1 /* $OpenBSD: sha512.c,v 1.16 2021/11/09 18:40:21 bcook Exp $ */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found in ../../LICENSE].
5 * ====================================================================
6 */
7
8 #include <endian.h>
9 #include <stdlib.h>
10 #include <string.h>
11
12 #include <openssl/opensslconf.h>
13
14 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
15 /*
16 * IMPLEMENTATION NOTES.
17 *
18 * As you might have noticed 32-bit hash algorithms:
19 *
20 * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
21 * - optimized versions implement two transform functions: one operating
22 * on [aligned] data in host byte order and one - on data in input
23 * stream byte order;
24 * - share common byte-order neutral collector and padding function
25 * implementations, ../md32_common.h;
26 *
27 * Neither of the above applies to this SHA-512 implementations. Reasons
28 * [in reverse order] are:
29 *
30 * - it's the only 64-bit hash algorithm for the moment of this writing,
31 * there is no need for common collector/padding implementation [yet];
32 * - by supporting only one transform function [which operates on
33 * *aligned* data in input stream byte order, big-endian in this case]
34 * we minimize burden of maintenance in two ways: a) collector/padding
35 * function is simpler; b) only one transform function to stare at;
36 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
37 * apply a number of optimizations to mitigate potential performance
38 * penalties caused by previous design decision;
39 *
40 * Caveat lector.
41 *
42 * Implementation relies on the fact that "long long" is 64-bit on
43 * both 32- and 64-bit platforms. If some compiler vendor comes up
44 * with 128-bit long long, adjustment to sha.h would be required.
45 * As this implementation relies on 64-bit integer type, it's totally
46 * inappropriate for platforms which don't support it, most notably
47 * 16-bit platforms.
48 * <appro@fy.chalmers.se>
49 */
50
51 #include <openssl/crypto.h>
52 #include <openssl/opensslv.h>
53 #include <openssl/sha.h>
54
55 #if !defined(__STRICT_ALIGNMENT) || defined(SHA512_ASM)
56 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
57 #endif
58
/*
 * Initialize *c for SHA-384: load the initial hash values from
 * FIPS 180-4 section 5.3.4, reset the bit counters and buffer, and
 * select the 48-byte digest length.  Always returns 1.
 */
int SHA384_Init(SHA512_CTX *c)
	{
	static const SHA_LONG64 iv384[8] = {
		U64(0xcbbb9d5dc1059ed8), U64(0x629a292a367cd507),
		U64(0x9159015a3070dd17), U64(0x152fecd8f70e5939),
		U64(0x67332667ffc00b31), U64(0x8eb44a8768581511),
		U64(0xdb0c2e0d64f98fa7), U64(0x47b5481dbefa4fa4)
	};
	int i;

	for (i = 0; i < 8; i++)
		c->h[i] = iv384[i];

	c->Nl = 0;
	c->Nh = 0;
	c->num = 0;
	c->md_len = SHA384_DIGEST_LENGTH;
	return 1;
	}
74
/*
 * Initialize *c for SHA-512: load the initial hash values from
 * FIPS 180-4 section 5.3.5, reset the bit counters and buffer, and
 * select the 64-byte digest length.  Always returns 1.
 */
int SHA512_Init(SHA512_CTX *c)
	{
	static const SHA_LONG64 iv512[8] = {
		U64(0x6a09e667f3bcc908), U64(0xbb67ae8584caa73b),
		U64(0x3c6ef372fe94f82b), U64(0xa54ff53a5f1d36f1),
		U64(0x510e527fade682d1), U64(0x9b05688c2b3e6c1f),
		U64(0x1f83d9abfb41bd6b), U64(0x5be0cd19137e2179)
	};
	int i;

	for (i = 0; i < 8; i++)
		c->h[i] = iv512[i];

	c->Nl = 0;
	c->Nh = 0;
	c->num = 0;
	c->md_len = SHA512_DIGEST_LENGTH;
	return 1;
	}
90
/*
 * The single block-transform function: hashes `num` 128-byte blocks of
 * big-endian input at `in` into ctx->h.  Static when implemented by the
 * C code below; an external symbol when an assembly implementation is
 * supplied via SHA512_ASM.
 */
#ifndef SHA512_ASM
static
#endif
void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num);
95
/*
 * Finalize a SHA-512/SHA-384 computation: append the 0x80 padding byte,
 * zero-fill up to the length field, store the 128-bit message bit count
 * (Nh:Nl) big-endian in the last 16 bytes of the block, run the final
 * transform, then serialize the state words into md big-endian.
 *
 * Returns 1 on success; 0 if md is NULL or c->md_len is not a
 * recognized digest length.
 */
int SHA512_Final (unsigned char *md, SHA512_CTX *c)
	{
	unsigned char *p=(unsigned char *)c->u.p;
	size_t n=c->num;

	p[n]=0x80;	/* there is always room for one pad byte */
	n++;
	/* Not enough room left for the 16-byte length field: pad out
	 * this block, process it, and continue in a fresh block. */
	if (n > (sizeof(c->u)-16))
		memset (p+n,0,sizeof(c->u)-n), n=0,
		sha512_block_data_order (c,p,1);

	memset (p+n,0,sizeof(c->u)-16-n);
#if BYTE_ORDER == BIG_ENDIAN
	/* Host order already matches the stream: store the two 64-bit
	 * length words directly into the block. */
	c->u.d[SHA_LBLOCK-2] = c->Nh;
	c->u.d[SHA_LBLOCK-1] = c->Nl;
#else
	/* Little-endian host: serialize Nh:Nl byte by byte, least
	 * significant byte at the end of the block. */
	p[sizeof(c->u)-1] = (unsigned char)(c->Nl);
	p[sizeof(c->u)-2] = (unsigned char)(c->Nl>>8);
	p[sizeof(c->u)-3] = (unsigned char)(c->Nl>>16);
	p[sizeof(c->u)-4] = (unsigned char)(c->Nl>>24);
	p[sizeof(c->u)-5] = (unsigned char)(c->Nl>>32);
	p[sizeof(c->u)-6] = (unsigned char)(c->Nl>>40);
	p[sizeof(c->u)-7] = (unsigned char)(c->Nl>>48);
	p[sizeof(c->u)-8] = (unsigned char)(c->Nl>>56);
	p[sizeof(c->u)-9] = (unsigned char)(c->Nh);
	p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
	p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
	p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
	p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
	p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
	p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
	p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
#endif

	sha512_block_data_order (c,p,1);

	if (md==0) return 0;

	/* Emit c->h[0..md_len/8) big-endian.  md_len doubles as the
	 * SHA-384/SHA-512 selector set by the Init function. */
	switch (c->md_len)
		{
		/* Let compiler decide if it's appropriate to unroll... */
		case SHA384_DIGEST_LENGTH:
			for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
				{
				SHA_LONG64 t = c->h[n];

				*(md++) = (unsigned char)(t>>56);
				*(md++) = (unsigned char)(t>>48);
				*(md++) = (unsigned char)(t>>40);
				*(md++) = (unsigned char)(t>>32);
				*(md++) = (unsigned char)(t>>24);
				*(md++) = (unsigned char)(t>>16);
				*(md++) = (unsigned char)(t>>8);
				*(md++) = (unsigned char)(t);
				}
			break;
		case SHA512_DIGEST_LENGTH:
			for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
				{
				SHA_LONG64 t = c->h[n];

				*(md++) = (unsigned char)(t>>56);
				*(md++) = (unsigned char)(t>>48);
				*(md++) = (unsigned char)(t>>40);
				*(md++) = (unsigned char)(t>>32);
				*(md++) = (unsigned char)(t>>24);
				*(md++) = (unsigned char)(t>>16);
				*(md++) = (unsigned char)(t>>8);
				*(md++) = (unsigned char)(t);
				}
			break;
		/* ... as well as make sure md_len is not abused. */
		default: return 0;
		}

	return 1;
	}
173
/*
 * SHA-384 finalization is identical to SHA-512's: the shared context's
 * md_len field (set by SHA384_Init) selects the 48-byte output.
 */
int SHA384_Final (unsigned char *md, SHA512_CTX *c)
	{
	return SHA512_Final (md, c);
	}
176
/*
 * Absorb len bytes at _data into the hash state.  Input is collected
 * into the context buffer and hashed in 128-byte blocks; bulk input is
 * fed to the transform directly when alignment permits.  Returns 1.
 */
int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
	{
	SHA_LONG64 l;
	unsigned char *p=c->u.p;
	const unsigned char *data=(const unsigned char *)_data;

	if (len==0) return 1;

	/* Update the 128-bit message bit counter Nh:Nl.  len<<3 may
	 * wrap Nl (carry detected by l < c->Nl) and, when size_t is
	 * 64-bit, lose high bits of len itself (recovered via the
	 * len>>61 term). */
	l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
	if (l < c->Nl) c->Nh++;
	if (sizeof(len)>=8) c->Nh+=(((SHA_LONG64)len)>>61);
	c->Nl=l;

	/* Top up a partially filled context buffer first. */
	if (c->num != 0)
		{
		size_t n = sizeof(c->u) - c->num;

		if (len < n)
			{
			/* Still not a full block: stash and return. */
			memcpy (p+c->num,data,len), c->num += (unsigned int)len;
			return 1;
			}
		else	{
			memcpy (p+c->num,data,n), c->num = 0;
			len-=n, data+=n;
			sha512_block_data_order (c,p,1);
			}
		}

	if (len >= sizeof(c->u))
		{
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
		/* Transform needs aligned input on this platform:
		 * bounce misaligned data through the context buffer
		 * one block at a time. */
		if ((size_t)data%sizeof(c->u.d[0]) != 0)
			while (len >= sizeof(c->u))
				memcpy (p,data,sizeof(c->u)),
				sha512_block_data_order (c,p,1),
				len -= sizeof(c->u),
				data += sizeof(c->u);
		else
#endif
			/* Hash all whole blocks in a single call, then
			 * step data back over the leftover tail. */
			sha512_block_data_order (c,data,len/sizeof(c->u)),
			data += len,
			len %= sizeof(c->u),
			data -= len;
		}

	/* Keep the remaining partial block for the next Update/Final. */
	if (len != 0) memcpy (p,data,len), c->num = (int)len;

	return 1;
	}
227
/*
 * SHA-384 absorbs data exactly like SHA-512; only initialization and
 * output length differ, so delegate to SHA512_Update.
 */
int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
	{
	return SHA512_Update (c, data, len);
	}
230
/*
 * Public single-block transform: hash exactly one 128-byte block at
 * `data` into the context state.  No padding or length bookkeeping is
 * performed; callers manage the message schedule themselves.
 */
void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
	{
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
	/* Strict-alignment platform: copy misaligned input through the
	 * (suitably aligned) context buffer before transforming. */
	if ((size_t)data%sizeof(c->u.d[0]) != 0)
		memcpy(c->u.p,data,sizeof(c->u.p)),
		data = c->u.p;
#endif
	sha512_block_data_order (c,data,1);
	}
240
/*
 * One-shot SHA-384: hash n bytes at d and write the 48-byte digest to
 * md.  When md is NULL the digest goes into a static buffer (not
 * thread-safe) and a pointer to it is returned.  The context is wiped
 * with explicit_bzero before returning.
 */
unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
	{
	static unsigned char digest[SHA384_DIGEST_LENGTH];
	SHA512_CTX ctx;

	if (md == NULL)
		md = digest;

	SHA384_Init(&ctx);
	SHA512_Update(&ctx, d, n);
	SHA512_Final(md, &ctx);
	explicit_bzero(&ctx, sizeof(ctx));

	return md;
	}
253
/*
 * One-shot SHA-512: hash n bytes at d and write the 64-byte digest to
 * md.  When md is NULL the digest goes into a static buffer (not
 * thread-safe) and a pointer to it is returned.  The context is wiped
 * with explicit_bzero before returning.
 */
unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
	{
	static unsigned char digest[SHA512_DIGEST_LENGTH];
	SHA512_CTX ctx;

	if (md == NULL)
		md = digest;

	SHA512_Init(&ctx);
	SHA512_Update(&ctx, d, n);
	SHA512_Final(md, &ctx);
	explicit_bzero(&ctx, sizeof(ctx));

	return md;
	}
266
267 #ifndef SHA512_ASM
/*
 * SHA-384/512 round constants K512[0..79]: the first 64 bits of the
 * fractional parts of the cube roots of the first 80 prime numbers
 * (FIPS 180-4, section 4.2.3).
 */
static const SHA_LONG64 K512[80] = {
	U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
	U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
	U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
	U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
	U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
	U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
	U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
	U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
	U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
	U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
	U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
	U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
	U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
	U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
	U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
	U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
	U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
	U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
	U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
	U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
	U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
	U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
	U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
	U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
	U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
	U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
	U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
	U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
	U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
	U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
	U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
	U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
	U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
	U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
	U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
	U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
	U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
	U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
	U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
	U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
309
/*
 * Optional GNU-C inline-asm primitives.  ROTR(a,n) is a 64-bit rotate
 * right by n; PULL64(x) loads a 64-bit big-endian word from x.
 * Portable C fallbacks are defined after this block for any macro an
 * architecture branch did not provide.
 */
#if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__x86_64) || defined(__x86_64__)
/* x86-64: rorq for rotates, bswapq for byte-order loads. */
# define ROTR(a,n)	({ SHA_LONG64 ret;		\
				asm ("rorq %1,%0"	\
				: "=r"(ret)		\
				: "J"(n),"0"(a)		\
				: "cc"); ret;		})
# define PULL64(x)	({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));	\
				asm ("bswapq %0"	\
				: "=r"(ret)		\
				: "0"(ret)); ret;	})
# elif (defined(__i386) || defined(__i386__))
/* i386: byte-swap the two 32-bit halves and recombine. */
# define PULL64(x)	({ const unsigned int *p=(const unsigned int *)(&(x));	\
			 unsigned int hi=p[0],lo=p[1];		\
				asm ("bswapl %0; bswapl %1;"	\
				: "=r"(lo),"=r"(hi)		\
				: "0"(lo),"1"(hi));		\
			((SHA_LONG64)hi)<<32|lo;	})
# elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
/* 64-bit PowerPC: native rotrdi; loads are big-endian already. */
# define ROTR(a,n)	({ SHA_LONG64 ret;		\
				asm ("rotrdi %0,%1,%2"	\
				: "=r"(ret)		\
				: "r"(a),"K"(n)); ret;	})
# endif
#endif

#ifndef PULL64
/* Portable big-endian load: assemble the word byte by byte. */
#define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
#define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
#endif

#ifndef ROTR
/* Portable 64-bit rotate right (s in 1..63). */
#define ROTR(x,s)	(((x)>>s) | (x)<<(64-s))
#endif

/* The SHA-384/512 logical functions of FIPS 180-4, section 4.1.3. */
#define Sigma0(x)	(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
#define Sigma1(x)	(ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
#define sigma0(x)	(ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
#define sigma1(x)	(ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))

#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
352
353
354 #if defined(__i386) || defined(__i386__) || defined(_M_IX86)
355 /*
356 * This code should give better results on 32-bit CPU with less than
357 * ~24 registers, both size and performance wise...
358 */
/*
 * Register-starved (32-bit) variant of the block transform.  Instead
 * of keeping the eight working variables a..h in locals, a sliding
 * window F into the X[] array holds six of them; each round stores the
 * new values and slides the window down (F--) rather than shuffling
 * eight variables.  X[] also carries the 80-entry message schedule:
 * F[8] holds the current schedule word, so F[8+16-k] reaches back k
 * rounds for the sigma0/sigma1 recurrence.
 */
static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
	{
	const SHA_LONG64 *W=in;
	SHA_LONG64 A,E,T;
	SHA_LONG64 X[9+80],*F;
	int i;

	while (num--) {

	F    = X+80;
	/* Only A and E change every round; the rest live in the window. */
	A    = ctx->h[0];	F[1] = ctx->h[1];
	F[2] = ctx->h[2];	F[3] = ctx->h[3];
	E    = ctx->h[4];	F[5] = ctx->h[5];
	F[6] = ctx->h[6];	F[7] = ctx->h[7];

	/* Rounds 0..15: schedule words come straight from the input. */
	for (i=0;i<16;i++,F--)
		{
		T = PULL64(W[i]);
		F[0] = A;
		F[4] = E;
		F[8] = T;
		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
		E    = F[3] + T;
		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
		}

	/* Rounds 16..79: schedule words computed by the recurrence
	 * W[i] = sigma1(W[i-2]) + W[i-7] + sigma0(W[i-15]) + W[i-16]. */
	for (;i<80;i++,F--)
		{
		T  = sigma0(F[8+16-1]);
		T += sigma1(F[8+16-14]);
		T += F[8+16] + F[8+16-9];

		F[0] = A;
		F[4] = E;
		F[8] = T;
		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
		E    = F[3] + T;
		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
		}

	/* Fold the working variables back into the chaining state. */
	ctx->h[0] += A;		ctx->h[1] += F[1];
	ctx->h[2] += F[2];	ctx->h[3] += F[3];
	ctx->h[4] += E;		ctx->h[5] += F[5];
	ctx->h[6] += F[6];	ctx->h[7] += F[7];

	W+=SHA_LBLOCK;
	}
	}
407
408 #elif defined(OPENSSL_SMALL_FOOTPRINT)
409
/*
 * Compact (OPENSSL_SMALL_FOOTPRINT) variant of the block transform:
 * straight FIPS 180-4 section 6.4.2 with a rolling 16-word schedule
 * X[] indexed modulo 16, trading speed for code size.
 */
static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
	{
	const SHA_LONG64 *W=in;
	SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1,T2;
	SHA_LONG64 X[16];
	int i;

	while (num--) {

	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];

	/* Rounds 0..15: load (and byte-swap if needed) the input block. */
	for (i=0;i<16;i++)
		{
#if BYTE_ORDER == BIG_ENDIAN
		T1 = X[i] = W[i];
#else
		T1 = X[i] = PULL64(W[i]);
#endif
		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
		T2 = Sigma0(a) + Maj(a,b,c);
		h = g;	g = f;	f = e;	e = d + T1;
		d = c;	c = b;	b = a;	a = T1 + T2;
		}

	/* Rounds 16..79: extend the schedule in place, modulo 16. */
	for (;i<80;i++)
		{
		s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);
		s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);

		T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
		T2 = Sigma0(a) + Maj(a,b,c);
		h = g;	g = f;	f = e;	e = d + T1;
		d = c;	c = b;	b = a;	a = T1 + T2;
		}

	/* Fold the working variables back into the chaining state. */
	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;

	W+=SHA_LBLOCK;
	}
	}
453
454 #else
455
/*
 * One SHA-512 round.  T1 must already hold the schedule word W[i] on
 * entry; the caller rotates the role of a..h between invocations
 * instead of shuffling values (note h receives T2 and then T1).
 */
#define ROUND_00_15(i,a,b,c,d,e,f,g,h)		do {	\
	T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];	\
	h = Sigma0(a) + Maj(a,b,c);			\
	d += T1;	h += T1;		} while (0)

/*
 * Rounds 16..79: first extend the rolling 16-word schedule X[] in
 * place (indices modulo 16), then perform the round on X[j].
 */
#define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X)	do {	\
	s0 = X[(j+1)&0x0f];	s0 = sigma0(s0);	\
	s1 = X[(j+14)&0x0f];	s1 = sigma1(s1);	\
	T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f];	\
	ROUND_00_15(i+j,a,b,c,d,e,f,g,h);	} while (0)
466
/*
 * Default block transform: rounds unrolled 16 at a time.  Rotating the
 * a..h macro arguments between consecutive ROUND invocations replaces
 * the per-round variable shuffle with pure register renaming.
 */
static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
	{
	const SHA_LONG64 *W=in;
	SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1;
	SHA_LONG64 X[16];
	int i;

	while (num--) {

	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];

	/* Rounds 0..15: load the input block into the schedule (with a
	 * byte swap on little-endian hosts) and run one round each. */
#if BYTE_ORDER == BIG_ENDIAN
	T1 = X[0] = W[0];	ROUND_00_15(0,a,b,c,d,e,f,g,h);
	T1 = X[1] = W[1];	ROUND_00_15(1,h,a,b,c,d,e,f,g);
	T1 = X[2] = W[2];	ROUND_00_15(2,g,h,a,b,c,d,e,f);
	T1 = X[3] = W[3];	ROUND_00_15(3,f,g,h,a,b,c,d,e);
	T1 = X[4] = W[4];	ROUND_00_15(4,e,f,g,h,a,b,c,d);
	T1 = X[5] = W[5];	ROUND_00_15(5,d,e,f,g,h,a,b,c);
	T1 = X[6] = W[6];	ROUND_00_15(6,c,d,e,f,g,h,a,b);
	T1 = X[7] = W[7];	ROUND_00_15(7,b,c,d,e,f,g,h,a);
	T1 = X[8] = W[8];	ROUND_00_15(8,a,b,c,d,e,f,g,h);
	T1 = X[9] = W[9];	ROUND_00_15(9,h,a,b,c,d,e,f,g);
	T1 = X[10] = W[10];	ROUND_00_15(10,g,h,a,b,c,d,e,f);
	T1 = X[11] = W[11];	ROUND_00_15(11,f,g,h,a,b,c,d,e);
	T1 = X[12] = W[12];	ROUND_00_15(12,e,f,g,h,a,b,c,d);
	T1 = X[13] = W[13];	ROUND_00_15(13,d,e,f,g,h,a,b,c);
	T1 = X[14] = W[14];	ROUND_00_15(14,c,d,e,f,g,h,a,b);
	T1 = X[15] = W[15];	ROUND_00_15(15,b,c,d,e,f,g,h,a);
#else
	T1 = X[0] = PULL64(W[0]);	ROUND_00_15(0,a,b,c,d,e,f,g,h);
	T1 = X[1] = PULL64(W[1]);	ROUND_00_15(1,h,a,b,c,d,e,f,g);
	T1 = X[2] = PULL64(W[2]);	ROUND_00_15(2,g,h,a,b,c,d,e,f);
	T1 = X[3] = PULL64(W[3]);	ROUND_00_15(3,f,g,h,a,b,c,d,e);
	T1 = X[4] = PULL64(W[4]);	ROUND_00_15(4,e,f,g,h,a,b,c,d);
	T1 = X[5] = PULL64(W[5]);	ROUND_00_15(5,d,e,f,g,h,a,b,c);
	T1 = X[6] = PULL64(W[6]);	ROUND_00_15(6,c,d,e,f,g,h,a,b);
	T1 = X[7] = PULL64(W[7]);	ROUND_00_15(7,b,c,d,e,f,g,h,a);
	T1 = X[8] = PULL64(W[8]);	ROUND_00_15(8,a,b,c,d,e,f,g,h);
	T1 = X[9] = PULL64(W[9]);	ROUND_00_15(9,h,a,b,c,d,e,f,g);
	T1 = X[10] = PULL64(W[10]);	ROUND_00_15(10,g,h,a,b,c,d,e,f);
	T1 = X[11] = PULL64(W[11]);	ROUND_00_15(11,f,g,h,a,b,c,d,e);
	T1 = X[12] = PULL64(W[12]);	ROUND_00_15(12,e,f,g,h,a,b,c,d);
	T1 = X[13] = PULL64(W[13]);	ROUND_00_15(13,d,e,f,g,h,a,b,c);
	T1 = X[14] = PULL64(W[14]);	ROUND_00_15(14,c,d,e,f,g,h,a,b);
	T1 = X[15] = PULL64(W[15]);	ROUND_00_15(15,b,c,d,e,f,g,h,a);
#endif

	/* Rounds 16..79, sixteen per iteration, schedule extended by
	 * ROUND_16_80 in the rolling X[] buffer. */
	for (i=16;i<80;i+=16)
		{
		ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X);
		ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X);
		ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X);
		ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X);
		ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X);
		ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X);
		ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X);
		ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X);
		ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X);
		ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X);
		ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X);
		ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X);
		ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X);
		ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X);
		ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X);
		ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X);
		}

	/* Fold the working variables back into the chaining state. */
	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;

	W+=SHA_LBLOCK;
	}
	}
541
542 #endif
543
544 #endif /* SHA512_ASM */
545
546 #endif /* !OPENSSL_NO_SHA512 */
547