• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* crypto/sha/sha512.c */
2 /* ====================================================================
3  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
4  * according to the OpenSSL license [found in ../../LICENSE].
5  * ====================================================================
6  */
7 #include <openssl/opensslconf.h>
8 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
9 /*
10  * IMPLEMENTATION NOTES.
11  *
12  * As you might have noticed 32-bit hash algorithms:
13  *
14  * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
15  * - optimized versions implement two transform functions: one operating
16  *   on [aligned] data in host byte order and one - on data in input
17  *   stream byte order;
18  * - share common byte-order neutral collector and padding function
19  *   implementations, ../md32_common.h;
20  *
21  * Neither of the above applies to this SHA-512 implementations. Reasons
22  * [in reverse order] are:
23  *
24  * - it's the only 64-bit hash algorithm for the moment of this writing,
25  *   there is no need for common collector/padding implementation [yet];
26  * - by supporting only one transform function [which operates on
27  *   *aligned* data in input stream byte order, big-endian in this case]
28  *   we minimize burden of maintenance in two ways: a) collector/padding
29  *   function is simpler; b) only one transform function to stare at;
30  * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
31  *   apply a number of optimizations to mitigate potential performance
32  *   penalties caused by previous design decision;
33  *
34  * Caveat lector.
35  *
36  * Implementation relies on the fact that "long long" is 64-bit on
37  * both 32- and 64-bit platforms. If some compiler vendor comes up
38  * with 128-bit long long, adjustment to sha.h would be required.
39  * As this implementation relies on 64-bit integer type, it's totally
40  * inappropriate for platforms which don't support it, most notably
41  * 16-bit platforms.
42  *					<appro@fy.chalmers.se>
43  */
44 #include <stdlib.h>
45 #include <string.h>
46 
47 #include <openssl/crypto.h>
48 #include <openssl/sha.h>
49 #include <openssl/opensslv.h>
50 
51 #include "cryptlib.h"
52 
53 const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT;
54 
55 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
56     defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
57     defined(__s390__) || defined(__s390x__) || \
58     defined(SHA512_ASM)
59 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
60 #endif
61 
SHA384_Init(SHA512_CTX * c)62 int SHA384_Init (SHA512_CTX *c)
63 	{
64 #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
65 	/* maintain dword order required by assembler module */
66 	unsigned int *h = (unsigned int *)c->h;
67 
68 	h[0]  = 0xcbbb9d5d; h[1]  = 0xc1059ed8;
69 	h[2]  = 0x629a292a; h[3]  = 0x367cd507;
70 	h[4]  = 0x9159015a; h[5]  = 0x3070dd17;
71 	h[6]  = 0x152fecd8; h[7]  = 0xf70e5939;
72 	h[8]  = 0x67332667; h[9]  = 0xffc00b31;
73 	h[10] = 0x8eb44a87; h[11] = 0x68581511;
74 	h[12] = 0xdb0c2e0d; h[13] = 0x64f98fa7;
75 	h[14] = 0x47b5481d; h[15] = 0xbefa4fa4;
76 #else
77 	c->h[0]=U64(0xcbbb9d5dc1059ed8);
78 	c->h[1]=U64(0x629a292a367cd507);
79 	c->h[2]=U64(0x9159015a3070dd17);
80 	c->h[3]=U64(0x152fecd8f70e5939);
81 	c->h[4]=U64(0x67332667ffc00b31);
82 	c->h[5]=U64(0x8eb44a8768581511);
83 	c->h[6]=U64(0xdb0c2e0d64f98fa7);
84 	c->h[7]=U64(0x47b5481dbefa4fa4);
85 #endif
86         c->Nl=0;        c->Nh=0;
87         c->num=0;       c->md_len=SHA384_DIGEST_LENGTH;
88         return 1;
89 	}
90 
SHA512_Init(SHA512_CTX * c)91 int SHA512_Init (SHA512_CTX *c)
92 	{
93 #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
94 	/* maintain dword order required by assembler module */
95 	unsigned int *h = (unsigned int *)c->h;
96 
97 	h[0]  = 0x6a09e667; h[1]  = 0xf3bcc908;
98 	h[2]  = 0xbb67ae85; h[3]  = 0x84caa73b;
99 	h[4]  = 0x3c6ef372; h[5]  = 0xfe94f82b;
100 	h[6]  = 0xa54ff53a; h[7]  = 0x5f1d36f1;
101 	h[8]  = 0x510e527f; h[9]  = 0xade682d1;
102 	h[10] = 0x9b05688c; h[11] = 0x2b3e6c1f;
103 	h[12] = 0x1f83d9ab; h[13] = 0xfb41bd6b;
104 	h[14] = 0x5be0cd19; h[15] = 0x137e2179;
105 #else
106 	c->h[0]=U64(0x6a09e667f3bcc908);
107 	c->h[1]=U64(0xbb67ae8584caa73b);
108 	c->h[2]=U64(0x3c6ef372fe94f82b);
109 	c->h[3]=U64(0xa54ff53a5f1d36f1);
110 	c->h[4]=U64(0x510e527fade682d1);
111 	c->h[5]=U64(0x9b05688c2b3e6c1f);
112 	c->h[6]=U64(0x1f83d9abfb41bd6b);
113 	c->h[7]=U64(0x5be0cd19137e2179);
114 #endif
115         c->Nl=0;        c->Nh=0;
116         c->num=0;       c->md_len=SHA512_DIGEST_LENGTH;
117         return 1;
118 	}
119 
120 #ifndef SHA512_ASM
121 static
122 #endif
123 void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num);
124 
SHA512_Final(unsigned char * md,SHA512_CTX * c)125 int SHA512_Final (unsigned char *md, SHA512_CTX *c)
126 	{
127 	unsigned char *p=(unsigned char *)c->u.p;
128 	size_t n=c->num;
129 
130 	p[n]=0x80;	/* There always is a room for one */
131 	n++;
132 	if (n > (sizeof(c->u)-16))
133 		memset (p+n,0,sizeof(c->u)-n), n=0,
134 		sha512_block_data_order (c,p,1);
135 
136 	memset (p+n,0,sizeof(c->u)-16-n);
137 #ifdef	B_ENDIAN
138 	c->u.d[SHA_LBLOCK-2] = c->Nh;
139 	c->u.d[SHA_LBLOCK-1] = c->Nl;
140 #else
141 	p[sizeof(c->u)-1]  = (unsigned char)(c->Nl);
142 	p[sizeof(c->u)-2]  = (unsigned char)(c->Nl>>8);
143 	p[sizeof(c->u)-3]  = (unsigned char)(c->Nl>>16);
144 	p[sizeof(c->u)-4]  = (unsigned char)(c->Nl>>24);
145 	p[sizeof(c->u)-5]  = (unsigned char)(c->Nl>>32);
146 	p[sizeof(c->u)-6]  = (unsigned char)(c->Nl>>40);
147 	p[sizeof(c->u)-7]  = (unsigned char)(c->Nl>>48);
148 	p[sizeof(c->u)-8]  = (unsigned char)(c->Nl>>56);
149 	p[sizeof(c->u)-9]  = (unsigned char)(c->Nh);
150 	p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
151 	p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
152 	p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
153 	p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
154 	p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
155 	p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
156 	p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
157 #endif
158 
159 	sha512_block_data_order (c,p,1);
160 
161 	if (md==0) return 0;
162 
163 #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
164 	/* recall assembler dword order... */
165 	n = c->md_len;
166 	if (n == SHA384_DIGEST_LENGTH || n == SHA512_DIGEST_LENGTH)
167 		{
168 		unsigned int *h = (unsigned int *)c->h, t;
169 
170 		for (n/=4;n;n--)
171 			{
172 			t = *(h++);
173 			*(md++) = (unsigned char)(t>>24);
174 			*(md++) = (unsigned char)(t>>16);
175 			*(md++) = (unsigned char)(t>>8);
176 			*(md++) = (unsigned char)(t);
177 			}
178 		}
179 	else	return 0;
180 #else
181 	switch (c->md_len)
182 		{
183 		/* Let compiler decide if it's appropriate to unroll... */
184 		case SHA384_DIGEST_LENGTH:
185 			for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
186 				{
187 				SHA_LONG64 t = c->h[n];
188 
189 				*(md++)	= (unsigned char)(t>>56);
190 				*(md++)	= (unsigned char)(t>>48);
191 				*(md++)	= (unsigned char)(t>>40);
192 				*(md++)	= (unsigned char)(t>>32);
193 				*(md++)	= (unsigned char)(t>>24);
194 				*(md++)	= (unsigned char)(t>>16);
195 				*(md++)	= (unsigned char)(t>>8);
196 				*(md++)	= (unsigned char)(t);
197 				}
198 			break;
199 		case SHA512_DIGEST_LENGTH:
200 			for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
201 				{
202 				SHA_LONG64 t = c->h[n];
203 
204 				*(md++)	= (unsigned char)(t>>56);
205 				*(md++)	= (unsigned char)(t>>48);
206 				*(md++)	= (unsigned char)(t>>40);
207 				*(md++)	= (unsigned char)(t>>32);
208 				*(md++)	= (unsigned char)(t>>24);
209 				*(md++)	= (unsigned char)(t>>16);
210 				*(md++)	= (unsigned char)(t>>8);
211 				*(md++)	= (unsigned char)(t);
212 				}
213 			break;
214 		/* ... as well as make sure md_len is not abused. */
215 		default:	return 0;
216 		}
217 #endif
218 	return 1;
219 	}
220 
SHA384_Final(unsigned char * md,SHA512_CTX * c)221 int SHA384_Final (unsigned char *md,SHA512_CTX *c)
222 {   return SHA512_Final (md,c);   }
223 
SHA512_Update(SHA512_CTX * c,const void * _data,size_t len)224 int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
225 	{
226 	SHA_LONG64	l;
227 	unsigned char  *p=c->u.p;
228 	const unsigned char *data=(const unsigned char *)_data;
229 
230 	if (len==0) return  1;
231 
232 	l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
233 	if (l < c->Nl)		c->Nh++;
234 	if (sizeof(len)>=8)	c->Nh+=(((SHA_LONG64)len)>>61);
235 	c->Nl=l;
236 
237 	if (c->num != 0)
238 		{
239 		size_t n = sizeof(c->u) - c->num;
240 
241 		if (len < n)
242 			{
243 			memcpy (p+c->num,data,len), c->num += (unsigned int)len;
244 			return 1;
245 			}
246 		else	{
247 			memcpy (p+c->num,data,n), c->num = 0;
248 			len-=n, data+=n;
249 			sha512_block_data_order (c,p,1);
250 			}
251 		}
252 
253 	if (len >= sizeof(c->u))
254 		{
255 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
256 		if ((size_t)data%sizeof(c->u.d[0]) != 0)
257 			while (len >= sizeof(c->u))
258 				memcpy (p,data,sizeof(c->u)),
259 				sha512_block_data_order (c,p,1),
260 				len  -= sizeof(c->u),
261 				data += sizeof(c->u);
262 		else
263 #endif
264 			sha512_block_data_order (c,data,len/sizeof(c->u)),
265 			data += len,
266 			len  %= sizeof(c->u),
267 			data -= len;
268 		}
269 
270 	if (len != 0)	memcpy (p,data,len), c->num = (int)len;
271 
272 	return 1;
273 	}
274 
SHA384_Update(SHA512_CTX * c,const void * data,size_t len)275 int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
276 {   return SHA512_Update (c,data,len);   }
277 
SHA512_Transform(SHA512_CTX * c,const unsigned char * data)278 void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
279 {   sha512_block_data_order (c,data,1);  }
280 
SHA384(const unsigned char * d,size_t n,unsigned char * md)281 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
282 	{
283 	SHA512_CTX c;
284 	static unsigned char m[SHA384_DIGEST_LENGTH];
285 
286 	if (md == NULL) md=m;
287 	SHA384_Init(&c);
288 	SHA512_Update(&c,d,n);
289 	SHA512_Final(md,&c);
290 	OPENSSL_cleanse(&c,sizeof(c));
291 	return(md);
292 	}
293 
SHA512(const unsigned char * d,size_t n,unsigned char * md)294 unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
295 	{
296 	SHA512_CTX c;
297 	static unsigned char m[SHA512_DIGEST_LENGTH];
298 
299 	if (md == NULL) md=m;
300 	SHA512_Init(&c);
301 	SHA512_Update(&c,d,n);
302 	SHA512_Final(md,&c);
303 	OPENSSL_cleanse(&c,sizeof(c));
304 	return(md);
305 	}
306 
307 #ifndef SHA512_ASM
308 static const SHA_LONG64 K512[80] = {
309         U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
310         U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
311         U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
312         U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
313         U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
314         U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
315         U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
316         U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
317         U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
318         U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
319         U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
320         U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
321         U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
322         U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
323         U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
324         U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
325         U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
326         U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
327         U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
328         U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
329         U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
330         U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
331         U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
332         U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
333         U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
334         U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
335         U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
336         U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
337         U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
338         U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
339         U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
340         U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
341         U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
342         U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
343         U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
344         U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
345         U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
346         U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
347         U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
348         U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
349 
350 #ifndef PEDANTIC
351 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
352 #  if defined(__x86_64) || defined(__x86_64__)
353 #   define ROTR(a,n)	({ SHA_LONG64 ret;		\
354 				asm ("rorq %1,%0"	\
355 				: "=r"(ret)		\
356 				: "J"(n),"0"(a)		\
357 				: "cc"); ret;		})
358 #   if !defined(B_ENDIAN)
359 #    define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));	\
360 				asm ("bswapq	%0"		\
361 				: "=r"(ret)			\
362 				: "0"(ret)); ret;		})
363 #   endif
364 #  elif (defined(__i386) || defined(__i386__)) && !defined(B_ENDIAN)
365 #   if defined(I386_ONLY)
366 #    define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
367 			 unsigned int hi=p[0],lo=p[1];		\
368 				asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
369 				    "roll $16,%%eax; roll $16,%%edx; "\
370 				    "xchgb %%ah,%%al;xchgb %%dh,%%dl;" \
371 				: "=a"(lo),"=d"(hi)		\
372 				: "0"(lo),"1"(hi) : "cc");	\
373 				((SHA_LONG64)hi)<<32|lo;	})
374 #   else
375 #    define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
376 			 unsigned int hi=p[0],lo=p[1];		\
377 				asm ("bswapl %0; bswapl %1;"	\
378 				: "=r"(lo),"=r"(hi)		\
379 				: "0"(lo),"1"(hi));		\
380 				((SHA_LONG64)hi)<<32|lo;	})
381 #   endif
382 #  elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
383 #   define ROTR(a,n)	({ SHA_LONG64 ret;		\
384 				asm ("rotrdi %0,%1,%2"	\
385 				: "=r"(ret)		\
386 				: "r"(a),"K"(n)); ret;	})
387 #  endif
388 # elif defined(_MSC_VER)
389 #  if defined(_WIN64)	/* applies to both IA-64 and AMD64 */
390 #   pragma intrinsic(_rotr64)
391 #   define ROTR(a,n)	_rotr64((a),n)
392 #  endif
393 #  if defined(_M_IX86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
394 #   if defined(I386_ONLY)
__pull64be(const void * x)395     static SHA_LONG64 __fastcall __pull64be(const void *x)
396     {	_asm	mov	edx, [ecx + 0]
397 	_asm	mov	eax, [ecx + 4]
398 	_asm	xchg	dh,dl
399 	_asm	xchg	ah,al
400 	_asm	rol	edx,16
401 	_asm	rol	eax,16
402 	_asm	xchg	dh,dl
403 	_asm	xchg	ah,al
404     }
405 #   else
__pull64be(const void * x)406     static SHA_LONG64 __fastcall __pull64be(const void *x)
407     {	_asm	mov	edx, [ecx + 0]
408 	_asm	mov	eax, [ecx + 4]
409 	_asm	bswap	edx
410 	_asm	bswap	eax
411     }
412 #   endif
413 #   define PULL64(x) __pull64be(&(x))
414 #   if _MSC_VER<=1200
415 #    pragma inline_depth(0)
416 #   endif
417 #  endif
418 # endif
419 #endif
420 
421 #ifndef PULL64
422 #define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
423 #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
424 #endif
425 
426 #ifndef ROTR
427 #define ROTR(x,s)	(((x)>>s) | (x)<<(64-s))
428 #endif
429 
430 #define Sigma0(x)	(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
431 #define Sigma1(x)	(ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
432 #define sigma0(x)	(ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
433 #define sigma1(x)	(ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
434 
435 #define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
436 #define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
437 
438 
439 #if defined(__i386) || defined(__i386__) || defined(_M_IX86)
440 /*
441  * This code should give better results on 32-bit CPU with less than
442  * ~24 registers, both size and performance wise...
443  */
sha512_block_data_order(SHA512_CTX * ctx,const void * in,size_t num)444 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
445 	{
446 	const SHA_LONG64 *W=in;
447 	SHA_LONG64	A,E,T;
448 	SHA_LONG64	X[9+80],*F;
449 	int i;
450 
451 			while (num--) {
452 
453 	F    = X+80;
454 	A    = ctx->h[0];	F[1] = ctx->h[1];
455 	F[2] = ctx->h[2];	F[3] = ctx->h[3];
456 	E    = ctx->h[4];	F[5] = ctx->h[5];
457 	F[6] = ctx->h[6];	F[7] = ctx->h[7];
458 
459 	for (i=0;i<16;i++,F--)
460 		{
461 #ifdef B_ENDIAN
462 		T = W[i];
463 #else
464 		T = PULL64(W[i]);
465 #endif
466 		F[0] = A;
467 		F[4] = E;
468 		F[8] = T;
469 		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
470 		E    = F[3] + T;
471 		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
472 		}
473 
474 	for (;i<80;i++,F--)
475 		{
476 		T    = sigma0(F[8+16-1]);
477 		T   += sigma1(F[8+16-14]);
478 		T   += F[8+16] + F[8+16-9];
479 
480 		F[0] = A;
481 		F[4] = E;
482 		F[8] = T;
483 		T   += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
484 		E    = F[3] + T;
485 		A    = T + Sigma0(A) + Maj(A,F[1],F[2]);
486 		}
487 
488 	ctx->h[0] += A;		ctx->h[1] += F[1];
489 	ctx->h[2] += F[2];	ctx->h[3] += F[3];
490 	ctx->h[4] += E;		ctx->h[5] += F[5];
491 	ctx->h[6] += F[6];	ctx->h[7] += F[7];
492 
493 			W+=SHA_LBLOCK;
494 			}
495 	}
496 
497 #elif defined(OPENSSL_SMALL_FOOTPRINT)
498 
sha512_block_data_order(SHA512_CTX * ctx,const void * in,size_t num)499 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
500 	{
501 	const SHA_LONG64 *W=in;
502 	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1,T2;
503 	SHA_LONG64	X[16];
504 	int i;
505 
506 			while (num--) {
507 
508 	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
509 	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
510 
511 	for (i=0;i<16;i++)
512 		{
513 #ifdef B_ENDIAN
514 		T1 = X[i] = W[i];
515 #else
516 		T1 = X[i] = PULL64(W[i]);
517 #endif
518 		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
519 		T2 = Sigma0(a) + Maj(a,b,c);
520 		h = g;	g = f;	f = e;	e = d + T1;
521 		d = c;	c = b;	b = a;	a = T1 + T2;
522 		}
523 
524 	for (;i<80;i++)
525 		{
526 		s0 = X[(i+1)&0x0f];	s0 = sigma0(s0);
527 		s1 = X[(i+14)&0x0f];	s1 = sigma1(s1);
528 
529 		T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
530 		T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
531 		T2 = Sigma0(a) + Maj(a,b,c);
532 		h = g;	g = f;	f = e;	e = d + T1;
533 		d = c;	c = b;	b = a;	a = T1 + T2;
534 		}
535 
536 	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
537 	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
538 
539 			W+=SHA_LBLOCK;
540 			}
541 	}
542 
543 #else
544 
545 #define	ROUND_00_15(i,a,b,c,d,e,f,g,h)		do {	\
546 	T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];	\
547 	h = Sigma0(a) + Maj(a,b,c);			\
548 	d += T1;	h += T1;		} while (0)
549 
550 #define	ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X)	do {	\
551 	s0 = X[(j+1)&0x0f];	s0 = sigma0(s0);	\
552 	s1 = X[(j+14)&0x0f];	s1 = sigma1(s1);	\
553 	T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f];	\
554 	ROUND_00_15(i+j,a,b,c,d,e,f,g,h);		} while (0)
555 
sha512_block_data_order(SHA512_CTX * ctx,const void * in,size_t num)556 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
557 	{
558 	const SHA_LONG64 *W=in;
559 	SHA_LONG64	a,b,c,d,e,f,g,h,s0,s1,T1;
560 	SHA_LONG64	X[16];
561 	int i;
562 
563 			while (num--) {
564 
565 	a = ctx->h[0];	b = ctx->h[1];	c = ctx->h[2];	d = ctx->h[3];
566 	e = ctx->h[4];	f = ctx->h[5];	g = ctx->h[6];	h = ctx->h[7];
567 
568 #ifdef B_ENDIAN
569 	T1 = X[0] = W[0];	ROUND_00_15(0,a,b,c,d,e,f,g,h);
570 	T1 = X[1] = W[1];	ROUND_00_15(1,h,a,b,c,d,e,f,g);
571 	T1 = X[2] = W[2];	ROUND_00_15(2,g,h,a,b,c,d,e,f);
572 	T1 = X[3] = W[3];	ROUND_00_15(3,f,g,h,a,b,c,d,e);
573 	T1 = X[4] = W[4];	ROUND_00_15(4,e,f,g,h,a,b,c,d);
574 	T1 = X[5] = W[5];	ROUND_00_15(5,d,e,f,g,h,a,b,c);
575 	T1 = X[6] = W[6];	ROUND_00_15(6,c,d,e,f,g,h,a,b);
576 	T1 = X[7] = W[7];	ROUND_00_15(7,b,c,d,e,f,g,h,a);
577 	T1 = X[8] = W[8];	ROUND_00_15(8,a,b,c,d,e,f,g,h);
578 	T1 = X[9] = W[9];	ROUND_00_15(9,h,a,b,c,d,e,f,g);
579 	T1 = X[10] = W[10];	ROUND_00_15(10,g,h,a,b,c,d,e,f);
580 	T1 = X[11] = W[11];	ROUND_00_15(11,f,g,h,a,b,c,d,e);
581 	T1 = X[12] = W[12];	ROUND_00_15(12,e,f,g,h,a,b,c,d);
582 	T1 = X[13] = W[13];	ROUND_00_15(13,d,e,f,g,h,a,b,c);
583 	T1 = X[14] = W[14];	ROUND_00_15(14,c,d,e,f,g,h,a,b);
584 	T1 = X[15] = W[15];	ROUND_00_15(15,b,c,d,e,f,g,h,a);
585 #else
586 	T1 = X[0]  = PULL64(W[0]);	ROUND_00_15(0,a,b,c,d,e,f,g,h);
587 	T1 = X[1]  = PULL64(W[1]);	ROUND_00_15(1,h,a,b,c,d,e,f,g);
588 	T1 = X[2]  = PULL64(W[2]);	ROUND_00_15(2,g,h,a,b,c,d,e,f);
589 	T1 = X[3]  = PULL64(W[3]);	ROUND_00_15(3,f,g,h,a,b,c,d,e);
590 	T1 = X[4]  = PULL64(W[4]);	ROUND_00_15(4,e,f,g,h,a,b,c,d);
591 	T1 = X[5]  = PULL64(W[5]);	ROUND_00_15(5,d,e,f,g,h,a,b,c);
592 	T1 = X[6]  = PULL64(W[6]);	ROUND_00_15(6,c,d,e,f,g,h,a,b);
593 	T1 = X[7]  = PULL64(W[7]);	ROUND_00_15(7,b,c,d,e,f,g,h,a);
594 	T1 = X[8]  = PULL64(W[8]);	ROUND_00_15(8,a,b,c,d,e,f,g,h);
595 	T1 = X[9]  = PULL64(W[9]);	ROUND_00_15(9,h,a,b,c,d,e,f,g);
596 	T1 = X[10] = PULL64(W[10]);	ROUND_00_15(10,g,h,a,b,c,d,e,f);
597 	T1 = X[11] = PULL64(W[11]);	ROUND_00_15(11,f,g,h,a,b,c,d,e);
598 	T1 = X[12] = PULL64(W[12]);	ROUND_00_15(12,e,f,g,h,a,b,c,d);
599 	T1 = X[13] = PULL64(W[13]);	ROUND_00_15(13,d,e,f,g,h,a,b,c);
600 	T1 = X[14] = PULL64(W[14]);	ROUND_00_15(14,c,d,e,f,g,h,a,b);
601 	T1 = X[15] = PULL64(W[15]);	ROUND_00_15(15,b,c,d,e,f,g,h,a);
602 #endif
603 
604 	for (i=16;i<80;i+=16)
605 		{
606 		ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X);
607 		ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X);
608 		ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X);
609 		ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X);
610 		ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X);
611 		ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X);
612 		ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X);
613 		ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X);
614 		ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X);
615 		ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X);
616 		ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X);
617 		ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X);
618 		ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X);
619 		ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X);
620 		ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X);
621 		ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X);
622 		}
623 
624 	ctx->h[0] += a;	ctx->h[1] += b;	ctx->h[2] += c;	ctx->h[3] += d;
625 	ctx->h[4] += e;	ctx->h[5] += f;	ctx->h[6] += g;	ctx->h[7] += h;
626 
627 			W+=SHA_LBLOCK;
628 			}
629 	}
630 
631 #endif
632 
633 #endif /* SHA512_ASM */
634 
635 #else /* !OPENSSL_NO_SHA512 */
636 
637 #if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX)
638 static void *dummy=&dummy;
639 #endif
640 
641 #endif /* !OPENSSL_NO_SHA512 */
642