GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libcrypto/crypto/../../libssl/src/crypto/sha/sha512.c Lines: 92 108 85.2 %
Date: 2016-12-06 Branches: 19 27 70.4 %

Line Branch Exec Source
1
/* $OpenBSD: sha512.c,v 1.14 2015/09/10 15:56:26 jsing Exp $ */
2
/* ====================================================================
3
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
4
 * according to the OpenSSL license [found in ../../LICENSE].
5
 * ====================================================================
6
 */
7
8
#include <machine/endian.h>
9
10
#include <stdlib.h>
11
#include <string.h>
12
13
#include <openssl/opensslconf.h>
14
15
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
16
/*
17
 * IMPLEMENTATION NOTES.
18
 *
19
 * As you might have noticed 32-bit hash algorithms:
20
 *
21
 * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
22
 * - optimized versions implement two transform functions: one operating
23
 *   on [aligned] data in host byte order and one - on data in input
24
 *   stream byte order;
25
 * - share common byte-order neutral collector and padding function
26
 *   implementations, ../md32_common.h;
27
 *
28
 * Neither of the above applies to this SHA-512 implementations. Reasons
29
 * [in reverse order] are:
30
 *
31
 * - it's the only 64-bit hash algorithm for the moment of this writing,
32
 *   there is no need for common collector/padding implementation [yet];
33
 * - by supporting only one transform function [which operates on
34
 *   *aligned* data in input stream byte order, big-endian in this case]
35
 *   we minimize burden of maintenance in two ways: a) collector/padding
36
 *   function is simpler; b) only one transform function to stare at;
37
 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
38
 *   apply a number of optimizations to mitigate potential performance
39
 *   penalties caused by previous design decision;
40
 *
41
 * Caveat lector.
42
 *
43
 * Implementation relies on the fact that "long long" is 64-bit on
44
 * both 32- and 64-bit platforms. If some compiler vendor comes up
45
 * with 128-bit long long, adjustment to sha.h would be required.
46
 * As this implementation relies on 64-bit integer type, it's totally
47
 * inappropriate for platforms which don't support it, most notably
48
 * 16-bit platforms.
49
 *					<appro@fy.chalmers.se>
50
 */
51
52
#include <openssl/crypto.h>
53
#include <openssl/opensslv.h>
54
#include <openssl/sha.h>
55
56
#if !defined(__STRICT_ALIGNMENT) || defined(SHA512_ASM)
57
#define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
58
#endif
59
60
int SHA384_Init(SHA512_CTX *c)
61
7
	{
62
7
	c->h[0]=U64(0xcbbb9d5dc1059ed8);
63
7
	c->h[1]=U64(0x629a292a367cd507);
64
7
	c->h[2]=U64(0x9159015a3070dd17);
65
7
	c->h[3]=U64(0x152fecd8f70e5939);
66
7
	c->h[4]=U64(0x67332667ffc00b31);
67
7
	c->h[5]=U64(0x8eb44a8768581511);
68
7
	c->h[6]=U64(0xdb0c2e0d64f98fa7);
69
7
	c->h[7]=U64(0x47b5481dbefa4fa4);
70
71
7
        c->Nl=0;        c->Nh=0;
72
7
        c->num=0;       c->md_len=SHA384_DIGEST_LENGTH;
73
7
        return 1;
74
	}
75
76
int SHA512_Init(SHA512_CTX *c)
77
17
	{
78
17
	c->h[0]=U64(0x6a09e667f3bcc908);
79
17
	c->h[1]=U64(0xbb67ae8584caa73b);
80
17
	c->h[2]=U64(0x3c6ef372fe94f82b);
81
17
	c->h[3]=U64(0xa54ff53a5f1d36f1);
82
17
	c->h[4]=U64(0x510e527fade682d1);
83
17
	c->h[5]=U64(0x9b05688c2b3e6c1f);
84
17
	c->h[6]=U64(0x1f83d9abfb41bd6b);
85
17
	c->h[7]=U64(0x5be0cd19137e2179);
86
87
17
        c->Nl=0;        c->Nh=0;
88
17
        c->num=0;       c->md_len=SHA512_DIGEST_LENGTH;
89
17
        return 1;
90
	}
91
92
#ifndef SHA512_ASM
93
static
94
#endif
95
void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num);
96
97
int SHA512_Final (unsigned char *md, SHA512_CTX *c)
98
24596
	{
99
24596
	unsigned char *p=(unsigned char *)c->u.p;
100
24596
	size_t n=c->num;
101
102
24596
	p[n]=0x80;	/* There always is a room for one */
103
24596
	n++;
104
24596
	if (n > (sizeof(c->u)-16))
105
4
		memset (p+n,0,sizeof(c->u)-n), n=0,
106
		sha512_block_data_order (c,p,1);
107
108
24596
	memset (p+n,0,sizeof(c->u)-16-n);
109
#if BYTE_ORDER == BIG_ENDIAN
110
	c->u.d[SHA_LBLOCK-2] = c->Nh;
111
	c->u.d[SHA_LBLOCK-1] = c->Nl;
112
#else
113
24596
	p[sizeof(c->u)-1]  = (unsigned char)(c->Nl);
114
24596
	p[sizeof(c->u)-2]  = (unsigned char)(c->Nl>>8);
115
24596
	p[sizeof(c->u)-3]  = (unsigned char)(c->Nl>>16);
116
24596
	p[sizeof(c->u)-4]  = (unsigned char)(c->Nl>>24);
117
24596
	p[sizeof(c->u)-5]  = (unsigned char)(c->Nl>>32);
118
24596
	p[sizeof(c->u)-6]  = (unsigned char)(c->Nl>>40);
119
24596
	p[sizeof(c->u)-7]  = (unsigned char)(c->Nl>>48);
120
24596
	p[sizeof(c->u)-8]  = (unsigned char)(c->Nl>>56);
121
24596
	p[sizeof(c->u)-9]  = (unsigned char)(c->Nh);
122
24596
	p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
123
24596
	p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
124
24596
	p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
125
24596
	p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
126
24596
	p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
127
24596
	p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
128
24596
	p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
129
#endif
130
131
24596
	sha512_block_data_order (c,p,1);
132
133
24596
	if (md==0) return 0;
134
135
24596
	switch (c->md_len)
136
		{
137
		/* Let compiler decide if it's appropriate to unroll... */
138
		case SHA384_DIGEST_LENGTH:
139
49
			for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
140
				{
141
42
				SHA_LONG64 t = c->h[n];
142
143
42
				*(md++)	= (unsigned char)(t>>56);
144
42
				*(md++)	= (unsigned char)(t>>48);
145
42
				*(md++)	= (unsigned char)(t>>40);
146
42
				*(md++)	= (unsigned char)(t>>32);
147
42
				*(md++)	= (unsigned char)(t>>24);
148
42
				*(md++)	= (unsigned char)(t>>16);
149
42
				*(md++)	= (unsigned char)(t>>8);
150
42
				*(md++)	= (unsigned char)(t);
151
				}
152
			break;
153
		case SHA512_DIGEST_LENGTH:
154
221301
			for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
155
				{
156
196712
				SHA_LONG64 t = c->h[n];
157
158
196712
				*(md++)	= (unsigned char)(t>>56);
159
196712
				*(md++)	= (unsigned char)(t>>48);
160
196712
				*(md++)	= (unsigned char)(t>>40);
161
196712
				*(md++)	= (unsigned char)(t>>32);
162
196712
				*(md++)	= (unsigned char)(t>>24);
163
196712
				*(md++)	= (unsigned char)(t>>16);
164
196712
				*(md++)	= (unsigned char)(t>>8);
165
196712
				*(md++)	= (unsigned char)(t);
166
				}
167
			break;
168
		/* ... as well as make sure md_len is not abused. */
169
		default:	return 0;
170
		}
171
172
24596
	return 1;
173
	}
174
175
int SHA384_Final (unsigned char *md,SHA512_CTX *c)
176
{   return SHA512_Final (md,c);   }
177
178
int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
179
43711
	{
180
	SHA_LONG64	l;
181
43711
	unsigned char  *p=c->u.p;
182
43711
	const unsigned char *data=(const unsigned char *)_data;
183
184
43711
	if (len==0) return  1;
185
186
43711
	l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
187
43711
	if (l < c->Nl)		c->Nh++;
188
43711
	if (sizeof(len)>=8)	c->Nh+=(((SHA_LONG64)len)>>61);
189
43711
	c->Nl=l;
190
191
43711
	if (c->num != 0)
192
		{
193
10425
		size_t n = sizeof(c->u) - c->num;
194
195
10425
		if (len < n)
196
			{
197
7
			memcpy (p+c->num,data,len), c->num += (unsigned int)len;
198
7
			return 1;
199
			}
200
		else	{
201
10418
			memcpy (p+c->num,data,n), c->num = 0;
202
10418
			len-=n, data+=n;
203
10418
			sha512_block_data_order (c,p,1);
204
			}
205
		}
206
207
43704
	if (len >= sizeof(c->u))
208
		{
209
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
210
		if ((size_t)data%sizeof(c->u.d[0]) != 0)
211
			while (len >= sizeof(c->u))
212
				memcpy (p,data,sizeof(c->u)),
213
				sha512_block_data_order (c,p,1),
214
				len  -= sizeof(c->u),
215
				data += sizeof(c->u);
216
		else
217
#endif
218
3484
			sha512_block_data_order (c,data,len/sizeof(c->u)),
219
			data += len,
220
			len  %= sizeof(c->u),
221
			data -= len;
222
		}
223
224
43704
	if (len != 0)	memcpy (p,data,len), c->num = (int)len;
225
226
43704
	return 1;
227
	}
228
229
int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
230
{   return SHA512_Update (c,data,len);   }
231
232
void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
233
	{
234
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
235
	if ((size_t)data%sizeof(c->u.d[0]) != 0)
236
		memcpy(c->u.p,data,sizeof(c->u.p)),
237
		data = c->u.p;
238
#endif
239
	sha512_block_data_order (c,data,1);
240
	}
241
242
unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
243
	{
244
	SHA512_CTX c;
245
	static unsigned char m[SHA384_DIGEST_LENGTH];
246
247
	if (md == NULL) md=m;
248
	SHA384_Init(&c);
249
	SHA512_Update(&c,d,n);
250
	SHA512_Final(md,&c);
251
	explicit_bzero(&c,sizeof(c));
252
	return(md);
253
	}
254
255
unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
256
	{
257
	SHA512_CTX c;
258
	static unsigned char m[SHA512_DIGEST_LENGTH];
259
260
	if (md == NULL) md=m;
261
	SHA512_Init(&c);
262
	SHA512_Update(&c,d,n);
263
	SHA512_Final(md,&c);
264
	explicit_bzero(&c,sizeof(c));
265
	return(md);
266
	}
267
268
#ifndef SHA512_ASM
269
static const SHA_LONG64 K512[80] = {
270
        U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
271
        U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
272
        U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
273
        U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
274
        U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
275
        U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
276
        U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
277
        U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
278
        U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
279
        U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
280
        U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
281
        U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
282
        U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
283
        U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
284
        U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
285
        U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
286
        U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
287
        U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
288
        U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
289
        U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
290
        U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
291
        U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
292
        U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
293
        U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
294
        U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
295
        U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
296
        U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
297
        U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
298
        U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
299
        U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
300
        U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
301
        U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
302
        U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
303
        U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
304
        U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
305
        U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
306
        U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
307
        U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
308
        U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
309
        U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
310
311
#if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
312
# if defined(__x86_64) || defined(__x86_64__)
313
#  define ROTR(a,n)	({ SHA_LONG64 ret;		\
314
				asm ("rorq %1,%0"	\
315
				: "=r"(ret)		\
316
				: "J"(n),"0"(a)		\
317
				: "cc"); ret;		})
318
#   define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));	\
319
				asm ("bswapq	%0"		\
320
				: "=r"(ret)			\
321
				: "0"(ret)); ret;		})
322
# elif (defined(__i386) || defined(__i386__))
323
#  if defined(I386_ONLY)
324
#   define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
325
			 unsigned int hi=p[0],lo=p[1];		\
326
				asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
327
				    "roll $16,%%eax; roll $16,%%edx; "\
328
				    "xchgb %%ah,%%al;xchgb %%dh,%%dl;" \
329
				: "=a"(lo),"=d"(hi)		\
330
				: "0"(lo),"1"(hi) : "cc");	\
331
				((SHA_LONG64)hi)<<32|lo;	})
332
#  else
333
#   define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
334
			 unsigned int hi=p[0],lo=p[1];		\
335
				asm ("bswapl %0; bswapl %1;"	\
336
				: "=r"(lo),"=r"(hi)		\
337
				: "0"(lo),"1"(hi));		\
338
				((SHA_LONG64)hi)<<32|lo;	})
339
#  endif
340
# elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
341
#  define ROTR(a,n)	({ SHA_LONG64 ret;		\
342
				asm ("rotrdi %0,%1,%2"	\
343
				: "=r"(ret)		\
344
				: "r"(a),"K"(n)); ret;	})
345
# endif
346
#endif
347
348
#ifndef PULL64
349
#define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
350
#define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
351
#endif
352
353
#ifndef ROTR
354
#define ROTR(x,s)	(((x)>>s) | (x)<<(64-s))
355
#endif
356
357
#define Sigma0(x)	(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
358
#define Sigma1(x)	(ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
359
#define sigma0(x)	(ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
360
#define sigma1(x)	(ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
361
362
#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
363
#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
364
365
366
#if defined(__i386) || defined(__i386__) || defined(_M_IX86)
367
/*
368
 * This code should give better results on 32-bit CPU with less than
369
 * ~24 registers, both size and performance wise...
370
 */
371
static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
372
	{
373
	const SHA_LONG64 *W=in;
374
	SHA_LONG64	A,E,T;
375
	SHA_LONG64	X[9+80],*F;
376
	int i;
377
378
			while (num--) {
379
380
	F    = X+80;
381
	A    = ctx->h[0];	F[1] = ctx->h[1];
382
	F[2] = ctx->h[2];	F[3] = ctx->h[3];
383
	E    = ctx->h[4];	F[5] = ctx->h[5];
384
	F[6] = ctx->h[6];	F[7] = ctx->h[7];
385
386
	for (i=0;i<16;i++,F--)
387
		{
388
		T = PULL64(W[i]);
389
		F[0] = A;
390
		F[4] = E;
391
		F[8] = T;
392
		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
393
		E    = F[3] + T;
394
		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
395
		}
396
397
	for (;i<80;i++,F--)
398
		{
399
		T    = sigma0(F[8+16-1]);
400
		T   += sigma1(F[8+16-14]);
401
		T   += F[8+16] + F[8+16-9];
402
403
		F[0] = A;
404
		F[4] = E;
405
		F[8] = T;
406
		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
407
		E    = F[3] + T;
408
		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
409
		}
410
411
	ctx->h[0] += A;		ctx->h[1] += F[1];
412
	ctx->h[2] += F[2];	ctx->h[3] += F[3];
413
	ctx->h[4] += E;		ctx->h[5] += F[5];
414
	ctx->h[6] += F[6];	ctx->h[7] += F[7];
415
416
			W+=SHA_LBLOCK;
417
			}
418
	}
419
420
#elif defined(OPENSSL_SMALL_FOOTPRINT)
421
422
static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
423
	{
424
	const SHA_LONG64 *W=in;
425
	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1,T2;
426
	SHA_LONG64	X[16];
427
	int i;
428
429
			while (num--) {
430
431
	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
432
	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
433
434
	for (i=0;i<16;i++)
435
		{
436
#if BYTE_ORDER == BIG_ENDIAN
437
		T1 = X[i] = W[i];
438
#else
439
		T1 = X[i] = PULL64(W[i]);
440
#endif
441
		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
442
		T2 = Sigma0(a) + Maj(a,b,c);
443
		h = g;	g = f;	f = e;	e = d + T1;
444
		d = c;	c = b;	b = a;	a = T1 + T2;
445
		}
446
447
	for (;i<80;i++)
448
		{
449
		s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);
450
		s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);
451
452
		T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
453
		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
454
		T2 = Sigma0(a) + Maj(a,b,c);
455
		h = g;	g = f;	f = e;	e = d + T1;
456
		d = c;	c = b;	b = a;	a = T1 + T2;
457
		}
458
459
	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
460
	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
461
462
			W+=SHA_LBLOCK;
463
			}
464
	}
465
466
#else
467
468
#define	ROUND_00_15(i,a,b,c,d,e,f,g,h)		do {	\
469
	T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];	\
470
	h = Sigma0(a) + Maj(a,b,c);			\
471
	d += T1;	h += T1;		} while (0)
472
473
#define	ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X)	do {	\
474
	s0 = X[(j+1)&0x0f];	s0 = sigma0(s0);	\
475
	s1 = X[(j+14)&0x0f];	s1 = sigma1(s1);	\
476
	T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f];	\
477
	ROUND_00_15(i+j,a,b,c,d,e,f,g,h);		} while (0)
478
479
static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
480
	{
481
	const SHA_LONG64 *W=in;
482
	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1;
483
	SHA_LONG64	X[16];
484
	int i;
485
486
			while (num--) {
487
488
	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
489
	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
490
491
#if BYTE_ORDER == BIG_ENDIAN
492
	T1 = X[0] = W[0];	ROUND_00_15(0,a,b,c,d,e,f,g,h);
493
	T1 = X[1] = W[1];	ROUND_00_15(1,h,a,b,c,d,e,f,g);
494
	T1 = X[2] = W[2];	ROUND_00_15(2,g,h,a,b,c,d,e,f);
495
	T1 = X[3] = W[3];	ROUND_00_15(3,f,g,h,a,b,c,d,e);
496
	T1 = X[4] = W[4];	ROUND_00_15(4,e,f,g,h,a,b,c,d);
497
	T1 = X[5] = W[5];	ROUND_00_15(5,d,e,f,g,h,a,b,c);
498
	T1 = X[6] = W[6];	ROUND_00_15(6,c,d,e,f,g,h,a,b);
499
	T1 = X[7] = W[7];	ROUND_00_15(7,b,c,d,e,f,g,h,a);
500
	T1 = X[8] = W[8];	ROUND_00_15(8,a,b,c,d,e,f,g,h);
501
	T1 = X[9] = W[9];	ROUND_00_15(9,h,a,b,c,d,e,f,g);
502
	T1 = X[10] = W[10];	ROUND_00_15(10,g,h,a,b,c,d,e,f);
503
	T1 = X[11] = W[11];	ROUND_00_15(11,f,g,h,a,b,c,d,e);
504
	T1 = X[12] = W[12];	ROUND_00_15(12,e,f,g,h,a,b,c,d);
505
	T1 = X[13] = W[13];	ROUND_00_15(13,d,e,f,g,h,a,b,c);
506
	T1 = X[14] = W[14];	ROUND_00_15(14,c,d,e,f,g,h,a,b);
507
	T1 = X[15] = W[15];	ROUND_00_15(15,b,c,d,e,f,g,h,a);
508
#else
509
	T1 = X[0]  = PULL64(W[0]);	ROUND_00_15(0,a,b,c,d,e,f,g,h);
510
	T1 = X[1]  = PULL64(W[1]);	ROUND_00_15(1,h,a,b,c,d,e,f,g);
511
	T1 = X[2]  = PULL64(W[2]);	ROUND_00_15(2,g,h,a,b,c,d,e,f);
512
	T1 = X[3]  = PULL64(W[3]);	ROUND_00_15(3,f,g,h,a,b,c,d,e);
513
	T1 = X[4]  = PULL64(W[4]);	ROUND_00_15(4,e,f,g,h,a,b,c,d);
514
	T1 = X[5]  = PULL64(W[5]);	ROUND_00_15(5,d,e,f,g,h,a,b,c);
515
	T1 = X[6]  = PULL64(W[6]);	ROUND_00_15(6,c,d,e,f,g,h,a,b);
516
	T1 = X[7]  = PULL64(W[7]);	ROUND_00_15(7,b,c,d,e,f,g,h,a);
517
	T1 = X[8]  = PULL64(W[8]);	ROUND_00_15(8,a,b,c,d,e,f,g,h);
518
	T1 = X[9]  = PULL64(W[9]);	ROUND_00_15(9,h,a,b,c,d,e,f,g);
519
	T1 = X[10] = PULL64(W[10]);	ROUND_00_15(10,g,h,a,b,c,d,e,f);
520
	T1 = X[11] = PULL64(W[11]);	ROUND_00_15(11,f,g,h,a,b,c,d,e);
521
	T1 = X[12] = PULL64(W[12]);	ROUND_00_15(12,e,f,g,h,a,b,c,d);
522
	T1 = X[13] = PULL64(W[13]);	ROUND_00_15(13,d,e,f,g,h,a,b,c);
523
	T1 = X[14] = PULL64(W[14]);	ROUND_00_15(14,c,d,e,f,g,h,a,b);
524
	T1 = X[15] = PULL64(W[15]);	ROUND_00_15(15,b,c,d,e,f,g,h,a);
525
#endif
526
527
	for (i=16;i<80;i+=16)
528
		{
529
		ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X);
530
		ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X);
531
		ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X);
532
		ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X);
533
		ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X);
534
		ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X);
535
		ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X);
536
		ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X);
537
		ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X);
538
		ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X);
539
		ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X);
540
		ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X);
541
		ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X);
542
		ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X);
543
		ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X);
544
		ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X);
545
		}
546
547
	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
548
	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
549
550
			W+=SHA_LBLOCK;
551
			}
552
	}
553
554
#endif
555
556
#endif /* SHA512_ASM */
557
558
#endif /* !OPENSSL_NO_SHA512 */