buffer[SHA512_PAD_LEN_64]),
                           &(sha512->buffer[SHA512_PAD_LEN_64]),
                           WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE);
    }
#endif

#ifdef WOLFSSL_ARMASM
    Transform_Sha512(sha512, (const byte*)sha512->buffer);
#else
#if !defined(WOLFSSL_ESP32_CRYPT) || \
      defined(NO_WOLFSSL_ESP32_CRYPT_HASH) || \
      defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    ret = Transform_Sha512(sha512);
#else
    if(sha512->ctx.mode == ESP32_SHA_INIT) {
        /* typically for tiny block: first = last */
        esp_sha_try_hw_lock(&sha512->ctx);
    }
    if (sha512->ctx.mode == ESP32_SHA_SW) {
        ByteReverseWords64(sha512->buffer,
                           sha512->buffer,
                           WC_SHA512_BLOCK_SIZE);
        sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 2] = sha512->hiLen;
        sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 1] = sha512->loLen;
        ret = Transform_Sha512(sha512);
    }
    else {
        ret = esp_sha512_digest_process(sha512, 1);
    }
#endif

    if (ret != 0)
        return ret;
#endif

    #ifdef LITTLE_ENDIAN_ORDER
        ByteReverseWords64(sha512->digest, sha512->digest,
            WC_SHA512_DIGEST_SIZE);
    #endif


    return 0;
}

#endif /* WOLFSSL_KCAPI_HASH */

#ifdef WOLFSSL_SHA512

#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)

#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#elif defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */
#elif defined(STM32_HASH_SHA512)
#elif defined(PSOC6_HASH_SHA2)
#elif defined(WOLFSSL_SILABS_SHA512)
#else

static int Sha512FinalRaw(wc_Sha512* sha512, byte* hash, word32 digestSz)
{
    if (sha512 == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef LITTLE_ENDIAN_ORDER
    if ((digestSz & 0x7) == 0)
        ByteReverseWords64((word64 *)hash, sha512->digest, digestSz);
    else {
        ByteReverseWords64(sha512->digest, sha512->digest,
                           WC_SHA512_DIGEST_SIZE);
        XMEMCPY(hash, sha512->digest, digestSz);
    }
#else
    XMEMCPY(hash, sha512->digest, digestSz);
#endif

    return 0;
}

int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)
{
    return Sha512FinalRaw(sha512, hash, WC_SHA512_DIGEST_SIZE);
}

static int Sha512_Family_Final(wc_Sha512* sha512, byte* hash, size_t digestSz,
                               int (*initfp)(wc_Sha512*))
{
    int ret;

    if (sha512 == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLF_CRYPTO_CB
    #ifndef WOLF_CRYPTO_CB_FIND
    if (sha512->devId != INVALID_DEVID)
    #endif
    {
        ret = wc_CryptoCb_Sha512Hash(sha512, NULL, 0, hash, digestSz);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
            return ret;
        }
        /* fall-through when unavailable */
    }
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
    if (sha512->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA512) {
    #if defined(HAVE_INTEL_QA)
        return IntelQaSymSha512(&sha512->asyncDev, hash, NULL, digestSz);
    #endif
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    ret = Sha512Final(sha512);
    if (ret != 0)
        return ret;

    XMEMCPY(hash, sha512->digest, digestSz);

    /* initialize Sha512 structure for the next use */
    return initfp(sha512);
}

#ifndef STM32_HASH_SHA512
int wc_Sha512Final(wc_Sha512* sha512, byte* hash)
{
    return Sha512_Family_Final(sha512, hash, WC_SHA512_DIGEST_SIZE, InitSha512);
}
#endif

#endif /* WOLFSSL_KCAPI_HASH */

#if defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */

#else
#if !defined(WOLFSSL_SE050) || !defined(WOLFSSL_SE050_HASH)
int wc_InitSha512(wc_Sha512* sha512)
{
    int devId = INVALID_DEVID;

#ifdef WOLF_CRYPTO_CB
    devId = wc_CryptoCb_DefaultDevID();
#endif
    return wc_InitSha512_ex(sha512, NULL, devId);
}

void wc_Sha512Free(wc_Sha512* sha512)
{
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE)
    int ret = 0;
#endif

    if (sha512 == NULL)
        return;

#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE)
    #ifndef WOLF_CRYPTO_CB_FIND
    if (sha512->devId != INVALID_DEVID)
    #endif
    {
        ret = wc_CryptoCb_Free(sha512->devId, WC_ALGO_TYPE_HASH,
                         WC_HASH_TYPE_SHA512, 0, (void*)sha512);
        /* If they want the standard free, they can call it themselves */
        /* via their callback setting devId to INVALID_DEVID */
        /* otherwise assume the callback handled it */
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
            return;
        /* fall-through when unavailable */
    }

    /* silence compiler warning */
    (void)ret;

#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_FREE */

#if defined(WOLFSSL_ESP32) && \
    !defined(NO_WOLFSSL_ESP32_CRYPT_HASH)  && \
    !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    esp_sha_release_unfinished_lock(&sha512->ctx);
#endif

#ifdef WOLFSSL_SMALL_STACK_CACHE
    if (sha512->W != NULL) {
        ForceZero(sha512->W, (sizeof(word64) * 16) + WC_SHA512_BLOCK_SIZE);
        XFREE(sha512->W, sha512->heap, DYNAMIC_TYPE_TMP_BUFFER);
        sha512->W = NULL;
    }
#endif

#if defined(WOLFSSL_KCAPI_HASH)
    KcapiHashFree(&sha512->kcapi);
#endif

#if defined(WOLFSSL_HASH_KEEP) ||\
   (defined(WOLFSSL_RENESAS_RSIP) && (WOLFSSL_RENESAS_RZFSP_VER >= 220))
    if (sha512->msg != NULL) {
        ForceZero(sha512->msg, sha512->len);
        XFREE(sha512->msg, sha512->heap, DYNAMIC_TYPE_TMP_BUFFER);
        sha512->msg = NULL;
    }
#endif


#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
    wolfAsync_DevCtxFree(&sha512->asyncDev, WOLFSSL_ASYNC_MARKER_SHA512);
#endif /* WOLFSSL_ASYNC_CRYPT */

#if defined(PSOC6_HASH_SHA2)
    wc_Psoc6_Sha_Free();
#endif

    ForceZero(sha512, sizeof(*sha512));
}
#endif

#if (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) \
    && !defined(WOLFSSL_KCAPI_HASH)
/* Apply SHA512 transformation to the data                */
/* @param sha  a pointer to wc_Sha512 structure           */
/* @param data data to be applied SHA512 transformation   */
/* @return 0 on successful, otherwise non-zero on failure */
int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data)
{
    int ret;
    /* back up buffer */
    WC_DECLARE_VAR(buffer, word64, WC_SHA512_BLOCK_SIZE  / sizeof(word64),
        0);

    /* sanity check */
    if (sha == NULL || data == NULL) {
        return BAD_FUNC_ARG;
    }


#if defined(WOLFSSL_SMALL_STACK_CACHE)
    if (sha->W == NULL)
        return BAD_FUNC_ARG;
    /* Skip over the initial `W' buffer at the start (used by
     * _Transform_Sha512()).
     */
    buffer = sha->W + 16;
#elif defined(WOLFSSL_SMALL_STACK)
    buffer = (word64*)XMALLOC(WC_SHA512_BLOCK_SIZE, sha->heap,
        DYNAMIC_TYPE_TMP_BUFFER);
    if (buffer == NULL)
        return MEMORY_E;
#endif

#if defined(LITTLE_ENDIAN_ORDER)
#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
    (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))
    #ifdef WC_C_DYNAMIC_FALLBACK
    if (sha->sha_method == SHA512_C)
    #else
    if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
    #endif
#endif
    {
        ByteReverseWords64((word64*)data, (word64*)data,
                                                WC_SHA512_BLOCK_SIZE);
    }
#endif /* LITTLE_ENDIAN_ORDER */

#if defined(WOLFSSL_ARMASM)
    ByteReverseWords64(buffer, (word64*)data, WC_SHA512_BLOCK_SIZE);
    Transform_Sha512(sha, (const byte*)buffer);
    ret = 0;
#else
    XMEMCPY(buffer, sha->buffer, WC_SHA512_BLOCK_SIZE);
    XMEMCPY(sha->buffer, data, WC_SHA512_BLOCK_SIZE);

    ret = Transform_Sha512(sha);

    XMEMCPY(sha->buffer, buffer, WC_SHA512_BLOCK_SIZE);
#endif
#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
    ForceZero(buffer, WC_SHA512_BLOCK_SIZE);
    XFREE(buffer, sha->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
    return ret;
}
#endif /* OPENSSL_EXTRA */
#endif /* WOLFSSL_SHA512 */
#endif /* !WOLFSSL_SE050 || !WOLFSSL_SE050_HASH */


/* -------------------------------------------------------------------------- */
/* SHA384 */
/* -------------------------------------------------------------------------- */
#ifdef WOLFSSL_SHA384

#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH) && \
    !defined(WOLFSSL_QNX_CAAM)
    /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */
#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)
    int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId)
    {
        if (sha384 == NULL) {
            return BAD_FUNC_ARG;
        }
        (void)devId;
        return se050_hash_init(&sha384->se050Ctx, heap);
    }
    int wc_Sha384Update(wc_Sha384* sha384, const byte* data, word32 len)
    {
        if (sha384 == NULL) {
            return BAD_FUNC_ARG;
        }
        if (data == NULL && len == 0) {
            /* valid, but do nothing */
            return 0;
        }
        if (data == NULL) {
            return BAD_FUNC_ARG;
        }

        return se050_hash_update(&sha384->se050Ctx, data, len);

    }
    int wc_Sha384Final(wc_Sha384* sha384, byte* hash)
    {
        int ret = 0;
        ret = se050_hash_final(&sha384->se050Ctx, hash, WC_SHA384_DIGEST_SIZE,
                               kAlgorithm_SSS_SHA384);
        return ret;
    }

#elif defined(WOLFSSL_SILABS_SHA384)
    /* functions defined in wolfcrypt/src/port/silabs/silabs_hash.c */

#elif defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */

#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#elif defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */
#elif defined(STM32_HASH_SHA384)

    int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId)
    {
        if (sha384 == NULL)
            return BAD_FUNC_ARG;

        (void)devId;
        (void)heap;

        XMEMSET(sha384, 0, sizeof(wc_Sha384));
        wc_Stm32_Hash_Init(&sha384->stmCtx);
        return 0;
    }

    int wc_Sha384Update(wc_Sha384* sha384, const byte* data, word32 len)
    {
        int ret = 0;

        if (sha384 == NULL) {
            return BAD_FUNC_ARG;
        }
        if (data == NULL && len == 0) {
            /* valid, but do nothing */
            return 0;
        }
        if (data == NULL) {
            return BAD_FUNC_ARG;
        }

        ret = wolfSSL_CryptHwMutexLock();
        if (ret == 0) {
            ret = wc_Stm32_Hash_Update(&sha384->stmCtx,
                HASH_ALGOSELECTION_SHA384, data, len, WC_SHA384_BLOCK_SIZE);
            wolfSSL_CryptHwMutexUnLock();
        }
        return ret;
    }

    int wc_Sha384Final(wc_Sha384* sha384, byte* hash)
    {
        int ret = 0;

        if (sha384 == NULL || hash == NULL) {
            return BAD_FUNC_ARG;
        }

        ret = wolfSSL_CryptHwMutexLock();
        if (ret == 0) {
            ret = wc_Stm32_Hash_Final(&sha384->stmCtx,
                HASH_ALGOSELECTION_SHA384, hash, WC_SHA384_DIGEST_SIZE);
            wolfSSL_CryptHwMutexUnLock();
        }

        (void)wc_InitSha384(sha384); /* reset state */

        return ret;
    }

#elif defined(PSOC6_HASH_SHA2)
    /* implemented in wolfcrypt/src/port/cypress/psoc6_crypto.c */

#else

static int InitSha384(wc_Sha384* sha384)
{
    if (sha384 == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_SMALL_STACK_CACHE
    if (sha384->W == NULL) {
        /* This allocation combines the customary W buffer used by
         * _Transform_Sha512() with additional buffer space used by
         * wc_Sha512Transform().
         */
        sha384->W = (word64 *)XMALLOC((sizeof(word64) * 16) + WC_SHA512_BLOCK_SIZE,
                                      sha384->heap, DYNAMIC_TYPE_DIGEST);
        if (sha384->W == NULL)
            return MEMORY_E;
    }
#endif

    sha384->digest[0] = W64LIT(0xcbbb9d5dc1059ed8);
    sha384->digest[1] = W64LIT(0x629a292a367cd507);
    sha384->digest[2] = W64LIT(0x9159015a3070dd17);
    sha384->digest[3] = W64LIT(0x152fecd8f70e5939);
    sha384->digest[4] = W64LIT(0x67332667ffc00b31);
    sha384->digest[5] = W64LIT(0x8eb44a8768581511);
    sha384->digest[6] = W64LIT(0xdb0c2e0d64f98fa7);
    sha384->digest[7] = W64LIT(0x47b5481dbefa4fa4);

    sha384->buffLen = 0;
    sha384->loLen   = 0;
    sha384->hiLen   = 0;

#if (defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \
     (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))) || \
    defined(WOLFSSL_ARMASM)
#ifdef WC_C_DYNAMIC_FALLBACK
    sha384->sha_method = 0;
    Sha512_SetTransform(&sha384->sha_method);
#else
    Sha512_SetTransform();
#endif
#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW)  && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384)
    /* HW needs to be carefully initialized, taking into account soft copy.
    ** If already in use; copy may revert to SW as needed. */
    esp_sha_init(&(sha384->ctx), WC_HASH_TYPE_SHA384);
#endif

#ifdef WOLFSSL_HASH_FLAGS
    sha384->flags = 0;
#endif

#ifdef HAVE_ARIA
    sha384->hSession = NULL;
#endif

#ifdef WOLFSSL_HASH_KEEP
    sha384->msg  = NULL;
    sha384->len  = 0;
    sha384->used = 0;
#endif

    return 0;
}

int wc_Sha384Update(wc_Sha384* sha384, const byte* data, word32 len)
{

    if (sha384 == NULL) {
        return BAD_FUNC_ARG;
    }
    if (data == NULL && len == 0) {
        /* valid, but do nothing */
        return 0;
    }
    if (data == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLF_CRYPTO_CB
    #ifndef WOLF_CRYPTO_CB_FIND
    if (sha384->devId != INVALID_DEVID)
    #endif
    {
        int ret = wc_CryptoCb_Sha384Hash(sha384, data, len, NULL);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
            return ret;
        /* fall-through when unavailable */
    }
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
    if (sha384->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA384) {
    #if defined(HAVE_INTEL_QA)
        return IntelQaSymSha384(&sha384->asyncDev, NULL, data, len);
    #endif
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    return Sha512Update((wc_Sha512*)sha384, data, len);
}


int wc_Sha384FinalRaw(wc_Sha384* sha384, byte* hash)
{
    if (sha384 == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef LITTLE_ENDIAN_ORDER
    ByteReverseWords64((word64 *)hash, sha384->digest, WC_SHA384_DIGEST_SIZE);
#else
    XMEMCPY(hash, sha384->digest, WC_SHA384_DIGEST_SIZE);
#endif

    return 0;
}

int wc_Sha384Final(wc_Sha384* sha384, byte* hash)
{
    int ret;

    if (sha384 == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLF_CRYPTO_CB
    #ifndef WOLF_CRYPTO_CB_FIND
    if (sha384->devId != INVALID_DEVID)
    #endif
    {
        ret = wc_CryptoCb_Sha384Hash(sha384, NULL, 0, hash);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
            return ret;
        /* fall-through when unavailable */
    }
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
    if (sha384->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA384) {
    #if defined(HAVE_INTEL_QA)
        return IntelQaSymSha384(&sha384->asyncDev, hash, NULL,
                                            WC_SHA384_DIGEST_SIZE);
    #endif
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

    ret = Sha512Final((wc_Sha512*)sha384);
    if (ret != 0)
        return ret;

    XMEMCPY(hash, sha384->digest, WC_SHA384_DIGEST_SIZE);

    return InitSha384(sha384);  /* reset state */
}

int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId)
{
    int ret;

    if (sha384 == NULL) {
        return BAD_FUNC_ARG;
    }

    sha384->heap = heap;
#ifdef WOLFSSL_SMALL_STACK_CACHE
    sha384->W = NULL;
#endif
#ifdef WOLF_CRYPTO_CB
    sha384->devId = devId;
    sha384->devCtx = NULL;
#endif
#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW)  && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384)
    if (sha384->ctx.mode != ESP32_SHA_INIT) {
        ESP_LOGV(TAG, "Set ctx mode from prior value: "
                           "%d", sha384->ctx.mode);
    }
    /* We know this is a fresh, uninitialized item, so set to INIT */
    sha384->ctx.mode = ESP32_SHA_INIT;
#endif


    ret = InitSha384(sha384);
    if (ret != 0) {
        return ret;
    }

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
    ret = wolfAsync_DevCtxInit(&sha384->asyncDev, WOLFSSL_ASYNC_MARKER_SHA384,
                                                           sha384->heap, devId);
#else
    (void)devId;
#endif /* WOLFSSL_ASYNC_CRYPT */
#ifdef WOLFSSL_IMXRT1170_CAAM
     ret = wc_CAAM_HashInit(&sha384->hndl, &sha384->ctx, WC_HASH_TYPE_SHA384);
#endif
    return ret;
}

#endif /* WOLFSSL_IMX6_CAAM || WOLFSSL_SILABS_SHA384 || WOLFSSL_KCAPI_HASH */

#if defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */

#else
int wc_InitSha384(wc_Sha384* sha384)
{
    int devId = INVALID_DEVID;

#ifdef WOLF_CRYPTO_CB
    devId = wc_CryptoCb_DefaultDevID();
#endif
    return wc_InitSha384_ex(sha384, NULL, devId);
}

void wc_Sha384Free(wc_Sha384* sha384)
{
#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE)
    int ret = 0;
#endif

    if (sha384 == NULL)
        return;

#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE)
    #ifndef WOLF_CRYPTO_CB_FIND
    if (sha384->devId != INVALID_DEVID)
    #endif
    {
        ret = wc_CryptoCb_Free(sha384->devId, WC_ALGO_TYPE_HASH,
                         WC_HASH_TYPE_SHA384, 0, (void*)sha384);
        /* If they want the standard free, they can call it themselves */
        /* via their callback setting devId to INVALID_DEVID */
        /* otherwise assume the callback handled it */
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
            return;
        /* fall-through when unavailable */
    }

    /* silence compiler warning */
    (void)ret;

#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_FREE */

#if defined(WOLFSSL_ESP32) && !defined(NO_WOLFSSL_ESP32_CRYPT_HASH)  && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384)
    esp_sha_release_unfinished_lock(&sha384->ctx);
#endif

#ifdef WOLFSSL_SMALL_STACK_CACHE
    if (sha384->W != NULL) {
        ForceZero(sha384->W, (sizeof(word64) * 16) + WC_SHA512_BLOCK_SIZE);
        XFREE(sha384->W, sha384->heap, DYNAMIC_TYPE_TMP_BUFFER);
        sha384->W = NULL;
    }
#endif

#if defined(WOLFSSL_KCAPI_HASH)
    KcapiHashFree(&sha384->kcapi);
#endif

#if defined(WOLFSSL_HASH_KEEP) || \
   (defined(WOLFSSL_RENESAS_RSIP) && (WOLFSSL_RENESAS_RZFSP_VER >= 220))
    if (sha384->msg != NULL) {
        ForceZero(sha384->msg, sha384->len);
        XFREE(sha384->msg, sha384->heap, DYNAMIC_TYPE_TMP_BUFFER);
        sha384->msg = NULL;
    }
#endif

#if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)
    se050_hash_free(&sha384->se050Ctx);
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
    wolfAsync_DevCtxFree(&sha384->asyncDev, WOLFSSL_ASYNC_MARKER_SHA384);
#endif /* WOLFSSL_ASYNC_CRYPT */

#ifdef HAVE_ARIA
    if (sha384->hSession != NULL) {
        MC_CloseSession(sha384->hSession);
        sha384->hSession = NULL;
    }
#endif


    ForceZero(sha384, sizeof(*sha384));
}

#endif
#endif /* WOLFSSL_SHA384 */

#ifdef WOLFSSL_SHA512

#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */

#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#elif defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */

#else

static int Sha512_Family_GetHash(wc_Sha512* sha512, byte* hash,
                                 int (*finalfp)(wc_Sha512*, byte*))
{
    int ret;
    WC_DECLARE_VAR(tmpSha512, wc_Sha512, 1, 0);

    if (sha512 == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

    WC_CALLOC_VAR_EX(tmpSha512, wc_Sha512, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER,
        return MEMORY_E);

    /* copy this sha512 into tmpSha */
    ret = wc_Sha512Copy(sha512, tmpSha512);
    if (ret == 0) {
        ret = finalfp(tmpSha512, hash);
        wc_Sha512Free(tmpSha512);
    }

    WC_FREE_VAR_EX(tmpSha512, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    return ret;
}

int wc_Sha512GetHash(wc_Sha512* sha512, byte* hash)
{
    return Sha512_Family_GetHash(sha512, hash, wc_Sha512Final);
}

int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst)
{
    int ret = 0;

    if (src == NULL || dst == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_COPY)
    #ifndef WOLF_CRYPTO_CB_FIND
    if (src->devId != INVALID_DEVID)
    #endif
    {
        /* Cast the source and destination to be void to keep the abstraction */
        ret = wc_CryptoCb_Copy(src->devId, WC_ALGO_TYPE_HASH,
                               WC_HASH_TYPE_SHA512, (void*)src, (void*)dst);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
            return ret;
        /* fall-through when unavailable */
    }
    ret = 0; /* Reset ret to 0 to avoid returning the callback error code */
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_COPY */

    /* Free dst resources before copy to prevent memory leaks (e.g., msg
     * buffer, W cache, hardware contexts). XMEMCPY overwrites dst. */
    wc_Sha512Free(dst);
    XMEMCPY(dst, src, sizeof(wc_Sha512));
#ifdef WOLFSSL_SMALL_STACK_CACHE
    /* This allocation combines the customary W buffer used by
     * _Transform_Sha512() with additional buffer space used by
     * wc_Sha512Transform().
     */
    dst->W = (word64 *)XMALLOC((sizeof(word64) * 16) + WC_SHA512_BLOCK_SIZE,
                               dst->heap, DYNAMIC_TYPE_DIGEST);
    if (dst->W == NULL) {
        XMEMSET(dst, 0, sizeof(wc_Sha512));
        return MEMORY_E;
    }
#endif

#if defined(WOLFSSL_SILABS_SE_ACCEL) && defined(WOLFSSL_SILABS_SE_ACCEL_3) && \
    defined(WOLFSSL_SILABS_SHA512)
    dst->silabsCtx.hash_ctx.cmd_ctx = &dst->silabsCtx.cmd_ctx;
    dst->silabsCtx.hash_ctx.hash_type_ctx = &dst->silabsCtx.hash_type_ctx;
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512)
    #if defined(CONFIG_IDF_TARGET_ESP32)
    if (ret == 0) {
        ret = esp_sha512_ctx_copy(src, dst);
    }
    #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
          defined(CONFIG_IDF_TARGET_ESP8684) || \
          defined(CONFIG_IDF_TARGET_ESP32C3) || \
          defined(CONFIG_IDF_TARGET_ESP32C6)
        ESP_LOGV(TAG, "No SHA-512 HW on the ESP32-C3");

    #elif defined(CONFIG_IDF_TARGET_ESP32S2) || \
          defined(CONFIG_IDF_TARGET_ESP32S3)
        if (ret == 0) {
            ret = esp_sha512_ctx_copy(src, dst);
        }
    #else
        ESP_LOGW(TAG, "No SHA384 HW or not yet implemented for %s",
                       CONFIG_IDF_TARGET);
    #endif

#endif /* WOLFSSL_USE_ESP32_CRYPT_HASH_HW */

#ifdef WOLFSSL_HASH_FLAGS
     dst->flags |= WC_HASH_FLAG_ISCOPY;
#endif

#if defined(WOLFSSL_HASH_KEEP)
    if (src->msg != NULL) {
        dst->msg = (byte*)XMALLOC(src->len, dst->heap, DYNAMIC_TYPE_TMP_BUFFER);
        if (dst->msg == NULL)
            return MEMORY_E;
        XMEMCPY(dst->msg, src->msg, src->len);
    }
#endif


#if defined(PSOC6_HASH_SHA2)
    wc_Psoc6_Sha1_Sha2_Init(dst, WC_PSOC6_SHA512, 0);
#endif

    return ret;
}

#endif /* WOLFSSL_KCAPI_HASH */

#ifdef WOLFSSL_HASH_FLAGS
int wc_Sha512SetFlags(wc_Sha512* sha512, word32 flags)
{
    if (sha512) {
        sha512->flags = flags;
    }
    return 0;
}
int wc_Sha512GetFlags(wc_Sha512* sha512, word32* flags)
{
    if (sha512 && flags) {
        *flags = sha512->flags;
    }
    return 0;
}
#endif /* WOLFSSL_HASH_FLAGS */

#if !defined(WOLFSSL_NOSHA512_224) && \
   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)

#if defined(STM32_HASH_SHA512_224)

int wc_InitSha512_224_ex(wc_Sha512* sha512, void* heap, int devId)
{
    if (sha512 == NULL)
        return BAD_FUNC_ARG;

    (void)devId;
    (void)heap;

    XMEMSET(sha512, 0, sizeof(wc_Sha512));
    wc_Stm32_Hash_Init(&sha512->stmCtx);
    return 0;
}

int wc_Sha512_224Update(wc_Sha512* sha512, const byte* data, word32 len)
{
    int ret = 0;

    if (sha512 == NULL) {
        return BAD_FUNC_ARG;
    }
    if (data == NULL && len == 0) {
        /* valid, but do nothing */
        return 0;
    }
    if (data == NULL) {
        return BAD_FUNC_ARG;
    }

    ret = wolfSSL_CryptHwMutexLock();
    if (ret == 0) {
        ret = wc_Stm32_Hash_Update(&sha512->stmCtx,
            HASH_ALGOSELECTION_SHA512_224, data, len, WC_SHA512_224_BLOCK_SIZE);
        wolfSSL_CryptHwMutexUnLock();
    }
    return ret;
}

int wc_Sha512_224Final(wc_Sha512* sha512, byte* hash)
{
    int ret = 0;

    if (sha512 == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

    ret = wolfSSL_CryptHwMutexLock();
    if (ret == 0) {
        ret = wc_Stm32_Hash_Final(&sha512->stmCtx,
            HASH_ALGOSELECTION_SHA512_224, hash, WC_SHA512_224_DIGEST_SIZE);
        wolfSSL_CryptHwMutexUnLock();
    }

    (void)wc_InitSha512_224(sha512); /* reset state */

    return ret;
}
#elif defined(PSOC6_HASH_SHA2)
    /* functions defined in wolfcrypt/src/port/cypress/psoc6_crypto.c */
#endif
int wc_InitSha512_224(wc_Sha512* sha)
{
    return wc_InitSha512_224_ex(sha, NULL, INVALID_DEVID);
}
#if !defined(STM32_HASH_SHA512_224) && !defined(PSOC6_HASH_SHA2)
int wc_Sha512_224Update(wc_Sha512* sha, const byte* data, word32 len)
{
    return wc_Sha512Update(sha, data, len);
}
#endif
#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)
#elif defined(STM32_HASH_SHA512_224)
#elif defined(PSOC6_HASH_SHA2)
    /* functions defined in wolfcrypt/src/port/cypress/psoc6_crypto.c */

#else
int wc_Sha512_224FinalRaw(wc_Sha512* sha, byte* hash)
{
    return Sha512FinalRaw(sha, hash, WC_SHA512_224_DIGEST_SIZE);
}

int wc_Sha512_224Final(wc_Sha512* sha512, byte* hash)
{
    return Sha512_Family_Final(sha512, hash, WC_SHA512_224_DIGEST_SIZE,
                               InitSha512_224);
}
#endif /* else none of the above: WOLFSSL_KCAPI_HASH, WOLFSSL_SE050 */

void wc_Sha512_224Free(wc_Sha512* sha)
{
    wc_Sha512Free(sha);
}

#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)

#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#else
int wc_Sha512_224GetHash(wc_Sha512* sha512, byte* hash)
{
    return Sha512_Family_GetHash(sha512, hash, wc_Sha512_224Final);
}

int wc_Sha512_224Copy(wc_Sha512* src, wc_Sha512* dst)
{
    return wc_Sha512Copy(src, dst);
}
#endif /* else none of the above: WOLFSSL_KCAPI_HASH, WOLFSSL_SE050 */

#ifdef WOLFSSL_HASH_FLAGS
int wc_Sha512_224SetFlags(wc_Sha512* sha, word32 flags)
{
    return wc_Sha512SetFlags(sha, flags);
}
int wc_Sha512_224GetFlags(wc_Sha512* sha, word32* flags)
{
    return wc_Sha512GetFlags(sha, flags);
}
#endif /* WOLFSSL_HASH_FLAGS */

#if defined(OPENSSL_EXTRA) || defined(HAVE_CURL)
int wc_Sha512_224Transform(wc_Sha512* sha, const unsigned char* data)
{
    return wc_Sha512Transform(sha, data);
}
#endif /* OPENSSL_EXTRA */


#endif /* !WOLFSSL_NOSHA512_224 && !FIPS ... */

#if !defined(WOLFSSL_NOSHA512_256) && \
   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
#if defined(STM32_HASH_SHA512_256)

    int wc_InitSha512_256_ex(wc_Sha512* sha512, void* heap, int devId)
    {
        if (sha512 == NULL)
            return BAD_FUNC_ARG;

        (void)devId;
        (void)heap;

        XMEMSET(sha512, 0, sizeof(wc_Sha512));
        wc_Stm32_Hash_Init(&sha512->stmCtx);
        return 0;
    }

    int wc_Sha512_256Update(wc_Sha512* sha512, const byte* data, word32 len)
    {
        int ret = 0;

        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
        if (data == NULL && len == 0) {
            /* valid, but do nothing */
            return 0;
        }
        if (data == NULL) {
            return BAD_FUNC_ARG;
        }

        ret = wolfSSL_CryptHwMutexLock();
        if (ret == 0) {
            ret = wc_Stm32_Hash_Update(&sha512->stmCtx,
                HASH_ALGOSELECTION_SHA512_256, data, len, WC_SHA512_256_BLOCK_SIZE);
            wolfSSL_CryptHwMutexUnLock();
        }
        return ret;
    }

    int wc_Sha512_256Final(wc_Sha512* sha512, byte* hash)
    {
        int ret = 0;

        if (sha512 == NULL || hash == NULL) {
            return BAD_FUNC_ARG;
        }

        ret = wolfSSL_CryptHwMutexLock();
        if (ret == 0) {
            ret = wc_Stm32_Hash_Final(&sha512->stmCtx,
                HASH_ALGOSELECTION_SHA512_256, hash, WC_SHA512_256_DIGEST_SIZE);
            wolfSSL_CryptHwMutexUnLock();
        }

        (void)wc_InitSha512_256(sha512); /* reset state */

        return ret;
    }
#elif defined(PSOC6_HASH_SHA2)
    /* functions defined in wolfcrypt/src/port/cypress/psoc6_crypto.c */
#endif
int wc_InitSha512_256(wc_Sha512* sha)
{
    return wc_InitSha512_256_ex(sha, NULL, INVALID_DEVID);
}
#if !defined(STM32_HASH_SHA512_256) && !defined(PSOC6_HASH_SHA2)
int wc_Sha512_256Update(wc_Sha512* sha, const byte* data, word32 len)
{
    return wc_Sha512Update(sha, data, len);
}
#endif
#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)
#elif defined(STM32_HASH_SHA512_256)
#elif defined(PSOC6_HASH_SHA2)
    /* functions defined in wolfcrypt/src/port/cypress/psoc6_crypto.c */
#else
int wc_Sha512_256FinalRaw(wc_Sha512* sha, byte* hash)
{
    return Sha512FinalRaw(sha, hash, WC_SHA512_256_DIGEST_SIZE);
}

int wc_Sha512_256Final(wc_Sha512* sha512, byte* hash)
{
    return Sha512_Family_Final(sha512, hash, WC_SHA512_256_DIGEST_SIZE,
                               InitSha512_256);
}
#endif

void wc_Sha512_256Free(wc_Sha512* sha)
{
    wc_Sha512Free(sha);
}

#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c */

#else
int wc_Sha512_256GetHash(wc_Sha512* sha512, byte* hash)
{
    return Sha512_Family_GetHash(sha512, hash, wc_Sha512_256Final);
}
int wc_Sha512_256Copy(wc_Sha512* src, wc_Sha512* dst)
{
    return wc_Sha512Copy(src, dst);
}
#endif

#ifdef WOLFSSL_HASH_FLAGS
int wc_Sha512_256SetFlags(wc_Sha512* sha, word32 flags)
{
    return wc_Sha512SetFlags(sha, flags);
}
int wc_Sha512_256GetFlags(wc_Sha512* sha, word32* flags)
{
    return wc_Sha512GetFlags(sha, flags);
}
#endif /* WOLFSSL_HASH_FLAGS */

#if defined(OPENSSL_EXTRA) || defined(HAVE_CURL)
int wc_Sha512_256Transform(wc_Sha512* sha, const unsigned char* data)
{
    return wc_Sha512Transform(sha, data);
}
#endif /* OPENSSL_EXTRA */


#endif /* !WOLFSSL_NOSHA512_256 && !FIPS ... */

#endif /* WOLFSSL_SHA512 */

#ifdef WOLFSSL_SHA384

#if defined(WOLFSSL_KCAPI_HASH)
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_RENESAS_RSIP) && \
     !defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)
    /* functions defined in wolfcrypt/src/port/renesas/renesas_fspsm_sha.c */
#elif defined(MAX3266X_SHA)
    /* Functions defined in wolfcrypt/src/port/maxim/max3266x.c */

#else

int wc_Sha384GetHash(wc_Sha384* sha384, byte* hash)
{
    int ret;
    WC_DECLARE_VAR(tmpSha384, wc_Sha384, 1, 0);

    if (sha384 == NULL || hash == NULL) {
        return BAD_FUNC_ARG;
    }

    WC_CALLOC_VAR_EX(tmpSha384, wc_Sha384, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER,
        return MEMORY_E);

    /* copy this sha384 into tmpSha */
    ret = wc_Sha384Copy(sha384, tmpSha384);
    if (ret == 0) {
        ret = wc_Sha384Final(tmpSha384, hash);
        wc_Sha384Free(tmpSha384);
    }

    WC_FREE_VAR_EX(tmpSha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    return ret;
}

int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst)
{
    int ret = 0;

    if (src == NULL || dst == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_COPY)
    #ifndef WOLF_CRYPTO_CB_FIND
    if (src->devId != INVALID_DEVID)
    #endif
    {
        /* Cast the source and destination to be void to keep the abstraction */
        ret = wc_CryptoCb_Copy(src->devId, WC_ALGO_TYPE_HASH,
                               WC_HASH_TYPE_SHA384, (void*)src, (void*)dst);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
            return ret;
        /* fall-through when unavailable */
    }
    ret = 0; /* Reset ret to 0 to avoid returning the callback error code */
#endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_COPY */

    /* Free dst resources before copy to prevent memory leaks (e.g., msg
     * buffer, W cache, hardware contexts). XMEMCPY overwrites dst. */
    wc_Sha384Free(dst);
    XMEMCPY(dst, src, sizeof(wc_Sha384));

#ifdef WOLFSSL_SMALL_STACK_CACHE
    /* This allocation combines the customary W buffer used by
     * _Transform_Sha512() with additional buffer space used by
     * wc_Sha512Transform().
     */
    dst->W = (word64 *)XMALLOC((sizeof(word64) * 16) + WC_SHA384_BLOCK_SIZE,
                               dst->heap, DYNAMIC_TYPE_DIGEST);
    if (dst->W == NULL) {
        XMEMSET(dst, 0, sizeof(wc_Sha384));
        return MEMORY_E;
    }
#endif

#if defined(WOLFSSL_SILABS_SE_ACCEL) && defined(WOLFSSL_SILABS_SE_ACCEL_3) && \
    defined(WOLFSSL_SILABS_SHA384)
    dst->silabsCtx.hash_ctx.cmd_ctx = &dst->silabsCtx.cmd_ctx;
    dst->silabsCtx.hash_ctx.hash_type_ctx = &dst->silabsCtx.hash_type_ctx;
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
#endif

#if defined(WOLFSSL_USE_ESP32_CRYPT_HASH_HW) && \
   !defined(NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384)
    #if defined(CONFIG_IDF_TARGET_ESP32)
        esp_sha384_ctx_copy(src, dst);
    #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
          defined(CONFIG_IDF_TARGET_ESP8684) || \
          defined(CONFIG_IDF_TARGET_ESP32C3) || \
          defined(CONFIG_IDF_TARGET_ESP32C6)
        ESP_LOGV(TAG, "No SHA-384 HW on the ESP32-C3");
    #elif defined(CONFIG_IDF_TARGET_ESP32S2) || \
          defined(CONFIG_IDF_TARGET_ESP32S3)
        esp_sha384_ctx_copy(src, dst);
    #else
        ESP_LOGW(TAG, "No SHA384 HW or not yet implemented for %s",
                       CONFIG_IDF_TARGET);
    #endif
#endif

#ifdef HAVE_ARIA
    dst->hSession = NULL;
    if((src->hSession != NULL) && (MC_CopySession(src->hSession, &(dst->hSession)) != MC_OK)) {
        return MEMORY_E;
    }
#endif

#ifdef WOLFSSL_HASH_FLAGS
     dst->flags |= WC_HASH_FLAG_ISCOPY;
#endif

#if defined(WOLFSSL_HASH_KEEP)
    if (src->msg != NULL) {
        dst->msg = (byte*)XMALLOC(src->len, dst->heap, DYNAMIC_TYPE_TMP_BUFFER);
        if (dst->msg == NULL)
            return MEMORY_E;
        XMEMCPY(dst->msg, src->msg, src->len);
    }
#endif


#if defined(PSOC6_HASH_SHA2)
    wc_Psoc6_Sha1_Sha2_Init(dst, WC_PSOC6_SHA384, 0);
#endif

    return ret;
}

#endif /* WOLFSSL_KCAPI_HASH */

#ifdef WOLFSSL_HASH_FLAGS
int wc_Sha384SetFlags(wc_Sha384* sha384, word32 flags)
{
    if (sha384) {
        sha384->flags = flags;
    }
    return 0;
}
int wc_Sha384GetFlags(wc_Sha384* sha384, word32* flags)
{
    if (sha384 && flags) {
        *flags = sha384->flags;
    }
    return 0;
}
#endif

#endif /* WOLFSSL_SHA384 */

#ifdef WOLFSSL_HASH_KEEP
/* Some hardware have issues with update, this function stores the data to be
 * hashed into an array. Once ready, the Final operation is called on all of the
 * data to be hashed at once.
 * returns 0 on success
 */
int wc_Sha512_Grow(wc_Sha512* sha512, const byte* in, int inSz)
{
    return _wc_Hash_Grow(&(sha512->msg), &(sha512->used), &(sha512->len), in,
                        inSz, sha512->heap);
}
#ifdef WOLFSSL_SHA384
int wc_Sha384_Grow(wc_Sha384* sha384, const byte* in, int inSz)
{
    return _wc_Hash_Grow(&(sha384->msg), &(sha384->used), &(sha384->len), in,
                        inSz, sha384->heap);
}
#endif /* WOLFSSL_SHA384 */
#endif /* WOLFSSL_HASH_KEEP */
#endif /* WOLFSSL_SHA512 || WOLFSSL_SHA384 */

Coverage Report

Created: 2026-04-05 07:22