1 /* crypto/sha/sha512.c */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found in ../../LICENSE].
5 * ====================================================================
6 */
7 #include <openssl/opensslconf.h>
8 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
9 /*
10 * IMPLEMENTATION NOTES.
11 *
12 * As you might have noticed 32-bit hash algorithms:
13 *
14 * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
15 * - optimized versions implement two transform functions: one operating
16 * on [aligned] data in host byte order and one - on data in input
17 * stream byte order;
18 * - share common byte-order neutral collector and padding function
19 * implementations, ../md32_common.h;
20 *
21 * Neither of the above applies to this SHA-512 implementations. Reasons
22 * [in reverse order] are:
23 *
24 * - it's the only 64-bit hash algorithm for the moment of this writing,
25 * there is no need for common collector/padding implementation [yet];
26 * - by supporting only one transform function [which operates on
27 * *aligned* data in input stream byte order, big-endian in this case]
28 * we minimize burden of maintenance in two ways: a) collector/padding
29 * function is simpler; b) only one transform function to stare at;
30 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
31 * apply a number of optimizations to mitigate potential performance
32 * penalties caused by previous design decision;
33 *
34 * Caveat lector.
35 *
36 * Implementation relies on the fact that "long long" is 64-bit on
37 * both 32- and 64-bit platforms. If some compiler vendor comes up
38 * with 128-bit long long, adjustment to sha.h would be required.
39 * As this implementation relies on 64-bit integer type, it's totally
40 * inappropriate for platforms which don't support it, most notably
41 * 16-bit platforms.
42 * <appro@fy.chalmers.se>
43 */
44 #include <stdlib.h>
45 #include <string.h>
46
47 #include <openssl/crypto.h>
48 #include <openssl/sha.h>
49 #include <openssl/opensslv.h>
50
51 #include "cryptlib.h"
52
53 const char *SHA512_version="SHA-512" OPENSSL_VERSION_PTEXT;
54
55 #if defined(_M_IX86) || defined(_M_AMD64) || defined(__i386) || defined(__x86_64)
56 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
57 #endif
58
SHA384_Init(SHA512_CTX * c)59 int SHA384_Init (SHA512_CTX *c)
60 {
61 c->h[0]=U64(0xcbbb9d5dc1059ed8);
62 c->h[1]=U64(0x629a292a367cd507);
63 c->h[2]=U64(0x9159015a3070dd17);
64 c->h[3]=U64(0x152fecd8f70e5939);
65 c->h[4]=U64(0x67332667ffc00b31);
66 c->h[5]=U64(0x8eb44a8768581511);
67 c->h[6]=U64(0xdb0c2e0d64f98fa7);
68 c->h[7]=U64(0x47b5481dbefa4fa4);
69 c->Nl=0; c->Nh=0;
70 c->num=0; c->md_len=SHA384_DIGEST_LENGTH;
71 return 1;
72 }
73
SHA512_Init(SHA512_CTX * c)74 int SHA512_Init (SHA512_CTX *c)
75 {
76 c->h[0]=U64(0x6a09e667f3bcc908);
77 c->h[1]=U64(0xbb67ae8584caa73b);
78 c->h[2]=U64(0x3c6ef372fe94f82b);
79 c->h[3]=U64(0xa54ff53a5f1d36f1);
80 c->h[4]=U64(0x510e527fade682d1);
81 c->h[5]=U64(0x9b05688c2b3e6c1f);
82 c->h[6]=U64(0x1f83d9abfb41bd6b);
83 c->h[7]=U64(0x5be0cd19137e2179);
84 c->Nl=0; c->Nh=0;
85 c->num=0; c->md_len=SHA512_DIGEST_LENGTH;
86 return 1;
87 }
88
89 #ifndef SHA512_ASM
90 static
91 #endif
92 void sha512_block (SHA512_CTX *ctx, const void *in, size_t num);
93
SHA512_Final(unsigned char * md,SHA512_CTX * c)94 int SHA512_Final (unsigned char *md, SHA512_CTX *c)
95 {
96 unsigned char *p=(unsigned char *)c->u.p;
97 size_t n=c->num;
98
99 p[n]=0x80; /* There always is a room for one */
100 n++;
101 if (n > (sizeof(c->u)-16))
102 memset (p+n,0,sizeof(c->u)-n), n=0,
103 sha512_block (c,p,1);
104
105 memset (p+n,0,sizeof(c->u)-16-n);
106 #ifdef B_ENDIAN
107 c->u.d[SHA_LBLOCK-2] = c->Nh;
108 c->u.d[SHA_LBLOCK-1] = c->Nl;
109 #else
110 p[sizeof(c->u)-1] = (unsigned char)(c->Nl);
111 p[sizeof(c->u)-2] = (unsigned char)(c->Nl>>8);
112 p[sizeof(c->u)-3] = (unsigned char)(c->Nl>>16);
113 p[sizeof(c->u)-4] = (unsigned char)(c->Nl>>24);
114 p[sizeof(c->u)-5] = (unsigned char)(c->Nl>>32);
115 p[sizeof(c->u)-6] = (unsigned char)(c->Nl>>40);
116 p[sizeof(c->u)-7] = (unsigned char)(c->Nl>>48);
117 p[sizeof(c->u)-8] = (unsigned char)(c->Nl>>56);
118 p[sizeof(c->u)-9] = (unsigned char)(c->Nh);
119 p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
120 p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
121 p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
122 p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
123 p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
124 p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
125 p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
126 #endif
127
128 sha512_block (c,p,1);
129
130 if (md==0) return 0;
131
132 switch (c->md_len)
133 {
134 /* Let compiler decide if it's appropriate to unroll... */
135 case SHA384_DIGEST_LENGTH:
136 for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
137 {
138 SHA_LONG64 t = c->h[n];
139
140 *(md++) = (unsigned char)(t>>56);
141 *(md++) = (unsigned char)(t>>48);
142 *(md++) = (unsigned char)(t>>40);
143 *(md++) = (unsigned char)(t>>32);
144 *(md++) = (unsigned char)(t>>24);
145 *(md++) = (unsigned char)(t>>16);
146 *(md++) = (unsigned char)(t>>8);
147 *(md++) = (unsigned char)(t);
148 }
149 break;
150 case SHA512_DIGEST_LENGTH:
151 for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
152 {
153 SHA_LONG64 t = c->h[n];
154
155 *(md++) = (unsigned char)(t>>56);
156 *(md++) = (unsigned char)(t>>48);
157 *(md++) = (unsigned char)(t>>40);
158 *(md++) = (unsigned char)(t>>32);
159 *(md++) = (unsigned char)(t>>24);
160 *(md++) = (unsigned char)(t>>16);
161 *(md++) = (unsigned char)(t>>8);
162 *(md++) = (unsigned char)(t);
163 }
164 break;
165 /* ... as well as make sure md_len is not abused. */
166 default: return 0;
167 }
168
169 return 1;
170 }
171
SHA384_Final(unsigned char * md,SHA512_CTX * c)172 int SHA384_Final (unsigned char *md,SHA512_CTX *c)
173 { return SHA512_Final (md,c); }
174
SHA512_Update(SHA512_CTX * c,const void * _data,size_t len)175 int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
176 {
177 SHA_LONG64 l;
178 unsigned char *p=c->u.p;
179 const unsigned char *data=(const unsigned char *)_data;
180
181 if (len==0) return 1;
182
183 l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
184 if (l < c->Nl) c->Nh++;
185 if (sizeof(len)>=8) c->Nh+=(((SHA_LONG64)len)>>61);
186 c->Nl=l;
187
188 if (c->num != 0)
189 {
190 size_t n = sizeof(c->u) - c->num;
191
192 if (len < n)
193 {
194 memcpy (p+c->num,data,len), c->num += len;
195 return 1;
196 }
197 else {
198 memcpy (p+c->num,data,n), c->num = 0;
199 len-=n, data+=n;
200 sha512_block (c,p,1);
201 }
202 }
203
204 if (len >= sizeof(c->u))
205 {
206 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
207 if ((size_t)data%sizeof(c->u.d[0]) != 0)
208 while (len >= sizeof(c->u))
209 memcpy (p,data,sizeof(c->u)),
210 sha512_block (c,p,1),
211 len -= sizeof(c->u),
212 data += sizeof(c->u);
213 else
214 #endif
215 sha512_block (c,data,len/sizeof(c->u)),
216 data += len,
217 len %= sizeof(c->u),
218 data -= len;
219 }
220
221 if (len != 0) memcpy (p,data,len), c->num = (int)len;
222
223 return 1;
224 }
225
SHA384_Update(SHA512_CTX * c,const void * data,size_t len)226 int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
227 { return SHA512_Update (c,data,len); }
228
SHA512_Transform(SHA512_CTX * c,const unsigned char * data)229 void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
230 { sha512_block (c,data,1); }
231
SHA384(const unsigned char * d,size_t n,unsigned char * md)232 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
233 {
234 SHA512_CTX c;
235 static unsigned char m[SHA384_DIGEST_LENGTH];
236
237 if (md == NULL) md=m;
238 SHA384_Init(&c);
239 SHA512_Update(&c,d,n);
240 SHA512_Final(md,&c);
241 OPENSSL_cleanse(&c,sizeof(c));
242 return(md);
243 }
244
SHA512(const unsigned char * d,size_t n,unsigned char * md)245 unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
246 {
247 SHA512_CTX c;
248 static unsigned char m[SHA512_DIGEST_LENGTH];
249
250 if (md == NULL) md=m;
251 SHA512_Init(&c);
252 SHA512_Update(&c,d,n);
253 SHA512_Final(md,&c);
254 OPENSSL_cleanse(&c,sizeof(c));
255 return(md);
256 }
257
258 #ifndef SHA512_ASM
259 static const SHA_LONG64 K512[80] = {
260 U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
261 U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
262 U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
263 U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
264 U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
265 U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
266 U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
267 U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
268 U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
269 U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
270 U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
271 U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
272 U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
273 U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
274 U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
275 U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
276 U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
277 U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
278 U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
279 U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
280 U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
281 U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
282 U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
283 U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
284 U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
285 U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
286 U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
287 U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
288 U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
289 U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
290 U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
291 U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
292 U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
293 U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
294 U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
295 U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
296 U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
297 U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
298 U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
299 U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
300
301 #ifndef PEDANTIC
302 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
303 # if defined(__x86_64) || defined(__x86_64__)
304 # define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x))); \
305 asm ("bswapq %0" \
306 : "=r"(ret) \
307 : "0"(ret)); ret; })
308 # endif
309 # endif
310 #endif
311
312 #ifndef PULL64
313 #define B(x,j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
314 #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
315 #endif
316
317 #ifndef PEDANTIC
318 # if defined(_MSC_VER)
319 # if defined(_WIN64) /* applies to both IA-64 and AMD64 */
320 # define ROTR(a,n) _rotr64((a),n)
321 # endif
322 # elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
323 # if defined(__x86_64) || defined(__x86_64__)
324 # define ROTR(a,n) ({ unsigned long ret; \
325 asm ("rorq %1,%0" \
326 : "=r"(ret) \
327 : "J"(n),"0"(a) \
328 : "cc"); ret; })
329 # elif defined(_ARCH_PPC) && defined(__64BIT__)
330 # define ROTR(a,n) ({ unsigned long ret; \
331 asm ("rotrdi %0,%1,%2" \
332 : "=r"(ret) \
333 : "r"(a),"K"(n)); ret; })
334 # endif
335 # endif
336 #endif
337
338 #ifndef ROTR
339 #define ROTR(x,s) (((x)>>s) | (x)<<(64-s))
340 #endif
341
342 #define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
343 #define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
344 #define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
345 #define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
346
347 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
348 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
349
350 #if defined(OPENSSL_IA32_SSE2) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
351 #define GO_FOR_SSE2(ctx,in,num) do { \
352 void sha512_block_sse2(void *,const void *,size_t); \
353 if (!(OPENSSL_ia32cap_P & (1<<26))) break; \
354 sha512_block_sse2(ctx->h,in,num); return; \
355 } while (0)
356 #endif
357
358 #ifdef OPENSSL_SMALL_FOOTPRINT
359
sha512_block(SHA512_CTX * ctx,const void * in,size_t num)360 static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
361 {
362 const SHA_LONG64 *W=in;
363 SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1,T2;
364 SHA_LONG64 X[16];
365 int i;
366
367 #ifdef GO_FOR_SSE2
368 GO_FOR_SSE2(ctx,in,num);
369 #endif
370
371 while (num--) {
372
373 a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
374 e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
375
376 for (i=0;i<16;i++)
377 {
378 #ifdef B_ENDIAN
379 T1 = X[i] = W[i];
380 #else
381 T1 = X[i] = PULL64(W[i]);
382 #endif
383 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
384 T2 = Sigma0(a) + Maj(a,b,c);
385 h = g; g = f; f = e; e = d + T1;
386 d = c; c = b; b = a; a = T1 + T2;
387 }
388
389 for (;i<80;i++)
390 {
391 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0);
392 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1);
393
394 T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
395 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
396 T2 = Sigma0(a) + Maj(a,b,c);
397 h = g; g = f; f = e; e = d + T1;
398 d = c; c = b; b = a; a = T1 + T2;
399 }
400
401 ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
402 ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
403
404 W+=SHA_LBLOCK;
405 }
406 }
407
408 #else
409
410 #define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
411 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; \
412 h = Sigma0(a) + Maj(a,b,c); \
413 d += T1; h += T1; } while (0)
414
415 #define ROUND_16_80(i,a,b,c,d,e,f,g,h,X) do { \
416 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
417 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
418 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
419 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
420
sha512_block(SHA512_CTX * ctx,const void * in,size_t num)421 static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
422 {
423 const SHA_LONG64 *W=in;
424 SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1;
425 SHA_LONG64 X[16];
426 int i;
427
428 #ifdef GO_FOR_SSE2
429 GO_FOR_SSE2(ctx,in,num);
430 #endif
431
432 while (num--) {
433
434 a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
435 e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
436
437 #ifdef B_ENDIAN
438 T1 = X[0] = W[0]; ROUND_00_15(0,a,b,c,d,e,f,g,h);
439 T1 = X[1] = W[1]; ROUND_00_15(1,h,a,b,c,d,e,f,g);
440 T1 = X[2] = W[2]; ROUND_00_15(2,g,h,a,b,c,d,e,f);
441 T1 = X[3] = W[3]; ROUND_00_15(3,f,g,h,a,b,c,d,e);
442 T1 = X[4] = W[4]; ROUND_00_15(4,e,f,g,h,a,b,c,d);
443 T1 = X[5] = W[5]; ROUND_00_15(5,d,e,f,g,h,a,b,c);
444 T1 = X[6] = W[6]; ROUND_00_15(6,c,d,e,f,g,h,a,b);
445 T1 = X[7] = W[7]; ROUND_00_15(7,b,c,d,e,f,g,h,a);
446 T1 = X[8] = W[8]; ROUND_00_15(8,a,b,c,d,e,f,g,h);
447 T1 = X[9] = W[9]; ROUND_00_15(9,h,a,b,c,d,e,f,g);
448 T1 = X[10] = W[10]; ROUND_00_15(10,g,h,a,b,c,d,e,f);
449 T1 = X[11] = W[11]; ROUND_00_15(11,f,g,h,a,b,c,d,e);
450 T1 = X[12] = W[12]; ROUND_00_15(12,e,f,g,h,a,b,c,d);
451 T1 = X[13] = W[13]; ROUND_00_15(13,d,e,f,g,h,a,b,c);
452 T1 = X[14] = W[14]; ROUND_00_15(14,c,d,e,f,g,h,a,b);
453 T1 = X[15] = W[15]; ROUND_00_15(15,b,c,d,e,f,g,h,a);
454 #else
455 T1 = X[0] = PULL64(W[0]); ROUND_00_15(0,a,b,c,d,e,f,g,h);
456 T1 = X[1] = PULL64(W[1]); ROUND_00_15(1,h,a,b,c,d,e,f,g);
457 T1 = X[2] = PULL64(W[2]); ROUND_00_15(2,g,h,a,b,c,d,e,f);
458 T1 = X[3] = PULL64(W[3]); ROUND_00_15(3,f,g,h,a,b,c,d,e);
459 T1 = X[4] = PULL64(W[4]); ROUND_00_15(4,e,f,g,h,a,b,c,d);
460 T1 = X[5] = PULL64(W[5]); ROUND_00_15(5,d,e,f,g,h,a,b,c);
461 T1 = X[6] = PULL64(W[6]); ROUND_00_15(6,c,d,e,f,g,h,a,b);
462 T1 = X[7] = PULL64(W[7]); ROUND_00_15(7,b,c,d,e,f,g,h,a);
463 T1 = X[8] = PULL64(W[8]); ROUND_00_15(8,a,b,c,d,e,f,g,h);
464 T1 = X[9] = PULL64(W[9]); ROUND_00_15(9,h,a,b,c,d,e,f,g);
465 T1 = X[10] = PULL64(W[10]); ROUND_00_15(10,g,h,a,b,c,d,e,f);
466 T1 = X[11] = PULL64(W[11]); ROUND_00_15(11,f,g,h,a,b,c,d,e);
467 T1 = X[12] = PULL64(W[12]); ROUND_00_15(12,e,f,g,h,a,b,c,d);
468 T1 = X[13] = PULL64(W[13]); ROUND_00_15(13,d,e,f,g,h,a,b,c);
469 T1 = X[14] = PULL64(W[14]); ROUND_00_15(14,c,d,e,f,g,h,a,b);
470 T1 = X[15] = PULL64(W[15]); ROUND_00_15(15,b,c,d,e,f,g,h,a);
471 #endif
472
473 for (i=16;i<80;i+=8)
474 {
475 ROUND_16_80(i+0,a,b,c,d,e,f,g,h,X);
476 ROUND_16_80(i+1,h,a,b,c,d,e,f,g,X);
477 ROUND_16_80(i+2,g,h,a,b,c,d,e,f,X);
478 ROUND_16_80(i+3,f,g,h,a,b,c,d,e,X);
479 ROUND_16_80(i+4,e,f,g,h,a,b,c,d,X);
480 ROUND_16_80(i+5,d,e,f,g,h,a,b,c,X);
481 ROUND_16_80(i+6,c,d,e,f,g,h,a,b,X);
482 ROUND_16_80(i+7,b,c,d,e,f,g,h,a,X);
483 }
484
485 ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
486 ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
487
488 W+=SHA_LBLOCK;
489 }
490 }
491
492 #endif
493
494 #endif /* SHA512_ASM */
495
496 #endif /* OPENSSL_NO_SHA512 */
497