crypto/sha/sha512.c

   1 /* crypto/sha/sha512.c */
   2 /* ====================================================================
   3  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
   4  * according to the OpenSSL license [found in ../../LICENSE].
   5  * ====================================================================
   6  */
   7 #include <openssl/opensslconf.h>
   8 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
   9 /*
  10  * IMPLEMENTATION NOTES.
  11  *
  12  * As you might have noticed 32-bit hash algorithms:
  13  *
  14  * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
  15  * - optimized versions implement two transform functions: one operating
  16  *   on [aligned] data in host byte order and one - on data in input
  17  *   stream byte order;
  18  * - share common byte-order neutral collector and padding function
  19  *   implementations, ../md32_common.h;
  20  *
  21  * Neither of the above applies to this SHA-512 implementations. Reasons
  22  * [in reverse order] are:
  23  *
  24  * - it's the only 64-bit hash algorithm for the moment of this writing,
  25  *   there is no need for common collector/padding implementation [yet];
  26  * - by supporting only one transform function [which operates on
  27  *   *aligned* data in input stream byte order, big-endian in this case]
  28  *   we minimize burden of maintenance in two ways: a) collector/padding
  29  *   function is simpler; b) only one transform function to stare at;
  30  * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
  31  *   apply a number of optimizations to mitigate potential performance
  32  *   penalties caused by previous design decision;
  33  *
  34  * Caveat lector.
  35  *
  36  * Implementation relies on the fact that "long long" is 64-bit on
  37  * both 32- and 64-bit platforms. If some compiler vendor comes up
  38  * with 128-bit long long, adjustment to sha.h would be required.
  39  * As this implementation relies on 64-bit integer type, it's totally
  40  * inappropriate for platforms which don't support it, most notably
  41  * 16-bit platforms.
  42  *                                      <appro@fy.chalmers.se>
  43  */
  44 #include <stdlib.h>
  45 #include <string.h>
  46
  47 #include <openssl/crypto.h>
  48 #include <openssl/sha.h>
  49 #include <openssl/opensslv.h>
  50
  51 #include "cryptlib.h"
  52
  53 const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT;
  54
  55 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
  56     defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
  57     defined(__s390__) || defined(__s390x__) || \
  58     defined(__aarch64__) || \
  59     defined(SHA512_ASM)
  60 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
  61 #endif
  62
  63 int SHA384_Init (SHA512_CTX *c)
  64         {
  65         c->h[0]=U64(0xcbbb9d5dc1059ed8);
  66         c->h[1]=U64(0x629a292a367cd507);
  67         c->h[2]=U64(0x9159015a3070dd17);
  68         c->h[3]=U64(0x152fecd8f70e5939);
  69         c->h[4]=U64(0x67332667ffc00b31);
  70         c->h[5]=U64(0x8eb44a8768581511);
  71         c->h[6]=U64(0xdb0c2e0d64f98fa7);
  72         c->h[7]=U64(0x47b5481dbefa4fa4);
  73
  74         c->Nl=0;        c->Nh=0;
  75         c->num=0;       c->md_len=SHA384_DIGEST_LENGTH;
  76         return 1;
  77         }
  78
  79 int SHA512_Init (SHA512_CTX *c)
  80         {
  81         c->h[0]=U64(0x6a09e667f3bcc908);
  82         c->h[1]=U64(0xbb67ae8584caa73b);
  83         c->h[2]=U64(0x3c6ef372fe94f82b);
  84         c->h[3]=U64(0xa54ff53a5f1d36f1);
  85         c->h[4]=U64(0x510e527fade682d1);
  86         c->h[5]=U64(0x9b05688c2b3e6c1f);
  87         c->h[6]=U64(0x1f83d9abfb41bd6b);
  88         c->h[7]=U64(0x5be0cd19137e2179);
  89
  90         c->Nl=0;        c->Nh=0;
  91         c->num=0;       c->md_len=SHA512_DIGEST_LENGTH;
  92         return 1;
  93         }
  94
  95 #ifndef SHA512_ASM
  96 static
  97 #endif
  98 void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num);
  99
 100 int SHA512_Final (unsigned char *md, SHA512_CTX *c)
 101         {
 102         unsigned char *p=(unsigned char *)c->u.p;
 103         size_t n=c->num;
 104
 105         p[n]=0x80;      /* There always is a room for one */
 106         n++;
 107         if (n > (sizeof(c->u)-16))
 108                 memset (p+n,0,sizeof(c->u)-n), n=0,
 109                 sha512_block_data_order (c,p,1);
 110
 111         memset (p+n,0,sizeof(c->u)-16-n);
 112 #ifdef  B_ENDIAN
 113         c->u.d[SHA_LBLOCK-2] = c->Nh;
 114         c->u.d[SHA_LBLOCK-1] = c->Nl;
 115 #else
 116         p[sizeof(c->u)-1]  = (unsigned char)(c->Nl);
 117         p[sizeof(c->u)-2]  = (unsigned char)(c->Nl>>8);
 118         p[sizeof(c->u)-3]  = (unsigned char)(c->Nl>>16);
 119         p[sizeof(c->u)-4]  = (unsigned char)(c->Nl>>24);
 120         p[sizeof(c->u)-5]  = (unsigned char)(c->Nl>>32);
 121         p[sizeof(c->u)-6]  = (unsigned char)(c->Nl>>40);
 122         p[sizeof(c->u)-7]  = (unsigned char)(c->Nl>>48);
 123         p[sizeof(c->u)-8]  = (unsigned char)(c->Nl>>56);
 124         p[sizeof(c->u)-9]  = (unsigned char)(c->Nh);
 125         p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
 126         p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
 127         p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
 128         p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
 129         p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
 130         p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
 131         p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
 132 #endif
 133
 134         sha512_block_data_order (c,p,1);
 135
 136         if (md==0) return 0;
 137
 138         switch (c->md_len)
 139                 {
 140                 /* Let compiler decide if it's appropriate to unroll... */
 141                 case SHA384_DIGEST_LENGTH:
 142                         for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
 143                                 {
 144                                 SHA_LONG64 t = c->h[n];
 145
 146                                 *(md++) = (unsigned char)(t>>56);
 147                                 *(md++) = (unsigned char)(t>>48);
 148                                 *(md++) = (unsigned char)(t>>40);
 149                                 *(md++) = (unsigned char)(t>>32);
 150                                 *(md++) = (unsigned char)(t>>24);
 151                                 *(md++) = (unsigned char)(t>>16);
 152                                 *(md++) = (unsigned char)(t>>8);
 153                                 *(md++) = (unsigned char)(t);
 154                                 }
 155                         break;
 156                 case SHA512_DIGEST_LENGTH:
 157                         for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
 158                                 {
 159                                 SHA_LONG64 t = c->h[n];
 160
 161                                 *(md++) = (unsigned char)(t>>56);
 162                                 *(md++) = (unsigned char)(t>>48);
 163                                 *(md++) = (unsigned char)(t>>40);
 164                                 *(md++) = (unsigned char)(t>>32);
 165                                 *(md++) = (unsigned char)(t>>24);
 166                                 *(md++) = (unsigned char)(t>>16);
 167                                 *(md++) = (unsigned char)(t>>8);
 168                                 *(md++) = (unsigned char)(t);
 169                                 }
 170                         break;
 171                 /* ... as well as make sure md_len is not abused. */
 172                 default:        return 0;
 173                 }
 174
 175         return 1;
 176         }
 177
 178 int SHA384_Final (unsigned char *md,SHA512_CTX *c)
 179 {   return SHA512_Final (md,c);   }
 180
 181 int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
 182         {
 183         SHA_LONG64      l;
 184         unsigned char  *p=c->u.p;
 185         const unsigned char *data=(const unsigned char *)_data;
 186
 187         if (len==0) return  1;
 188
 189         l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
 190         if (l < c->Nl)          c->Nh++;
 191         if (sizeof(len)>=8)     c->Nh+=(((SHA_LONG64)len)>>61);
 192         c->Nl=l;
 193
 194         if (c->num != 0)
 195                 {
 196                 size_t n = sizeof(c->u) - c->num;
 197
 198                 if (len < n)
 199                         {
 200                         memcpy (p+c->num,data,len), c->num += (unsigned int)len;
 201                         return 1;
 202                         }
 203                 else    {
 204                         memcpy (p+c->num,data,n), c->num = 0;
 205                         len-=n, data+=n;
 206                         sha512_block_data_order (c,p,1);
 207                         }
 208                 }
 209
 210         if (len >= sizeof(c->u))
 211                 {
 212 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
 213                 if ((size_t)data%sizeof(c->u.d[0]) != 0)
 214                         while (len >= sizeof(c->u))
 215                                 memcpy (p,data,sizeof(c->u)),
 216                                 sha512_block_data_order (c,p,1),
 217                                 len  -= sizeof(c->u),
 218                                 data += sizeof(c->u);
 219                 else
 220 #endif
 221                         sha512_block_data_order (c,data,len/sizeof(c->u)),
 222                         data += len,
 223                         len  %= sizeof(c->u),
 224                         data -= len;
 225                 }
 226
 227         if (len != 0)   memcpy (p,data,len), c->num = (int)len;
 228
 229         return 1;
 230         }
 231
 232 int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
 233 {   return SHA512_Update (c,data,len);   }
 234
 235 void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
 236         {
 237 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
 238         if ((size_t)data%sizeof(c->u.d[0]) != 0)
 239                 memcpy(c->u.p,data,sizeof(c->u.p)),
 240                 data = c->u.p;
 241 #endif
 242         sha512_block_data_order (c,data,1);
 243         }
 244
 245 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
 246         {
 247         SHA512_CTX c;
 248         static unsigned char m[SHA384_DIGEST_LENGTH];
 249
 250         if (md == NULL) md=m;
 251         SHA384_Init(&c);
 252         SHA512_Update(&c,d,n);
 253         SHA512_Final(md,&c);
 254         OPENSSL_cleanse(&c,sizeof(c));
 255         return(md);
 256         }
 257
 258 unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
 259         {
 260         SHA512_CTX c;
 261         static unsigned char m[SHA512_DIGEST_LENGTH];
 262
 263         if (md == NULL) md=m;
 264         SHA512_Init(&c);
 265         SHA512_Update(&c,d,n);
 266         SHA512_Final(md,&c);
 267         OPENSSL_cleanse(&c,sizeof(c));
 268         return(md);
 269         }
 270
 271 #ifndef SHA512_ASM
 272 static const SHA_LONG64 K512[80] = {
 273         U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
 274         U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
 275         U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
 276         U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
 277         U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
 278         U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
 279         U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
 280         U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
 281         U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
 282         U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
 283         U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
 284         U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
 285         U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
 286         U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
 287         U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
 288         U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
 289         U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
 290         U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
 291         U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
 292         U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
 293         U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
 294         U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
 295         U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
 296         U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
 297         U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
 298         U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
 299         U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
 300         U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
 301         U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
 302         U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
 303         U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
 304         U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
 305         U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
 306         U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
 307         U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
 308         U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
 309         U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
 310         U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
 311         U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
 312         U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
 313
 314 #ifndef PEDANTIC
 315 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
 316 #  if defined(__x86_64) || defined(__x86_64__)
 317 #   define ROTR(a,n)    ({ SHA_LONG64 ret;              \
 318                                 asm ("rorq %1,%0"       \
 319                                 : "=r"(ret)             \
 320                                 : "J"(n),"0"(a)         \
 321                                 : "cc"); ret;           })
 322 #   if !defined(B_ENDIAN)
 323 #    define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));  \
 324                                 asm ("bswapq    %0"             \
 325                                 : "=r"(ret)                     \
 326                                 : "0"(ret)); ret;               })
 327 #   endif
 328 #  elif (defined(__i386) || defined(__i386__)) && !defined(B_ENDIAN)
 329 #   if defined(I386_ONLY)
 330 #    define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
 331                          unsigned int hi=p[0],lo=p[1];          \
 332                                 asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
 333                                     "roll $16,%%eax; roll $16,%%edx; "\
 334                                     "xchgb %%ah,%%al;xchgb %%dh,%%dl;" \
 335                                 : "=a"(lo),"=d"(hi)             \
 336                                 : "0"(lo),"1"(hi) : "cc");      \
 337                                 ((SHA_LONG64)hi)<<32|lo;        })
 338 #   else
 339 #    define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
 340                          unsigned int hi=p[0],lo=p[1];          \
 341                                 asm ("bswapl %0; bswapl %1;"    \
 342                                 : "=r"(lo),"=r"(hi)             \
 343                                 : "0"(lo),"1"(hi));             \
 344                                 ((SHA_LONG64)hi)<<32|lo;        })
 345 #   endif
 346 #  elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
 347 #   define ROTR(a,n)    ({ SHA_LONG64 ret;              \
 348                                 asm ("rotrdi %0,%1,%2"  \
 349                                 : "=r"(ret)             \
 350                                 : "r"(a),"K"(n)); ret;  })
 351 #  elif defined(__aarch64__)
 352 #   define ROTR(a,n)    ({ SHA_LONG64 ret;              \
 353                                 asm ("ror %0,%1,%2"     \
 354                                 : "=r"(ret)             \
 355                                 : "r"(a),"I"(n)); ret;  })
 356 #   if  defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
 357         __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
 358 #    define PULL64(x)   ({ SHA_LONG64 ret;                      \
 359                                 asm ("rev       %0,%1"          \
 360                                 : "=r"(ret)                     \
 361                                 : "r"(*((const SHA_LONG64 *)(&(x))))); ret;             })
 362 #   endif
 363 #  endif
 364 # elif defined(_MSC_VER)
 365 #  if defined(_WIN64)   /* applies to both IA-64 and AMD64 */
 366 #   pragma intrinsic(_rotr64)
 367 #   define ROTR(a,n)    _rotr64((a),n)
 368 #  endif
 369 #  if defined(_M_IX86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
 370 #   if defined(I386_ONLY)
 371     static SHA_LONG64 __fastcall __pull64be(const void *x)
 372     {   _asm    mov     edx, [ecx + 0]
 373         _asm    mov     eax, [ecx + 4]
 374         _asm    xchg    dh,dl
 375         _asm    xchg    ah,al
 376         _asm    rol     edx,16
 377         _asm    rol     eax,16
 378         _asm    xchg    dh,dl
 379         _asm    xchg    ah,al
 380     }
 381 #   else
 382     static SHA_LONG64 __fastcall __pull64be(const void *x)
 383     {   _asm    mov     edx, [ecx + 0]
 384         _asm    mov     eax, [ecx + 4]
 385         _asm    bswap   edx
 386         _asm    bswap   eax
 387     }
 388 #   endif
 389 #   define PULL64(x) __pull64be(&(x))
 390 #   if _MSC_VER<=1200
 391 #    pragma inline_depth(0)
 392 #   endif
 393 #  endif
 394 # endif
 395 #endif
 396
 397 #ifndef PULL64
 398 #define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
 399 #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
 400 #endif
 401
 402 #ifndef ROTR
 403 #define ROTR(x,s)       (((x)>>s) | (x)<<(64-s))
 404 #endif
 405
 406 #define Sigma0(x)       (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
 407 #define Sigma1(x)       (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
 408 #define sigma0(x)       (ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
 409 #define sigma1(x)       (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
 410
 411 #define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
 412 #define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
 413
 414
 415 #if defined(__i386) || defined(__i386__) || defined(_M_IX86)
 416 /*
 417  * This code should give better results on 32-bit CPU with less than
 418  * ~24 registers, both size and performance wise...
 419  */
 420 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
 421         {
 422         const SHA_LONG64 *W=in;
 423         SHA_LONG64      A,E,T;
 424         SHA_LONG64      X[9+80],*F;
 425         int i;
 426
 427                         while (num--) {
 428
 429         F    = X+80;
 430         A    = ctx->h[0];       F[1] = ctx->h[1];
 431         F[2] = ctx->h[2];       F[3] = ctx->h[3];
 432         E    = ctx->h[4];       F[5] = ctx->h[5];
 433         F[6] = ctx->h[6];       F[7] = ctx->h[7];
 434
 435         for (i=0;i<16;i++,F--)
 436                 {
 437 #ifdef B_ENDIAN
 438                 T = W[i];
 439 #else
 440                 T = PULL64(W[i]);
 441 #endif
 442                 F[0] = A;
 443                 F[4] = E;
 444                 F[8] = T;
 445                 T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
 446                 E    = F[3] + T;
 447                 A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
 448                 }
 449
 450         for (;i<80;i++,F--)
 451                 {
 452                 T    = sigma0(F[8+16-1]);
 453                 T   += sigma1(F[8+16-14]);
 454                 T   += F[8+16] + F[8+16-9];
 455
 456                 F[0] = A;
 457                 F[4] = E;
 458                 F[8] = T;
 459                 T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
 460                 E    = F[3] + T;
 461                 A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
 462                 }
 463
 464         ctx->h[0] += A;         ctx->h[1] += F[1];
 465         ctx->h[2] += F[2];      ctx->h[3] += F[3];
 466         ctx->h[4] += E;         ctx->h[5] += F[5];
 467         ctx->h[6] += F[6];      ctx->h[7] += F[7];
 468
 469                         W+=SHA_LBLOCK;
 470                         }
 471         }
 472
 473 #elif defined(OPENSSL_SMALL_FOOTPRINT)
 474
 475 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
 476         {
 477         const SHA_LONG64 *W=in;
 478         SHA_LONG64      a,b,c,d,e,f,g,h,s0,s1,T1,T2;
 479         SHA_LONG64      X[16];
 480         int i;
 481
 482                         while (num--) {
 483
 484         a = ctx->h[0];  b = ctx->h[1];  c = ctx->h[2];  d = ctx->h[3];
 485         e = ctx->h[4];  f = ctx->h[5];  g = ctx->h[6];  h = ctx->h[7];
 486
 487         for (i=0;i<16;i++)
 488                 {
 489 #ifdef B_ENDIAN
 490                 T1 = X[i] = W[i];
 491 #else
 492                 T1 = X[i] = PULL64(W[i]);
 493 #endif
 494                 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
 495                 T2 = Sigma0(a) + Maj(a,b,c);
 496                 h = g;  g = f;  f = e;  e = d + T1;
 497                 d = c;  c = b;  b = a;  a = T1 + T2;
 498                 }
 499
 500         for (;i<80;i++)
 501                 {
 502                 s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);
 503                 s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);
 504
 505                 T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
 506                 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
 507                 T2 = Sigma0(a) + Maj(a,b,c);
 508                 h = g;  g = f;  f = e;  e = d + T1;
 509                 d = c;  c = b;  b = a;  a = T1 + T2;
 510                 }
 511
 512         ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
 513         ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
 514
 515                         W+=SHA_LBLOCK;
 516                         }
 517         }
 518
 519 #else
 520
 521 #define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
 522         T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];      \
 523         h = Sigma0(a) + Maj(a,b,c);                     \
 524         d += T1;        h += T1;                } while (0)
 525
 526 #define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X)      do {    \
 527         s0 = X[(j+1)&0x0f];     s0 = sigma0(s0);        \
 528         s1 = X[(j+14)&0x0f];    s1 = sigma1(s1);        \
 529         T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f];    \
 530         ROUND_00_15(i+j,a,b,c,d,e,f,g,h);               } while (0)
 531
 532 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
 533         {
 534         const SHA_LONG64 *W=in;
 535         SHA_LONG64      a,b,c,d,e,f,g,h,s0,s1,T1;
 536         SHA_LONG64      X[16];
 537         int i;
 538
 539                         while (num--) {
 540
 541         a = ctx->h[0];  b = ctx->h[1];  c = ctx->h[2];  d = ctx->h[3];
 542         e = ctx->h[4];  f = ctx->h[5];  g = ctx->h[6];  h = ctx->h[7];
 543
 544 #ifdef B_ENDIAN
 545         T1 = X[0] = W[0];       ROUND_00_15(0,a,b,c,d,e,f,g,h);
 546         T1 = X[1] = W[1];       ROUND_00_15(1,h,a,b,c,d,e,f,g);
 547         T1 = X[2] = W[2];       ROUND_00_15(2,g,h,a,b,c,d,e,f);
 548         T1 = X[3] = W[3];       ROUND_00_15(3,f,g,h,a,b,c,d,e);
 549         T1 = X[4] = W[4];       ROUND_00_15(4,e,f,g,h,a,b,c,d);
 550         T1 = X[5] = W[5];       ROUND_00_15(5,d,e,f,g,h,a,b,c);
 551         T1 = X[6] = W[6];       ROUND_00_15(6,c,d,e,f,g,h,a,b);
 552         T1 = X[7] = W[7];       ROUND_00_15(7,b,c,d,e,f,g,h,a);
 553         T1 = X[8] = W[8];       ROUND_00_15(8,a,b,c,d,e,f,g,h);
 554         T1 = X[9] = W[9];       ROUND_00_15(9,h,a,b,c,d,e,f,g);
 555         T1 = X[10] = W[10];     ROUND_00_15(10,g,h,a,b,c,d,e,f);
 556         T1 = X[11] = W[11];     ROUND_00_15(11,f,g,h,a,b,c,d,e);
 557         T1 = X[12] = W[12];     ROUND_00_15(12,e,f,g,h,a,b,c,d);
 558         T1 = X[13] = W[13];     ROUND_00_15(13,d,e,f,g,h,a,b,c);
 559         T1 = X[14] = W[14];     ROUND_00_15(14,c,d,e,f,g,h,a,b);
 560         T1 = X[15] = W[15];     ROUND_00_15(15,b,c,d,e,f,g,h,a);
 561 #else
 562         T1 = X[0]  = PULL64(W[0]);      ROUND_00_15(0,a,b,c,d,e,f,g,h);
 563         T1 = X[1]  = PULL64(W[1]);      ROUND_00_15(1,h,a,b,c,d,e,f,g);
 564         T1 = X[2]  = PULL64(W[2]);      ROUND_00_15(2,g,h,a,b,c,d,e,f);
 565         T1 = X[3]  = PULL64(W[3]);      ROUND_00_15(3,f,g,h,a,b,c,d,e);
 566         T1 = X[4]  = PULL64(W[4]);      ROUND_00_15(4,e,f,g,h,a,b,c,d);
 567         T1 = X[5]  = PULL64(W[5]);      ROUND_00_15(5,d,e,f,g,h,a,b,c);
 568         T1 = X[6]  = PULL64(W[6]);      ROUND_00_15(6,c,d,e,f,g,h,a,b);
 569         T1 = X[7]  = PULL64(W[7]);      ROUND_00_15(7,b,c,d,e,f,g,h,a);
 570         T1 = X[8]  = PULL64(W[8]);      ROUND_00_15(8,a,b,c,d,e,f,g,h);
 571         T1 = X[9]  = PULL64(W[9]);      ROUND_00_15(9,h,a,b,c,d,e,f,g);
 572         T1 = X[10] = PULL64(W[10]);     ROUND_00_15(10,g,h,a,b,c,d,e,f);
 573         T1 = X[11] = PULL64(W[11]);     ROUND_00_15(11,f,g,h,a,b,c,d,e);
 574         T1 = X[12] = PULL64(W[12]);     ROUND_00_15(12,e,f,g,h,a,b,c,d);
 575         T1 = X[13] = PULL64(W[13]);     ROUND_00_15(13,d,e,f,g,h,a,b,c);
 576         T1 = X[14] = PULL64(W[14]);     ROUND_00_15(14,c,d,e,f,g,h,a,b);
 577         T1 = X[15] = PULL64(W[15]);     ROUND_00_15(15,b,c,d,e,f,g,h,a);
 578 #endif
 579
 580         for (i=16;i<80;i+=16)
 581                 {
 582                 ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X);
 583                 ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X);
 584                 ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X);
 585                 ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X);
 586                 ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X);
 587                 ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X);
 588                 ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X);
 589                 ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X);
 590                 ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X);
 591                 ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X);
 592                 ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X);
 593                 ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X);
 594                 ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X);
 595                 ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X);
 596                 ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X);
 597                 ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X);
 598                 }
 599
 600         ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
 601         ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
 602
 603                         W+=SHA_LBLOCK;
 604                         }
 605         }
 606
 607 #endif
 608
 609 #endif /* SHA512_ASM */
 610
 611 #else /* !OPENSSL_NO_SHA512 */
 612
 613 #if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX)
 614 static void *dummy=&dummy;
 615 #endif
 616
 617 #endif /* !OPENSSL_NO_SHA512 */