Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	lib/libcrypto/crypto/../../libssl/src/crypto/sha/sha512.c	Lines:	92	108	85.2 %
Date:	2016-12-06	Branches:	19	27	70.4 %


/* $OpenBSD: sha512.c,v 1.14 2015/09/10 15:56:26 jsing Exp $ */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
 * ====================================================================
 */

#include <machine/endian.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/opensslconf.h>

#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
/*
 * IMPLEMENTATION NOTES.
 *
 * As you might have noticed 32-bit hash algorithms:
 *
 * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
 * - optimized versions implement two transform functions: one operating
 *   on [aligned] data in host byte order and one - on data in input
 *   stream byte order;
 * - share common byte-order neutral collector and padding function
 *   implementations, ../md32_common.h;
 *
 * Neither of the above applies to this SHA-512 implementations. Reasons
 * [in reverse order] are:
 *
 * - it's the only 64-bit hash algorithm for the moment of this writing,
 *   there is no need for common collector/padding implementation [yet];
 * - by supporting only one transform function [which operates on
 *   *aligned* data in input stream byte order, big-endian in this case]
 *   we minimize burden of maintenance in two ways: a) collector/padding
 *   function is simpler; b) only one transform function to stare at;
 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
 *   apply a number of optimizations to mitigate potential performance
 *   penalties caused by previous design decision;
 *
 * Caveat lector.
 *
 * Implementation relies on the fact that "long long" is 64-bit on
 * both 32- and 64-bit platforms. If some compiler vendor comes up
 * with 128-bit long long, adjustment to sha.h would be required.
 * As this implementation relies on 64-bit integer type, it's totally
 * inappropriate for platforms which don't support it, most notably
 * 16-bit platforms.
 *					<appro@fy.chalmers.se>
 */

#include <openssl/crypto.h>
#include <openssl/opensslv.h>
#include <openssl/sha.h>

#if !defined(__STRICT_ALIGNMENT) || defined(SHA512_ASM)
#define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
#endif

int SHA384_Init(SHA512_CTX *c)
	{
	c->h[0]=U64(0xcbbb9d5dc1059ed8);
	c->h[1]=U64(0x629a292a367cd507);
	c->h[2]=U64(0x9159015a3070dd17);
	c->h[3]=U64(0x152fecd8f70e5939);
	c->h[4]=U64(0x67332667ffc00b31);
	c->h[5]=U64(0x8eb44a8768581511);
	c->h[6]=U64(0xdb0c2e0d64f98fa7);
	c->h[7]=U64(0x47b5481dbefa4fa4);

        c->Nl=0;        c->Nh=0;
        c->num=0;       c->md_len=SHA384_DIGEST_LENGTH;
        return 1;
	}

int SHA512_Init(SHA512_CTX *c)
	{
	c->h[0]=U64(0x6a09e667f3bcc908);
	c->h[1]=U64(0xbb67ae8584caa73b);
	c->h[2]=U64(0x3c6ef372fe94f82b);
	c->h[3]=U64(0xa54ff53a5f1d36f1);
	c->h[4]=U64(0x510e527fade682d1);
	c->h[5]=U64(0x9b05688c2b3e6c1f);
	c->h[6]=U64(0x1f83d9abfb41bd6b);
	c->h[7]=U64(0x5be0cd19137e2179);

        c->Nl=0;        c->Nh=0;
        c->num=0;       c->md_len=SHA512_DIGEST_LENGTH;
        return 1;
	}

#ifndef SHA512_ASM
static
#endif
void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num);

int SHA512_Final (unsigned char *md, SHA512_CTX *c)
	{
	unsigned char *p=(unsigned char *)c->u.p;
	size_t n=c->num;

	p[n]=0x80;	/* There always is a room for one */
	n++;
	if (n > (sizeof(c->u)-16))
		memset (p+n,0,sizeof(c->u)-n), n=0,
		sha512_block_data_order (c,p,1);

	memset (p+n,0,sizeof(c->u)-16-n);
#if BYTE_ORDER == BIG_ENDIAN
	c->u.d[SHA_LBLOCK-2] = c->Nh;
	c->u.d[SHA_LBLOCK-1] = c->Nl;
#else
	p[sizeof(c->u)-1]  = (unsigned char)(c->Nl);
	p[sizeof(c->u)-2]  = (unsigned char)(c->Nl>>8);
	p[sizeof(c->u)-3]  = (unsigned char)(c->Nl>>16);
	p[sizeof(c->u)-4]  = (unsigned char)(c->Nl>>24);
	p[sizeof(c->u)-5]  = (unsigned char)(c->Nl>>32);
	p[sizeof(c->u)-6]  = (unsigned char)(c->Nl>>40);
	p[sizeof(c->u)-7]  = (unsigned char)(c->Nl>>48);
	p[sizeof(c->u)-8]  = (unsigned char)(c->Nl>>56);
	p[sizeof(c->u)-9]  = (unsigned char)(c->Nh);
	p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
	p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
	p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
	p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
	p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
	p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
	p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
#endif

	sha512_block_data_order (c,p,1);

	if (md==0) return 0;

	switch (c->md_len)
		{
		/* Let compiler decide if it's appropriate to unroll... */
		case SHA384_DIGEST_LENGTH:
			for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
				{
				SHA_LONG64 t = c->h[n];

				*(md++)	= (unsigned char)(t>>56);
				*(md++)	= (unsigned char)(t>>48);
				*(md++)	= (unsigned char)(t>>40);
				*(md++)	= (unsigned char)(t>>32);
				*(md++)	= (unsigned char)(t>>24);
				*(md++)	= (unsigned char)(t>>16);
				*(md++)	= (unsigned char)(t>>8);
				*(md++)	= (unsigned char)(t);
				}
			break;
		case SHA512_DIGEST_LENGTH:
			for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
				{
				SHA_LONG64 t = c->h[n];

				*(md++)	= (unsigned char)(t>>56);
				*(md++)	= (unsigned char)(t>>48);
				*(md++)	= (unsigned char)(t>>40);
				*(md++)	= (unsigned char)(t>>32);
				*(md++)	= (unsigned char)(t>>24);
				*(md++)	= (unsigned char)(t>>16);
				*(md++)	= (unsigned char)(t>>8);
				*(md++)	= (unsigned char)(t);
				}
			break;
		/* ... as well as make sure md_len is not abused. */
		default:	return 0;
		}

	return 1;
	}

int SHA384_Final (unsigned char *md,SHA512_CTX *c)
{   return SHA512_Final (md,c);   }

int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
	{
	SHA_LONG64	l;
	unsigned char  *p=c->u.p;
	const unsigned char *data=(const unsigned char *)_data;

	if (len==0) return  1;

	l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
	if (l < c->Nl)		c->Nh++;
	if (sizeof(len)>=8)	c->Nh+=(((SHA_LONG64)len)>>61);
	c->Nl=l;

	if (c->num != 0)
		{
		size_t n = sizeof(c->u) - c->num;

		if (len < n)
			{
			memcpy (p+c->num,data,len), c->num += (unsigned int)len;
			return 1;
			}
		else	{
			memcpy (p+c->num,data,n), c->num = 0;
			len-=n, data+=n;
			sha512_block_data_order (c,p,1);
			}
		}

	if (len >= sizeof(c->u))
		{
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
		if ((size_t)data%sizeof(c->u.d[0]) != 0)
			while (len >= sizeof(c->u))
				memcpy (p,data,sizeof(c->u)),
				sha512_block_data_order (c,p,1),
				len  -= sizeof(c->u),
				data += sizeof(c->u);
		else
#endif
			sha512_block_data_order (c,data,len/sizeof(c->u)),
			data += len,
			len  %= sizeof(c->u),
			data -= len;
		}

	if (len != 0)	memcpy (p,data,len), c->num = (int)len;

	return 1;
	}

int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
{   return SHA512_Update (c,data,len);   }

void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
	{
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
	if ((size_t)data%sizeof(c->u.d[0]) != 0)
		memcpy(c->u.p,data,sizeof(c->u.p)),
		data = c->u.p;
#endif
	sha512_block_data_order (c,data,1);
	}

unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
	{
	SHA512_CTX c;
	static unsigned char m[SHA384_DIGEST_LENGTH];

	if (md == NULL) md=m;
	SHA384_Init(&c);
	SHA512_Update(&c,d,n);
	SHA512_Final(md,&c);
	explicit_bzero(&c,sizeof(c));
	return(md);
	}

unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
	{
	SHA512_CTX c;
	static unsigned char m[SHA512_DIGEST_LENGTH];

	if (md == NULL) md=m;
	SHA512_Init(&c);
	SHA512_Update(&c,d,n);
	SHA512_Final(md,&c);
	explicit_bzero(&c,sizeof(c));
	return(md);
	}

#ifndef SHA512_ASM
static const SHA_LONG64 K512[80] = {
        U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
        U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
        U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
        U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
        U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
        U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
        U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
        U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
        U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
        U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
        U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
        U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
        U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
        U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
        U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
        U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
        U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
        U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
        U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
        U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
        U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
        U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
        U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
        U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
        U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
        U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
        U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
        U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
        U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
        U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
        U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
        U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
        U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
        U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
        U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
        U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
        U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
        U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
        U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
        U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };

#if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__x86_64) || defined(__x86_64__)
#  define ROTR(a,n)	({ SHA_LONG64 ret;		\
				asm ("rorq %1,%0"	\
				: "=r"(ret)		\
				: "J"(n),"0"(a)		\
				: "cc"); ret;		})
#   define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));	\
				asm ("bswapq	%0"		\
				: "=r"(ret)			\
				: "0"(ret)); ret;		})
# elif (defined(__i386) || defined(__i386__))
#  if defined(I386_ONLY)
#   define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
			 unsigned int hi=p[0],lo=p[1];		\
				asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
				    "roll $16,%%eax; roll $16,%%edx; "\
				    "xchgb %%ah,%%al;xchgb %%dh,%%dl;" \
				: "=a"(lo),"=d"(hi)		\
				: "0"(lo),"1"(hi) : "cc");	\
				((SHA_LONG64)hi)<<32|lo;	})
#  else
#   define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
			 unsigned int hi=p[0],lo=p[1];		\
				asm ("bswapl %0; bswapl %1;"	\
				: "=r"(lo),"=r"(hi)		\
				: "0"(lo),"1"(hi));		\
				((SHA_LONG64)hi)<<32|lo;	})
#  endif
# elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
#  define ROTR(a,n)	({ SHA_LONG64 ret;		\
				asm ("rotrdi %0,%1,%2"	\
				: "=r"(ret)		\
				: "r"(a),"K"(n)); ret;	})
# endif
#endif

#ifndef PULL64
#define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
#define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
#endif

#ifndef ROTR
#define ROTR(x,s)	(((x)>>s) | (x)<<(64-s))
#endif

#define Sigma0(x)	(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
#define Sigma1(x)	(ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
#define sigma0(x)	(ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
#define sigma1(x)	(ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))

#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))


#if defined(__i386) || defined(__i386__) || defined(_M_IX86)
/*
 * This code should give better results on 32-bit CPU with less than
 * ~24 registers, both size and performance wise...
 */
static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
	{
	const SHA_LONG64 *W=in;
	SHA_LONG64	A,E,T;
	SHA_LONG64	X[9+80],*F;
	int i;

			while (num--) {

	F    = X+80;
	A    = ctx->h[0];	F[1] = ctx->h[1];
	F[2] = ctx->h[2];	F[3] = ctx->h[3];
	E    = ctx->h[4];	F[5] = ctx->h[5];
	F[6] = ctx->h[6];	F[7] = ctx->h[7];

	for (i=0;i<16;i++,F--)
		{
		T = PULL64(W[i]);
		F[0] = A;
		F[4] = E;
		F[8] = T;
		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
		E    = F[3] + T;
		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
		}

	for (;i<80;i++,F--)
		{
		T    = sigma0(F[8+16-1]);
		T   += sigma1(F[8+16-14]);
		T   += F[8+16] + F[8+16-9];

		F[0] = A;
		F[4] = E;
		F[8] = T;
		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
		E    = F[3] + T;
		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
		}

	ctx->h[0] += A;		ctx->h[1] += F[1];
	ctx->h[2] += F[2];	ctx->h[3] += F[3];
	ctx->h[4] += E;		ctx->h[5] += F[5];
	ctx->h[6] += F[6];	ctx->h[7] += F[7];

			W+=SHA_LBLOCK;
			}
	}

#elif defined(OPENSSL_SMALL_FOOTPRINT)

static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
	{
	const SHA_LONG64 *W=in;
	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1,T2;
	SHA_LONG64	X[16];
	int i;

			while (num--) {

	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];

	for (i=0;i<16;i++)
		{
#if BYTE_ORDER == BIG_ENDIAN
		T1 = X[i] = W[i];
#else
		T1 = X[i] = PULL64(W[i]);
#endif
		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
		T2 = Sigma0(a) + Maj(a,b,c);
		h = g;	g = f;	f = e;	e = d + T1;
		d = c;	c = b;	b = a;	a = T1 + T2;
		}

	for (;i<80;i++)
		{
		s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);
		s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);

		T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
		T2 = Sigma0(a) + Maj(a,b,c);
		h = g;	g = f;	f = e;	e = d + T1;
		d = c;	c = b;	b = a;	a = T1 + T2;
		}

	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;

			W+=SHA_LBLOCK;
			}
	}

#else

#define	ROUND_00_15(i,a,b,c,d,e,f,g,h)		do {	\
	T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];	\
	h = Sigma0(a) + Maj(a,b,c);			\
	d += T1;	h += T1;		} while (0)

#define	ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X)	do {	\
	s0 = X[(j+1)&0x0f];	s0 = sigma0(s0);	\
	s1 = X[(j+14)&0x0f];	s1 = sigma1(s1);	\
	T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f];	\
	ROUND_00_15(i+j,a,b,c,d,e,f,g,h);		} while (0)

static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
	{
	const SHA_LONG64 *W=in;
	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1;
	SHA_LONG64	X[16];
	int i;

			while (num--) {

	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];

#if BYTE_ORDER == BIG_ENDIAN
	T1 = X[0] = W[0];	ROUND_00_15(0,a,b,c,d,e,f,g,h);
	T1 = X[1] = W[1];	ROUND_00_15(1,h,a,b,c,d,e,f,g);
	T1 = X[2] = W[2];	ROUND_00_15(2,g,h,a,b,c,d,e,f);
	T1 = X[3] = W[3];	ROUND_00_15(3,f,g,h,a,b,c,d,e);
	T1 = X[4] = W[4];	ROUND_00_15(4,e,f,g,h,a,b,c,d);
	T1 = X[5] = W[5];	ROUND_00_15(5,d,e,f,g,h,a,b,c);
	T1 = X[6] = W[6];	ROUND_00_15(6,c,d,e,f,g,h,a,b);
	T1 = X[7] = W[7];	ROUND_00_15(7,b,c,d,e,f,g,h,a);
	T1 = X[8] = W[8];	ROUND_00_15(8,a,b,c,d,e,f,g,h);
	T1 = X[9] = W[9];	ROUND_00_15(9,h,a,b,c,d,e,f,g);
	T1 = X[10] = W[10];	ROUND_00_15(10,g,h,a,b,c,d,e,f);
	T1 = X[11] = W[11];	ROUND_00_15(11,f,g,h,a,b,c,d,e);
	T1 = X[12] = W[12];	ROUND_00_15(12,e,f,g,h,a,b,c,d);
	T1 = X[13] = W[13];	ROUND_00_15(13,d,e,f,g,h,a,b,c);
	T1 = X[14] = W[14];	ROUND_00_15(14,c,d,e,f,g,h,a,b);
	T1 = X[15] = W[15];	ROUND_00_15(15,b,c,d,e,f,g,h,a);
#else
	T1 = X[0]  = PULL64(W[0]);	ROUND_00_15(0,a,b,c,d,e,f,g,h);
	T1 = X[1]  = PULL64(W[1]);	ROUND_00_15(1,h,a,b,c,d,e,f,g);
	T1 = X[2]  = PULL64(W[2]);	ROUND_00_15(2,g,h,a,b,c,d,e,f);
	T1 = X[3]  = PULL64(W[3]);	ROUND_00_15(3,f,g,h,a,b,c,d,e);
	T1 = X[4]  = PULL64(W[4]);	ROUND_00_15(4,e,f,g,h,a,b,c,d);
	T1 = X[5]  = PULL64(W[5]);	ROUND_00_15(5,d,e,f,g,h,a,b,c);
	T1 = X[6]  = PULL64(W[6]);	ROUND_00_15(6,c,d,e,f,g,h,a,b);
	T1 = X[7]  = PULL64(W[7]);	ROUND_00_15(7,b,c,d,e,f,g,h,a);
	T1 = X[8]  = PULL64(W[8]);	ROUND_00_15(8,a,b,c,d,e,f,g,h);
	T1 = X[9]  = PULL64(W[9]);	ROUND_00_15(9,h,a,b,c,d,e,f,g);
	T1 = X[10] = PULL64(W[10]);	ROUND_00_15(10,g,h,a,b,c,d,e,f);
	T1 = X[11] = PULL64(W[11]);	ROUND_00_15(11,f,g,h,a,b,c,d,e);
	T1 = X[12] = PULL64(W[12]);	ROUND_00_15(12,e,f,g,h,a,b,c,d);
	T1 = X[13] = PULL64(W[13]);	ROUND_00_15(13,d,e,f,g,h,a,b,c);
	T1 = X[14] = PULL64(W[14]);	ROUND_00_15(14,c,d,e,f,g,h,a,b);
	T1 = X[15] = PULL64(W[15]);	ROUND_00_15(15,b,c,d,e,f,g,h,a);
#endif

	for (i=16;i<80;i+=16)
		{
		ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X);
		ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X);
		ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X);
		ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X);
		ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X);
		ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X);
		ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X);
		ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X);
		ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X);
		ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X);
		ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X);
		ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X);
		ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X);
		ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X);
		ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X);
		ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X);
		}

	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;

			W+=SHA_LBLOCK;
			}
	}

#endif

#endif /* SHA512_ASM */

#endif /* !OPENSSL_NO_SHA512 */


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: sha512.c,v 1.14 2015/09/10 15:56:26 jsing Exp $ */
2			/* ====================================================================
3			* Copyright (c) 2004 The OpenSSL Project. All rights reserved
4			* according to the OpenSSL license [found in ../../LICENSE].
5			* ====================================================================
6			*/
7
8			#include <machine/endian.h>
9
10			#include <stdlib.h>
11			#include <string.h>
12
13			#include <openssl/opensslconf.h>
14
15			#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
16			/*
17			* IMPLEMENTATION NOTES.
18			*
19			* As you might have noticed 32-bit hash algorithms:
20			*
21			* - permit SHA_LONG to be wider than 32-bit (case on CRAY);
22			* - optimized versions implement two transform functions: one operating
23			* on [aligned] data in host byte order and one - on data in input
24			* stream byte order;
25			* - share common byte-order neutral collector and padding function
26			* implementations, ../md32_common.h;
27			*
28			* Neither of the above applies to this SHA-512 implementations. Reasons
29			* [in reverse order] are:
30			*
31			* - it's the only 64-bit hash algorithm for the moment of this writing,
32			* there is no need for common collector/padding implementation [yet];
33			* - by supporting only one transform function [which operates on
34			* aligned data in input stream byte order, big-endian in this case]
35			* we minimize burden of maintenance in two ways: a) collector/padding
36			* function is simpler; b) only one transform function to stare at;
37			* - SHA_LONG64 is required to be exactly 64-bit in order to be able to
38			* apply a number of optimizations to mitigate potential performance
39			* penalties caused by previous design decision;
40			*
41			* Caveat lector.
42			*
43			* Implementation relies on the fact that "long long" is 64-bit on
44			* both 32- and 64-bit platforms. If some compiler vendor comes up
45			* with 128-bit long long, adjustment to sha.h would be required.
46			* As this implementation relies on 64-bit integer type, it's totally
47			* inappropriate for platforms which don't support it, most notably
48			* 16-bit platforms.
49			* <appro@fy.chalmers.se>
50			*/
51
52			#include <openssl/crypto.h>
53			#include <openssl/opensslv.h>
54			#include <openssl/sha.h>
55
56			#if !defined(__STRICT_ALIGNMENT) \|\| defined(SHA512_ASM)
57			#define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
58			#endif
59
60			int SHA384_Init(SHA512_CTX *c)
61		7	{
62		7	c->h[0]=U64(0xcbbb9d5dc1059ed8);
63		7	c->h[1]=U64(0x629a292a367cd507);
64		7	c->h[2]=U64(0x9159015a3070dd17);
65		7	c->h[3]=U64(0x152fecd8f70e5939);
66		7	c->h[4]=U64(0x67332667ffc00b31);
67		7	c->h[5]=U64(0x8eb44a8768581511);
68		7	c->h[6]=U64(0xdb0c2e0d64f98fa7);
69		7	c->h[7]=U64(0x47b5481dbefa4fa4);
70
71		7	c->Nl=0; c->Nh=0;
72		7	c->num=0; c->md_len=SHA384_DIGEST_LENGTH;
73		7	return 1;
74			}
75
76			int SHA512_Init(SHA512_CTX *c)
77		17	{
78		17	c->h[0]=U64(0x6a09e667f3bcc908);
79		17	c->h[1]=U64(0xbb67ae8584caa73b);
80		17	c->h[2]=U64(0x3c6ef372fe94f82b);
81		17	c->h[3]=U64(0xa54ff53a5f1d36f1);
82		17	c->h[4]=U64(0x510e527fade682d1);
83		17	c->h[5]=U64(0x9b05688c2b3e6c1f);
84		17	c->h[6]=U64(0x1f83d9abfb41bd6b);
85		17	c->h[7]=U64(0x5be0cd19137e2179);
86
87		17	c->Nl=0; c->Nh=0;
88		17	c->num=0; c->md_len=SHA512_DIGEST_LENGTH;
89		17	return 1;
90			}
91
92			#ifndef SHA512_ASM
93			static
94			#endif
95			void sha512_block_data_order (SHA512_CTX ctx, const void in, size_t num);
96
97			int SHA512_Final (unsigned char md, SHA512_CTX c)
98		24596	{
99		24596	unsigned char p=(unsigned char )c->u.p;
100		24596	size_t n=c->num;
101
102		24596	p[n]=0x80; /* There always is a room for one */
103		24596	n++;
104	✓✓	24596	if (n > (sizeof(c->u)-16))
105		4	memset (p+n,0,sizeof(c->u)-n), n=0,
106			sha512_block_data_order (c,p,1);
107
108		24596	memset (p+n,0,sizeof(c->u)-16-n);
109			#if BYTE_ORDER == BIG_ENDIAN
110			c->u.d[SHA_LBLOCK-2] = c->Nh;
111			c->u.d[SHA_LBLOCK-1] = c->Nl;
112			#else
113		24596	p[sizeof(c->u)-1] = (unsigned char)(c->Nl);
114		24596	p[sizeof(c->u)-2] = (unsigned char)(c->Nl>>8);
115		24596	p[sizeof(c->u)-3] = (unsigned char)(c->Nl>>16);
116		24596	p[sizeof(c->u)-4] = (unsigned char)(c->Nl>>24);
117		24596	p[sizeof(c->u)-5] = (unsigned char)(c->Nl>>32);
118		24596	p[sizeof(c->u)-6] = (unsigned char)(c->Nl>>40);
119		24596	p[sizeof(c->u)-7] = (unsigned char)(c->Nl>>48);
120		24596	p[sizeof(c->u)-8] = (unsigned char)(c->Nl>>56);
121		24596	p[sizeof(c->u)-9] = (unsigned char)(c->Nh);
122		24596	p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
123		24596	p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
124		24596	p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
125		24596	p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
126		24596	p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
127		24596	p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
128		24596	p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
129			#endif
130
131		24596	sha512_block_data_order (c,p,1);
132
133	✗✓	24596	if (md==0) return 0;
134
135	✓✓✗	24596	switch (c->md_len)
136			{
137			/* Let compiler decide if it's appropriate to unroll... */
138			case SHA384_DIGEST_LENGTH:
139	✓✓	49	for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
140			{
141		42	SHA_LONG64 t = c->h[n];
142
143		42	*(md++) = (unsigned char)(t>>56);
144		42	*(md++) = (unsigned char)(t>>48);
145		42	*(md++) = (unsigned char)(t>>40);
146		42	*(md++) = (unsigned char)(t>>32);
147		42	*(md++) = (unsigned char)(t>>24);
148		42	*(md++) = (unsigned char)(t>>16);
149		42	*(md++) = (unsigned char)(t>>8);
150		42	*(md++) = (unsigned char)(t);
151			}
152			break;
153			case SHA512_DIGEST_LENGTH:
154	✓✓	221301	for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
155			{
156		196712	SHA_LONG64 t = c->h[n];
157
158		196712	*(md++) = (unsigned char)(t>>56);
159		196712	*(md++) = (unsigned char)(t>>48);
160		196712	*(md++) = (unsigned char)(t>>40);
161		196712	*(md++) = (unsigned char)(t>>32);
162		196712	*(md++) = (unsigned char)(t>>24);
163		196712	*(md++) = (unsigned char)(t>>16);
164		196712	*(md++) = (unsigned char)(t>>8);
165		196712	*(md++) = (unsigned char)(t);
166			}
167			break;
168			/* ... as well as make sure md_len is not abused. */
169			default: return 0;
170			}
171
172		24596	return 1;
173			}
174
175			int SHA384_Final (unsigned char md,SHA512_CTX c)
176			{ return SHA512_Final (md,c); }
177
178			int SHA512_Update (SHA512_CTX c, const void _data, size_t len)
179		43711	{
180			SHA_LONG64 l;
181		43711	unsigned char *p=c->u.p;
182		43711	const unsigned char data=(const unsigned char )_data;
183
184	✗✓	43711	if (len==0) return 1;
185
186		43711	l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
187	✗✓	43711	if (l < c->Nl) c->Nh++;
188		43711	if (sizeof(len)>=8) c->Nh+=(((SHA_LONG64)len)>>61);
189		43711	c->Nl=l;
190
191	✓✓	43711	if (c->num != 0)
192			{
193		10425	size_t n = sizeof(c->u) - c->num;
194
195	✓✓	10425	if (len < n)
196			{
197		7	memcpy (p+c->num,data,len), c->num += (unsigned int)len;
198		7	return 1;
199			}
200			else {
201		10418	memcpy (p+c->num,data,n), c->num = 0;
202		10418	len-=n, data+=n;
203		10418	sha512_block_data_order (c,p,1);
204			}
205			}
206
207	✓✓	43704	if (len >= sizeof(c->u))
208			{
209			#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
210			if ((size_t)data%sizeof(c->u.d[0]) != 0)
211			while (len >= sizeof(c->u))
212			memcpy (p,data,sizeof(c->u)),
213			sha512_block_data_order (c,p,1),
214			len -= sizeof(c->u),
215			data += sizeof(c->u);
216			else
217			#endif
218		3484	sha512_block_data_order (c,data,len/sizeof(c->u)),
219			data += len,
220			len %= sizeof(c->u),
221			data -= len;
222			}
223
224	✓✓	43704	if (len != 0) memcpy (p,data,len), c->num = (int)len;
225
226		43704	return 1;
227			}
228
229			int SHA384_Update (SHA512_CTX c, const void data, size_t len)
230			{ return SHA512_Update (c,data,len); }
231
232			void SHA512_Transform (SHA512_CTX c, const unsigned char data)
233			{
234			#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
235			if ((size_t)data%sizeof(c->u.d[0]) != 0)
236			memcpy(c->u.p,data,sizeof(c->u.p)),
237			data = c->u.p;
238			#endif
239			sha512_block_data_order (c,data,1);
240			}
241
242			unsigned char SHA384(const unsigned char d, size_t n, unsigned char *md)
243			{
244			SHA512_CTX c;
245			static unsigned char m[SHA384_DIGEST_LENGTH];
246
247			if (md == NULL) md=m;
248			SHA384_Init(&c);
249			SHA512_Update(&c,d,n);
250			SHA512_Final(md,&c);
251			explicit_bzero(&c,sizeof(c));
252			return(md);
253			}
254
255			unsigned char SHA512(const unsigned char d, size_t n, unsigned char *md)
256			{
257			SHA512_CTX c;
258			static unsigned char m[SHA512_DIGEST_LENGTH];
259
260			if (md == NULL) md=m;
261			SHA512_Init(&c);
262			SHA512_Update(&c,d,n);
263			SHA512_Final(md,&c);
264			explicit_bzero(&c,sizeof(c));
265			return(md);
266			}
267
268			#ifndef SHA512_ASM
269			static const SHA_LONG64 K512[80] = {
270			U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
271			U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
272			U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
273			U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
274			U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
275			U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
276			U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
277			U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
278			U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
279			U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
280			U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
281			U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
282			U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
283			U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
284			U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
285			U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
286			U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
287			U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
288			U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
289			U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
290			U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
291			U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
292			U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
293			U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
294			U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
295			U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
296			U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
297			U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
298			U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
299			U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
300			U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
301			U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
302			U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
303			U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
304			U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
305			U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
306			U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
307			U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
308			U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
309			U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
310
311			#if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
312			# if defined(__x86_64) \|\| defined(__x86_64__)
313			# define ROTR(a,n) ({ SHA_LONG64 ret; \
314			asm ("rorq %1,%0" \
315			: "=r"(ret) \
316			: "J"(n),"0"(a) \
317			: "cc"); ret; })
318			# define PULL64(x) ({ SHA_LONG64 ret=((const SHA_LONG64 )(&(x))); \
319			asm ("bswapq %0" \
320			: "=r"(ret) \
321			: "0"(ret)); ret; })
322			# elif (defined(__i386) \|\| defined(__i386__))
323			# if defined(I386_ONLY)
324			# define PULL64(x) ({ const unsigned int p=(const unsigned int )(&(x));\
325			unsigned int hi=p[0],lo=p[1]; \
326			asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
327			"roll $16,%%eax; roll $16,%%edx; "\
328			"xchgb %%ah,%%al;xchgb %%dh,%%dl;" \
329			: "=a"(lo),"=d"(hi) \
330			: "0"(lo),"1"(hi) : "cc"); \
331			((SHA_LONG64)hi)<<32\|lo; })
332			# else
333			# define PULL64(x) ({ const unsigned int p=(const unsigned int )(&(x));\
334			unsigned int hi=p[0],lo=p[1]; \
335			asm ("bswapl %0; bswapl %1;" \
336			: "=r"(lo),"=r"(hi) \
337			: "0"(lo),"1"(hi)); \
338			((SHA_LONG64)hi)<<32\|lo; })
339			# endif
340			# elif (defined(_ARCH_PPC) && defined(__64BIT__)) \|\| defined(_ARCH_PPC64)
341			# define ROTR(a,n) ({ SHA_LONG64 ret; \
342			asm ("rotrdi %0,%1,%2" \
343			: "=r"(ret) \
344			: "r"(a),"K"(n)); ret; })
345			# endif
346			#endif
347
348			#ifndef PULL64
349			#define B(x,j) (((SHA_LONG64)((((const unsigned char )(&x))+j)))<<((7-j)*8))
350			#define PULL64(x) (B(x,0)\|B(x,1)\|B(x,2)\|B(x,3)\|B(x,4)\|B(x,5)\|B(x,6)\|B(x,7))
351			#endif
352
353			#ifndef ROTR
354			#define ROTR(x,s) (((x)>>s) \| (x)<<(64-s))
355			#endif
356
357			#define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
358			#define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
359			#define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
360			#define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
361
362			#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
363			#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
364
365
366			#if defined(__i386) \|\| defined(__i386__) \|\| defined(_M_IX86)
367			/*
368			* This code should give better results on 32-bit CPU with less than
369			* ~24 registers, both size and performance wise...
370			*/
371			static void sha512_block_data_order (SHA512_CTX ctx, const void in, size_t num)
372			{
373			const SHA_LONG64 *W=in;
374			SHA_LONG64 A,E,T;
375			SHA_LONG64 X[9+80],*F;
376			int i;
377
378			while (num--) {
379
380			F = X+80;
381			A = ctx->h[0]; F[1] = ctx->h[1];
382			F[2] = ctx->h[2]; F[3] = ctx->h[3];
383			E = ctx->h[4]; F[5] = ctx->h[5];
384			F[6] = ctx->h[6]; F[7] = ctx->h[7];
385
386			for (i=0;i<16;i++,F--)
387			{
388			T = PULL64(W[i]);
389			F[0] = A;
390			F[4] = E;
391			F[8] = T;
392			T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
393			E = F[3] + T;
394			A = T + Sigma0(A) + Maj(A,F[1],F[2]);
395			}
396
397			for (;i<80;i++,F--)
398			{
399			T = sigma0(F[8+16-1]);
400			T += sigma1(F[8+16-14]);
401			T += F[8+16] + F[8+16-9];
402
403			F[0] = A;
404			F[4] = E;
405			F[8] = T;
406			T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
407			E = F[3] + T;
408			A = T + Sigma0(A) + Maj(A,F[1],F[2]);
409			}
410
411			ctx->h[0] += A; ctx->h[1] += F[1];
412			ctx->h[2] += F[2]; ctx->h[3] += F[3];
413			ctx->h[4] += E; ctx->h[5] += F[5];
414			ctx->h[6] += F[6]; ctx->h[7] += F[7];
415
416			W+=SHA_LBLOCK;
417			}
418			}
419
420			#elif defined(OPENSSL_SMALL_FOOTPRINT)
421
422			static void sha512_block_data_order (SHA512_CTX ctx, const void in, size_t num)
423			{
424			const SHA_LONG64 *W=in;
425			SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1,T2;
426			SHA_LONG64 X[16];
427			int i;
428
429			while (num--) {
430
431			a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
432			e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
433
434			for (i=0;i<16;i++)
435			{
436			#if BYTE_ORDER == BIG_ENDIAN
437			T1 = X[i] = W[i];
438			#else
439			T1 = X[i] = PULL64(W[i]);
440			#endif
441			T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
442			T2 = Sigma0(a) + Maj(a,b,c);
443			h = g; g = f; f = e; e = d + T1;
444			d = c; c = b; b = a; a = T1 + T2;
445			}
446
447			for (;i<80;i++)
448			{
449			s0 = X[(i+1)&0x0f]; s0 = sigma0(s0);
450			s1 = X[(i+14)&0x0f]; s1 = sigma1(s1);
451
452			T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
453			T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
454			T2 = Sigma0(a) + Maj(a,b,c);
455			h = g; g = f; f = e; e = d + T1;
456			d = c; c = b; b = a; a = T1 + T2;
457			}
458
459			ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
460			ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
461
462			W+=SHA_LBLOCK;
463			}
464			}
465
466			#else
467
468			#define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
469			T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; \
470			h = Sigma0(a) + Maj(a,b,c); \
471			d += T1; h += T1; } while (0)
472
473			#define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X) do { \
474			s0 = X[(j+1)&0x0f]; s0 = sigma0(s0); \
475			s1 = X[(j+14)&0x0f]; s1 = sigma1(s1); \
476			T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f]; \
477			ROUND_00_15(i+j,a,b,c,d,e,f,g,h); } while (0)
478
479			static void sha512_block_data_order (SHA512_CTX ctx, const void in, size_t num)
480			{
481			const SHA_LONG64 *W=in;
482			SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1;
483			SHA_LONG64 X[16];
484			int i;
485
486			while (num--) {
487
488			a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
489			e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
490
491			#if BYTE_ORDER == BIG_ENDIAN
492			T1 = X[0] = W[0]; ROUND_00_15(0,a,b,c,d,e,f,g,h);
493			T1 = X[1] = W[1]; ROUND_00_15(1,h,a,b,c,d,e,f,g);
494			T1 = X[2] = W[2]; ROUND_00_15(2,g,h,a,b,c,d,e,f);
495			T1 = X[3] = W[3]; ROUND_00_15(3,f,g,h,a,b,c,d,e);
496			T1 = X[4] = W[4]; ROUND_00_15(4,e,f,g,h,a,b,c,d);
497			T1 = X[5] = W[5]; ROUND_00_15(5,d,e,f,g,h,a,b,c);
498			T1 = X[6] = W[6]; ROUND_00_15(6,c,d,e,f,g,h,a,b);
499			T1 = X[7] = W[7]; ROUND_00_15(7,b,c,d,e,f,g,h,a);
500			T1 = X[8] = W[8]; ROUND_00_15(8,a,b,c,d,e,f,g,h);
501			T1 = X[9] = W[9]; ROUND_00_15(9,h,a,b,c,d,e,f,g);
502			T1 = X[10] = W[10]; ROUND_00_15(10,g,h,a,b,c,d,e,f);
503			T1 = X[11] = W[11]; ROUND_00_15(11,f,g,h,a,b,c,d,e);
504			T1 = X[12] = W[12]; ROUND_00_15(12,e,f,g,h,a,b,c,d);
505			T1 = X[13] = W[13]; ROUND_00_15(13,d,e,f,g,h,a,b,c);
506			T1 = X[14] = W[14]; ROUND_00_15(14,c,d,e,f,g,h,a,b);
507			T1 = X[15] = W[15]; ROUND_00_15(15,b,c,d,e,f,g,h,a);
508			#else
509			T1 = X[0] = PULL64(W[0]); ROUND_00_15(0,a,b,c,d,e,f,g,h);
510			T1 = X[1] = PULL64(W[1]); ROUND_00_15(1,h,a,b,c,d,e,f,g);
511			T1 = X[2] = PULL64(W[2]); ROUND_00_15(2,g,h,a,b,c,d,e,f);
512			T1 = X[3] = PULL64(W[3]); ROUND_00_15(3,f,g,h,a,b,c,d,e);
513			T1 = X[4] = PULL64(W[4]); ROUND_00_15(4,e,f,g,h,a,b,c,d);
514			T1 = X[5] = PULL64(W[5]); ROUND_00_15(5,d,e,f,g,h,a,b,c);
515			T1 = X[6] = PULL64(W[6]); ROUND_00_15(6,c,d,e,f,g,h,a,b);
516			T1 = X[7] = PULL64(W[7]); ROUND_00_15(7,b,c,d,e,f,g,h,a);
517			T1 = X[8] = PULL64(W[8]); ROUND_00_15(8,a,b,c,d,e,f,g,h);
518			T1 = X[9] = PULL64(W[9]); ROUND_00_15(9,h,a,b,c,d,e,f,g);
519			T1 = X[10] = PULL64(W[10]); ROUND_00_15(10,g,h,a,b,c,d,e,f);
520			T1 = X[11] = PULL64(W[11]); ROUND_00_15(11,f,g,h,a,b,c,d,e);
521			T1 = X[12] = PULL64(W[12]); ROUND_00_15(12,e,f,g,h,a,b,c,d);
522			T1 = X[13] = PULL64(W[13]); ROUND_00_15(13,d,e,f,g,h,a,b,c);
523			T1 = X[14] = PULL64(W[14]); ROUND_00_15(14,c,d,e,f,g,h,a,b);
524			T1 = X[15] = PULL64(W[15]); ROUND_00_15(15,b,c,d,e,f,g,h,a);
525			#endif
526
527			for (i=16;i<80;i+=16)
528			{
529			ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X);
530			ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X);
531			ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X);
532			ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X);
533			ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X);
534			ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X);
535			ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X);
536			ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X);
537			ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X);
538			ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X);
539			ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X);
540			ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X);
541			ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X);
542			ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X);
543			ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X);
544			ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X);
545			}
546
547			ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
548			ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
549
550			W+=SHA_LBLOCK;
551			}
552			}
553
554			#endif
555
556			#endif /* SHA512_ASM */
557
558			#endif /* !OPENSSL_NO_SHA512 */