crypto/sha/sha512.c

   1 /* crypto/sha/sha512.c */
   2 /* ====================================================================
   3  * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
   4  * according to the OpenSSL license [found in ../../LICENSE].
   5  * ====================================================================
   6  */
   7 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
   8 /*
   9  * IMPLEMENTATION NOTES.
  10  *
  11  * As you might have noticed 32-bit hash algorithms:
  12  *
  13  * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
  14  * - optimized versions implement two transform functions: one operating
  15  *   on [aligned] data in host byte order and one - on data in input
  16  *   stream byte order;
  17  * - share common byte-order neutral collector and padding function
  18  *   implementations, ../md32_common.h;
  19  *
  20  * Neither of the above applies to this SHA-512 implementations. Reasons
  21  * [in reverse order] are:
  22  *
  23  * - it's the only 64-bit hash algorithm for the moment of this writing,
  24  *   there is no need for common collector/padding implementation [yet];
  25  * - by supporting only one transform function [which operates on
  26  *   *aligned* data in input stream byte order, big-endian in this case]
  27  *   we minimize burden of maintenance in two ways: a) collector/padding
  28  *   function is simpler; b) only one transform function to stare at;
  29  * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
  30  *   apply a number of optimizations to mitigate potential performance
  31  *   penalties caused by previous design decision;
  32  *
  33  * Caveat lector.
  34  *
  35  * Implementation relies on the fact that "long long" is 64-bit on
  36  * both 32- and 64-bit platforms. If some compiler vendor comes up
  37  * with 128-bit long long, adjustment to sha.h would be required.
  38  * As this implementation relies on 64-bit integer type, it's totally
  39  * inappropriate for platforms which don't support it, most notably
  40  * 16-bit platforms.
  41  *                                      <appro@fy.chalmers.se>
  42  */
  43 #include <stdlib.h>
  44 #include <string.h>
  45
  46 #include <openssl/opensslconf.h>
  47 #include <openssl/crypto.h>
  48 #include <openssl/sha.h>
  49 #include <openssl/opensslv.h>
  50
  51 const char *SHA512_version="SHA-512" OPENSSL_VERSION_PTEXT;
  52
  53 #if defined(_M_IX86) || defined(_M_AMD64) || defined(__i386) || defined(__x86_64)
  54 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
  55 #endif
  56
  57 int SHA384_Init (SHA512_CTX *c)
  58         {
  59         c->h[0]=U64(0xcbbb9d5dc1059ed8);
  60         c->h[1]=U64(0x629a292a367cd507);
  61         c->h[2]=U64(0x9159015a3070dd17);
  62         c->h[3]=U64(0x152fecd8f70e5939);
  63         c->h[4]=U64(0x67332667ffc00b31);
  64         c->h[5]=U64(0x8eb44a8768581511);
  65         c->h[6]=U64(0xdb0c2e0d64f98fa7);
  66         c->h[7]=U64(0x47b5481dbefa4fa4);
  67         c->Nl=0;        c->Nh=0;
  68         c->num=0;       c->md_len=SHA384_DIGEST_LENGTH;
  69         return 1;
  70         }
  71
  72 int SHA512_Init (SHA512_CTX *c)
  73         {
  74         c->h[0]=U64(0x6a09e667f3bcc908);
  75         c->h[1]=U64(0xbb67ae8584caa73b);
  76         c->h[2]=U64(0x3c6ef372fe94f82b);
  77         c->h[3]=U64(0xa54ff53a5f1d36f1);
  78         c->h[4]=U64(0x510e527fade682d1);
  79         c->h[5]=U64(0x9b05688c2b3e6c1f);
  80         c->h[6]=U64(0x1f83d9abfb41bd6b);
  81         c->h[7]=U64(0x5be0cd19137e2179);
  82         c->Nl=0;        c->Nh=0;
  83         c->num=0;       c->md_len=SHA512_DIGEST_LENGTH;
  84         return 1;
  85         }
  86
  87 #ifndef SHA512_ASM
  88 static
  89 #endif
  90 void sha512_block (SHA512_CTX *ctx, const void *in, size_t num);
  91
  92 int SHA512_Final (unsigned char *md, SHA512_CTX *c)
  93         {
  94         unsigned char *p=(unsigned char *)c->u.p;
  95         size_t n=c->num;
  96
  97         p[n]=0x80;      /* There always is a room for one */
  98         n++;
  99         if (n > (sizeof(c->u)-16))
 100                 memset (p+n,0,sizeof(c->u)-n), n=0,
 101                 sha512_block (c,p,1);
 102
 103         memset (p+n,0,sizeof(c->u)-16-n);
 104 #ifdef  B_ENDIAN
 105         c->u.d[SHA_LBLOCK-2] = c->Nh;
 106         c->u.d[SHA_LBLOCK-1] = c->Nl;
 107 #else
 108         p[sizeof(c->u)-1]  = (unsigned char)(c->Nl);
 109         p[sizeof(c->u)-2]  = (unsigned char)(c->Nl>>8);
 110         p[sizeof(c->u)-3]  = (unsigned char)(c->Nl>>16);
 111         p[sizeof(c->u)-4]  = (unsigned char)(c->Nl>>24);
 112         p[sizeof(c->u)-5]  = (unsigned char)(c->Nl>>32);
 113         p[sizeof(c->u)-6]  = (unsigned char)(c->Nl>>40);
 114         p[sizeof(c->u)-7]  = (unsigned char)(c->Nl>>48);
 115         p[sizeof(c->u)-8]  = (unsigned char)(c->Nl>>56);
 116         p[sizeof(c->u)-9]  = (unsigned char)(c->Nh);
 117         p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
 118         p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
 119         p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
 120         p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
 121         p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
 122         p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
 123         p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
 124 #endif
 125
 126         sha512_block (c,p,1);
 127
 128         if (md==0) return 0;
 129
 130         switch (c->md_len)
 131                 {
 132                 /* Let compiler decide if it's appropriate to unroll... */
 133                 case SHA384_DIGEST_LENGTH:
 134                         for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
 135                                 {
 136                                 SHA_LONG64 t = c->h[n];
 137
 138                                 *(md++) = (unsigned char)(t>>56);
 139                                 *(md++) = (unsigned char)(t>>48);
 140                                 *(md++) = (unsigned char)(t>>40);
 141                                 *(md++) = (unsigned char)(t>>32);
 142                                 *(md++) = (unsigned char)(t>>24);
 143                                 *(md++) = (unsigned char)(t>>16);
 144                                 *(md++) = (unsigned char)(t>>8);
 145                                 *(md++) = (unsigned char)(t);
 146                                 }
 147                         break;
 148                 case SHA512_DIGEST_LENGTH:
 149                         for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
 150                                 {
 151                                 SHA_LONG64 t = c->h[n];
 152
 153                                 *(md++) = (unsigned char)(t>>56);
 154                                 *(md++) = (unsigned char)(t>>48);
 155                                 *(md++) = (unsigned char)(t>>40);
 156                                 *(md++) = (unsigned char)(t>>32);
 157                                 *(md++) = (unsigned char)(t>>24);
 158                                 *(md++) = (unsigned char)(t>>16);
 159                                 *(md++) = (unsigned char)(t>>8);
 160                                 *(md++) = (unsigned char)(t);
 161                                 }
 162                         break;
 163                 /* ... as well as make sure md_len is not abused. */
 164                 default:        return 0;
 165                 }
 166
 167         return 1;
 168         }
 169
 170 int SHA384_Final (unsigned char *md,SHA512_CTX *c)
 171 {   return SHA512_Final (md,c);   }
 172
 173 int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
 174         {
 175         SHA_LONG64      l;
 176         unsigned char  *p=c->u.p;
 177         const unsigned char *data=(const unsigned char *)_data;
 178
 179         if (len==0) return  1;
 180
 181         l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
 182         if (l < c->Nl)          c->Nh++;
 183         if (sizeof(len)>=8)     c->Nh+=(((SHA_LONG64)len)>>61);
 184         c->Nl=l;
 185
 186         if (c->num != 0)
 187                 {
 188                 size_t n = sizeof(c->u) - c->num;
 189
 190                 if (len < n)
 191                         {
 192                         memcpy (p+c->num,data,len), c->num += len;
 193                         return 1;
 194                         }
 195                 else    {
 196                         memcpy (p+c->num,data,n), c->num = 0;
 197                         len-=n, data+=n;
 198                         sha512_block (c,p,1);
 199                         }
 200                 }
 201
 202         if (len >= sizeof(c->u))
 203                 {
 204 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
 205                 if ((size_t)data%sizeof(c->u.d[0]) != 0)
 206                         while (len >= sizeof(c->u))
 207                                 memcpy (p,data,sizeof(c->u)),
 208                                 sha512_block (c,p,1),
 209                                 len  -= sizeof(c->u),
 210                                 data += sizeof(c->u);
 211                 else
 212 #endif
 213                         sha512_block (c,data,len/sizeof(c->u)),
 214                         data += len,
 215                         len  %= sizeof(c->u),
 216                         data -= len;
 217                 }
 218
 219         if (len != 0)   memcpy (p,data,len), c->num = (int)len;
 220
 221         return 1;
 222         }
 223
 224 int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
 225 {   return SHA512_Update (c,data,len);   }
 226
 227 void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
 228 {   sha512_block (c,data,1);  }
 229
 230 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
 231         {
 232         SHA512_CTX c;
 233         static unsigned char m[SHA384_DIGEST_LENGTH];
 234
 235         if (md == NULL) md=m;
 236         SHA384_Init(&c);
 237         SHA512_Update(&c,d,n);
 238         SHA512_Final(md,&c);
 239         OPENSSL_cleanse(&c,sizeof(c));
 240         return(md);
 241         }
 242
 243 unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
 244         {
 245         SHA512_CTX c;
 246         static unsigned char m[SHA512_DIGEST_LENGTH];
 247
 248         if (md == NULL) md=m;
 249         SHA512_Init(&c);
 250         SHA512_Update(&c,d,n);
 251         SHA512_Final(md,&c);
 252         OPENSSL_cleanse(&c,sizeof(c));
 253         return(md);
 254         }
 255
 256 #ifndef SHA512_ASM
 257 static const SHA_LONG64 K512[80] = {
 258         U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
 259         U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
 260         U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
 261         U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
 262         U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
 263         U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
 264         U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
 265         U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
 266         U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
 267         U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
 268         U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
 269         U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
 270         U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
 271         U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
 272         U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
 273         U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
 274         U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
 275         U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
 276         U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
 277         U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
 278         U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
 279         U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
 280         U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
 281         U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
 282         U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
 283         U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
 284         U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
 285         U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
 286         U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
 287         U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
 288         U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
 289         U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
 290         U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
 291         U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
 292         U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
 293         U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
 294         U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
 295         U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
 296         U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
 297         U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
 298
 299 #ifndef PEDANTIC
 300 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
 301 #  if defined(__x86_64) || defined(__x86_64__)
 302 #   define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));   \
 303                                 asm ("bswapq    %0"             \
 304                                 : "=r"(ret)                     \
 305                                 : "0"(ret)); ret;               })
 306 #  endif
 307 # endif
 308 #endif
 309
 310 #ifndef PULL64
 311 #define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
 312 #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
 313 #endif
 314
 315 #ifndef PEDANTIC
 316 # if defined(_MSC_VER)
 317 #  if defined(_WIN64)   /* applies to both IA-64 and AMD64 */
 318 #   define ROTR(a,n)    _rotr64((a),n)
 319 #  endif
 320 # elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
 321 #  if defined(__x86_64) || defined(__x86_64__)
 322 #   define ROTR(a,n)    ({ unsigned long ret;           \
 323                                 asm ("rorq %1,%0"       \
 324                                 : "=r"(ret)             \
 325                                 : "J"(n),"0"(a)         \
 326                                 : "cc"); ret;           })
 327 #  elif defined(_ARCH_PPC) && defined(__64BIT__)
 328 #   define ROTR(a,n)    ({ unsigned long ret;           \
 329                                 asm ("rotrdi %0,%1,%2"  \
 330                                 : "=r"(ret)             \
 331                                 : "r"(a),"K"(n)); ret;  })
 332 #  endif
 333 # endif
 334 #endif
 335
 336 #ifndef ROTR
 337 #define ROTR(x,s)       (((x)>>s) | (x)<<(64-s))
 338 #endif
 339
 340 #define Sigma0(x)       (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
 341 #define Sigma1(x)       (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
 342 #define sigma0(x)       (ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
 343 #define sigma1(x)       (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
 344
 345 #define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
 346 #define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
 347
 348 #if defined(OPENSSL_IA32_SSE2) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
 349 #define GO_FOR_SSE2(ctx,in,num)         do {            \
 350         extern int      OPENSSL_ia32cap;                \
 351         void            sha512_block_sse2(void *,const void *,size_t);  \
 352         if (!(OPENSSL_ia32cap & (1<<26))) break;        \
 353         sha512_block_sse2(ctx->h,in,num); return;       \
 354                                         } while (0)
 355 #endif
 356
 357 #ifdef OPENSSL_SMALL_FOOTPRINT
 358
 359 static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
 360         {
 361         const SHA_LONG64 *W=in;
 362         SHA_LONG64      a,b,c,d,e,f,g,h,s0,s1,T1,T2;
 363         SHA_LONG64      X[16];
 364         int i;
 365
 366 #ifdef GO_FOR_SSE2
 367         GO_FOR_SSE2(ctx,in,num);
 368 #endif
 369
 370                         while (num--) {
 371
 372         a = ctx->h[0];  b = ctx->h[1];  c = ctx->h[2];  d = ctx->h[3];
 373         e = ctx->h[4];  f = ctx->h[5];  g = ctx->h[6];  h = ctx->h[7];
 374
 375         for (i=0;i<16;i++)
 376                 {
 377 #ifdef B_ENDIAN
 378                 T1 = X[i] = W[i];
 379 #else
 380                 T1 = X[i] = PULL64(W[i]);
 381 #endif
 382                 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
 383                 T2 = Sigma0(a) + Maj(a,b,c);
 384                 h = g;  g = f;  f = e;  e = d + T1;
 385                 d = c;  c = b;  b = a;  a = T1 + T2;
 386                 }
 387
 388         for (;i<80;i++)
 389                 {
 390                 s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);
 391                 s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);
 392
 393                 T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
 394                 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
 395                 T2 = Sigma0(a) + Maj(a,b,c);
 396                 h = g;  g = f;  f = e;  e = d + T1;
 397                 d = c;  c = b;  b = a;  a = T1 + T2;
 398                 }
 399
 400         ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
 401         ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
 402
 403                         W+=SHA_LBLOCK;
 404                         }
 405         }
 406
 407 #else
 408
 409 #define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
 410         T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];      \
 411         h = Sigma0(a) + Maj(a,b,c);                     \
 412         d += T1;        h += T1;                } while (0)
 413
 414 #define ROUND_16_80(i,a,b,c,d,e,f,g,h,X)        do {    \
 415         s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
 416         s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
 417         T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
 418         ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)
 419
 420 static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
 421         {
 422         const SHA_LONG64 *W=in;
 423         SHA_LONG64      a,b,c,d,e,f,g,h,s0,s1,T1;
 424         SHA_LONG64      X[16];
 425         int i;
 426
 427 #ifdef GO_FOR_SSE2
 428         GO_FOR_SSE2(ctx,in,num);
 429 #endif
 430
 431                         while (num--) {
 432
 433         a = ctx->h[0];  b = ctx->h[1];  c = ctx->h[2];  d = ctx->h[3];
 434         e = ctx->h[4];  f = ctx->h[5];  g = ctx->h[6];  h = ctx->h[7];
 435
 436 #ifdef B_ENDIAN
 437         T1 = X[0] = W[0];       ROUND_00_15(0,a,b,c,d,e,f,g,h);
 438         T1 = X[1] = W[1];       ROUND_00_15(1,h,a,b,c,d,e,f,g);
 439         T1 = X[2] = W[2];       ROUND_00_15(2,g,h,a,b,c,d,e,f);
 440         T1 = X[3] = W[3];       ROUND_00_15(3,f,g,h,a,b,c,d,e);
 441         T1 = X[4] = W[4];       ROUND_00_15(4,e,f,g,h,a,b,c,d);
 442         T1 = X[5] = W[5];       ROUND_00_15(5,d,e,f,g,h,a,b,c);
 443         T1 = X[6] = W[6];       ROUND_00_15(6,c,d,e,f,g,h,a,b);
 444         T1 = X[7] = W[7];       ROUND_00_15(7,b,c,d,e,f,g,h,a);
 445         T1 = X[8] = W[8];       ROUND_00_15(8,a,b,c,d,e,f,g,h);
 446         T1 = X[9] = W[9];       ROUND_00_15(9,h,a,b,c,d,e,f,g);
 447         T1 = X[10] = W[10];     ROUND_00_15(10,g,h,a,b,c,d,e,f);
 448         T1 = X[11] = W[11];     ROUND_00_15(11,f,g,h,a,b,c,d,e);
 449         T1 = X[12] = W[12];     ROUND_00_15(12,e,f,g,h,a,b,c,d);
 450         T1 = X[13] = W[13];     ROUND_00_15(13,d,e,f,g,h,a,b,c);
 451         T1 = X[14] = W[14];     ROUND_00_15(14,c,d,e,f,g,h,a,b);
 452         T1 = X[15] = W[15];     ROUND_00_15(15,b,c,d,e,f,g,h,a);
 453 #else
 454         T1 = X[0]  = PULL64(W[0]);      ROUND_00_15(0,a,b,c,d,e,f,g,h);
 455         T1 = X[1]  = PULL64(W[1]);      ROUND_00_15(1,h,a,b,c,d,e,f,g);
 456         T1 = X[2]  = PULL64(W[2]);      ROUND_00_15(2,g,h,a,b,c,d,e,f);
 457         T1 = X[3]  = PULL64(W[3]);      ROUND_00_15(3,f,g,h,a,b,c,d,e);
 458         T1 = X[4]  = PULL64(W[4]);      ROUND_00_15(4,e,f,g,h,a,b,c,d);
 459         T1 = X[5]  = PULL64(W[5]);      ROUND_00_15(5,d,e,f,g,h,a,b,c);
 460         T1 = X[6]  = PULL64(W[6]);      ROUND_00_15(6,c,d,e,f,g,h,a,b);
 461         T1 = X[7]  = PULL64(W[7]);      ROUND_00_15(7,b,c,d,e,f,g,h,a);
 462         T1 = X[8]  = PULL64(W[8]);      ROUND_00_15(8,a,b,c,d,e,f,g,h);
 463         T1 = X[9]  = PULL64(W[9]);      ROUND_00_15(9,h,a,b,c,d,e,f,g);
 464         T1 = X[10] = PULL64(W[10]);     ROUND_00_15(10,g,h,a,b,c,d,e,f);
 465         T1 = X[11] = PULL64(W[11]);     ROUND_00_15(11,f,g,h,a,b,c,d,e);
 466         T1 = X[12] = PULL64(W[12]);     ROUND_00_15(12,e,f,g,h,a,b,c,d);
 467         T1 = X[13] = PULL64(W[13]);     ROUND_00_15(13,d,e,f,g,h,a,b,c);
 468         T1 = X[14] = PULL64(W[14]);     ROUND_00_15(14,c,d,e,f,g,h,a,b);
 469         T1 = X[15] = PULL64(W[15]);     ROUND_00_15(15,b,c,d,e,f,g,h,a);
 470 #endif
 471
 472         for (i=16;i<80;i+=8)
 473                 {
 474                 ROUND_16_80(i+0,a,b,c,d,e,f,g,h,X);
 475                 ROUND_16_80(i+1,h,a,b,c,d,e,f,g,X);
 476                 ROUND_16_80(i+2,g,h,a,b,c,d,e,f,X);
 477                 ROUND_16_80(i+3,f,g,h,a,b,c,d,e,X);
 478                 ROUND_16_80(i+4,e,f,g,h,a,b,c,d,X);
 479                 ROUND_16_80(i+5,d,e,f,g,h,a,b,c,X);
 480                 ROUND_16_80(i+6,c,d,e,f,g,h,a,b,X);
 481                 ROUND_16_80(i+7,b,c,d,e,f,g,h,a,X);
 482                 }
 483
 484         ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
 485         ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
 486
 487                         W+=SHA_LBLOCK;
 488                         }
 489         }
 490
 491 #endif
 492
 493 #endif /* SHA512_ASM */
 494
 495 #endif /* OPENSSL_NO_SHA512 */