1 /* crypto/sha/sha512.c */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found in ../../LICENSE].
5 * ====================================================================
7 #include <openssl/opensslconf.h>
8 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
10 * IMPLEMENTATION NOTES.
12 * As you might have noticed 32-bit hash algorithms:
14 * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
15 * - optimized versions implement two transform functions: one operating
16 * on [aligned] data in host byte order and one - on data in input
18 * - share common byte-order neutral collector and padding function
19 * implementations, ../md32_common.h;
21 * Neither of the above applies to this SHA-512 implementations. Reasons
22 * [in reverse order] are:
24 * - it's the only 64-bit hash algorithm for the moment of this writing,
25 * there is no need for common collector/padding implementation [yet];
26 * - by supporting only one transform function [which operates on
27 * *aligned* data in input stream byte order, big-endian in this case]
28 * we minimize burden of maintenance in two ways: a) collector/padding
29 * function is simpler; b) only one transform function to stare at;
30 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
31 * apply a number of optimizations to mitigate potential performance
32 * penalties caused by previous design decision;
36 * Implementation relies on the fact that "long long" is 64-bit on
37 * both 32- and 64-bit platforms. If some compiler vendor comes up
38 * with 128-bit long long, adjustment to sha.h would be required.
39 * As this implementation relies on 64-bit integer type, it's totally
40 * inappropriate for platforms which don't support it, most notably
42 * <appro@fy.chalmers.se>
47 #include <openssl/crypto.h>
48 #include <openssl/sha.h>
49 #include <openssl/opensslv.h>
53 const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT;
55 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
56 defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
57 defined(__s390__) || defined(__s390x__) || \
59 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
62 int SHA384_Init (SHA512_CTX *c)
64 #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
65 /* maintain dword order required by assembler module */
66 unsigned int *h = (unsigned int *)c->h;
68 h[0] = 0xcbbb9d5d; h[1] = 0xc1059ed8;
69 h[2] = 0x629a292a; h[3] = 0x367cd507;
70 h[4] = 0x9159015a; h[5] = 0x3070dd17;
71 h[6] = 0x152fecd8; h[7] = 0xf70e5939;
72 h[8] = 0x67332667; h[9] = 0xffc00b31;
73 h[10] = 0x8eb44a87; h[11] = 0x68581511;
74 h[12] = 0xdb0c2e0d; h[13] = 0x64f98fa7;
75 h[14] = 0x47b5481d; h[15] = 0xbefa4fa4;
77 c->h[0]=U64(0xcbbb9d5dc1059ed8);
78 c->h[1]=U64(0x629a292a367cd507);
79 c->h[2]=U64(0x9159015a3070dd17);
80 c->h[3]=U64(0x152fecd8f70e5939);
81 c->h[4]=U64(0x67332667ffc00b31);
82 c->h[5]=U64(0x8eb44a8768581511);
83 c->h[6]=U64(0xdb0c2e0d64f98fa7);
84 c->h[7]=U64(0x47b5481dbefa4fa4);
87 c->num=0; c->md_len=SHA384_DIGEST_LENGTH;
91 int SHA512_Init (SHA512_CTX *c)
93 #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
94 /* maintain dword order required by assembler module */
95 unsigned int *h = (unsigned int *)c->h;
97 h[0] = 0x6a09e667; h[1] = 0xf3bcc908;
98 h[2] = 0xbb67ae85; h[3] = 0x84caa73b;
99 h[4] = 0x3c6ef372; h[5] = 0xfe94f82b;
100 h[6] = 0xa54ff53a; h[7] = 0x5f1d36f1;
101 h[8] = 0x510e527f; h[9] = 0xade682d1;
102 h[10] = 0x9b05688c; h[11] = 0x2b3e6c1f;
103 h[12] = 0x1f83d9ab; h[13] = 0xfb41bd6b;
104 h[14] = 0x5be0cd19; h[15] = 0x137e2179;
106 c->h[0]=U64(0x6a09e667f3bcc908);
107 c->h[1]=U64(0xbb67ae8584caa73b);
108 c->h[2]=U64(0x3c6ef372fe94f82b);
109 c->h[3]=U64(0xa54ff53a5f1d36f1);
110 c->h[4]=U64(0x510e527fade682d1);
111 c->h[5]=U64(0x9b05688c2b3e6c1f);
112 c->h[6]=U64(0x1f83d9abfb41bd6b);
113 c->h[7]=U64(0x5be0cd19137e2179);
116 c->num=0; c->md_len=SHA512_DIGEST_LENGTH;
123 void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num);
125 int SHA512_Final (unsigned char *md, SHA512_CTX *c)
127 unsigned char *p=(unsigned char *)c->u.p;
130 p[n]=0x80; /* There always is a room for one */
132 if (n > (sizeof(c->u)-16))
133 memset (p+n,0,sizeof(c->u)-n), n=0,
134 sha512_block_data_order (c,p,1);
136 memset (p+n,0,sizeof(c->u)-16-n);
138 c->u.d[SHA_LBLOCK-2] = c->Nh;
139 c->u.d[SHA_LBLOCK-1] = c->Nl;
141 p[sizeof(c->u)-1] = (unsigned char)(c->Nl);
142 p[sizeof(c->u)-2] = (unsigned char)(c->Nl>>8);
143 p[sizeof(c->u)-3] = (unsigned char)(c->Nl>>16);
144 p[sizeof(c->u)-4] = (unsigned char)(c->Nl>>24);
145 p[sizeof(c->u)-5] = (unsigned char)(c->Nl>>32);
146 p[sizeof(c->u)-6] = (unsigned char)(c->Nl>>40);
147 p[sizeof(c->u)-7] = (unsigned char)(c->Nl>>48);
148 p[sizeof(c->u)-8] = (unsigned char)(c->Nl>>56);
149 p[sizeof(c->u)-9] = (unsigned char)(c->Nh);
150 p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
151 p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
152 p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
153 p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
154 p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
155 p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
156 p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
159 sha512_block_data_order (c,p,1);
163 #if defined(SHA512_ASM) && (defined(__arm__) || defined(__arm))
164 /* recall assembler dword order... */
166 if (n == SHA384_DIGEST_LENGTH || n == SHA512_DIGEST_LENGTH)
168 unsigned int *h = (unsigned int *)c->h, t;
173 *(md++) = (unsigned char)(t>>24);
174 *(md++) = (unsigned char)(t>>16);
175 *(md++) = (unsigned char)(t>>8);
176 *(md++) = (unsigned char)(t);
183 /* Let compiler decide if it's appropriate to unroll... */
184 case SHA384_DIGEST_LENGTH:
185 for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
187 SHA_LONG64 t = c->h[n];
189 *(md++) = (unsigned char)(t>>56);
190 *(md++) = (unsigned char)(t>>48);
191 *(md++) = (unsigned char)(t>>40);
192 *(md++) = (unsigned char)(t>>32);
193 *(md++) = (unsigned char)(t>>24);
194 *(md++) = (unsigned char)(t>>16);
195 *(md++) = (unsigned char)(t>>8);
196 *(md++) = (unsigned char)(t);
199 case SHA512_DIGEST_LENGTH:
200 for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
202 SHA_LONG64 t = c->h[n];
204 *(md++) = (unsigned char)(t>>56);
205 *(md++) = (unsigned char)(t>>48);
206 *(md++) = (unsigned char)(t>>40);
207 *(md++) = (unsigned char)(t>>32);
208 *(md++) = (unsigned char)(t>>24);
209 *(md++) = (unsigned char)(t>>16);
210 *(md++) = (unsigned char)(t>>8);
211 *(md++) = (unsigned char)(t);
214 /* ... as well as make sure md_len is not abused. */
221 int SHA384_Final (unsigned char *md,SHA512_CTX *c)
222 { return SHA512_Final (md,c); }
224 int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
227 unsigned char *p=c->u.p;
228 const unsigned char *data=(const unsigned char *)_data;
230 if (len==0) return 1;
232 l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
233 if (l < c->Nl) c->Nh++;
234 if (sizeof(len)>=8) c->Nh+=(((SHA_LONG64)len)>>61);
239 size_t n = sizeof(c->u) - c->num;
243 memcpy (p+c->num,data,len), c->num += (unsigned int)len;
247 memcpy (p+c->num,data,n), c->num = 0;
249 sha512_block_data_order (c,p,1);
253 if (len >= sizeof(c->u))
255 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
256 if ((size_t)data%sizeof(c->u.d[0]) != 0)
257 while (len >= sizeof(c->u))
258 memcpy (p,data,sizeof(c->u)),
259 sha512_block_data_order (c,p,1),
261 data += sizeof(c->u);
264 sha512_block_data_order (c,data,len/sizeof(c->u)),
270 if (len != 0) memcpy (p,data,len), c->num = (int)len;
275 int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
276 { return SHA512_Update (c,data,len); }
278 void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
279 { sha512_block_data_order (c,data,1); }
281 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
284 static unsigned char m[SHA384_DIGEST_LENGTH];
286 if (md == NULL) md=m;
288 SHA512_Update(&c,d,n);
290 OPENSSL_cleanse(&c,sizeof(c));
294 unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
297 static unsigned char m[SHA512_DIGEST_LENGTH];
299 if (md == NULL) md=m;
301 SHA512_Update(&c,d,n);
303 OPENSSL_cleanse(&c,sizeof(c));
308 static const SHA_LONG64 K512[80] = {
309 U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
310 U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
311 U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
312 U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
313 U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
314 U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
315 U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
316 U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
317 U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
318 U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
319 U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
320 U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
321 U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
322 U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
323 U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
324 U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
325 U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
326 U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
327 U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
328 U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
329 U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
330 U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
331 U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
332 U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
333 U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
334 U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
335 U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
336 U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
337 U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
338 U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
339 U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
340 U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
341 U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
342 U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
343 U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
344 U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
345 U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
346 U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
347 U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
348 U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
351 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
352 # if defined(__x86_64) || defined(__x86_64__)
353 # define ROTR(a,n) ({ SHA_LONG64 ret; \
358 # if !defined(B_ENDIAN)
359 # define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x))); \
364 # elif (defined(__i386) || defined(__i386__)) && !defined(B_ENDIAN)
365 # if defined(I386_ONLY)
366 # define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
367 unsigned int hi=p[0],lo=p[1]; \
368 asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
369 "roll $16,%%eax; roll $16,%%edx; "\
370 "xchgb %%ah,%%al;xchgb %%dh,%%dl;" \
371 : "=a"(lo),"=d"(hi) \
372 : "0"(lo),"1"(hi) : "cc"); \
373 ((SHA_LONG64)hi)<<32|lo; })
375 # define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
376 unsigned int hi=p[0],lo=p[1]; \
377 asm ("bswapl %0; bswapl %1;" \
378 : "=r"(lo),"=r"(hi) \
379 : "0"(lo),"1"(hi)); \
380 ((SHA_LONG64)hi)<<32|lo; })
382 # elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
383 # define ROTR(a,n) ({ unsigned long ret; \
384 asm ("rotrdi %0,%1,%2" \
386 : "r"(a),"K"(n)); ret; })
388 # elif defined(_MSC_VER)
389 # if defined(_WIN64) /* applies to both IA-64 and AMD64 */
390 # pragma intrinsic(_rotr64)
391 # define ROTR(a,n) _rotr64((a),n)
393 # if defined(_M_IX86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
394 # if defined(I386_ONLY)
395 static SHA_LONG64 __fastcall __pull64be(const void *x)
396 { _asm mov edx, [ecx + 0]
397 _asm mov eax, [ecx + 4]
406 static SHA_LONG64 __fastcall __pull64be(const void *x)
407 { _asm mov edx, [ecx + 0]
408 _asm mov eax, [ecx + 4]
413 # define PULL64(x) __pull64be(&(x))
415 # pragma inline_depth(0)
422 #define B(x,j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
423 #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
427 #define ROTR(x,s) (((x)>>s) | (x)<<(64-s))
430 #define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
431 #define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
432 #define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
433 #define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
435 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
436 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
439 #if defined(__i386) || defined(__i386__) || defined(_M_IX86)
441 * This code should give better results on 32-bit CPU with less than
442 * ~24 registers, both size and performance wise...
444 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
446 const SHA_LONG64 *W=in;
448 SHA_LONG64 X[9+80],*F;
454 A = ctx->h[0]; F[1] = ctx->h[1];
455 F[2] = ctx->h[2]; F[3] = ctx->h[3];
456 E = ctx->h[4]; F[5] = ctx->h[5];
457 F[6] = ctx->h[6]; F[7] = ctx->h[7];
459 for (i=0;i<16;i++,F--)
469 T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
471 A = T + Sigma0(A) + Maj(A,F[1],F[2]);
476 T = sigma0(F[8+16-1]);
477 T += sigma1(F[8+16-14]);
478 T += F[8+16] + F[8+16-9];
483 T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i];
485 A = T + Sigma0(A) + Maj(A,F[1],F[2]);
488 ctx->h[0] += A; ctx->h[1] += F[1];
489 ctx->h[2] += F[2]; ctx->h[3] += F[3];
490 ctx->h[4] += E; ctx->h[5] += F[5];
491 ctx->h[6] += F[6]; ctx->h[7] += F[7];
497 #elif defined(OPENSSL_SMALL_FOOTPRINT)
499 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
501 const SHA_LONG64 *W=in;
502 SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1,T2;
508 a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
509 e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
516 T1 = X[i] = PULL64(W[i]);
518 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
519 T2 = Sigma0(a) + Maj(a,b,c);
520 h = g; g = f; f = e; e = d + T1;
521 d = c; c = b; b = a; a = T1 + T2;
526 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0);
527 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1);
529 T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
530 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
531 T2 = Sigma0(a) + Maj(a,b,c);
532 h = g; g = f; f = e; e = d + T1;
533 d = c; c = b; b = a; a = T1 + T2;
536 ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
537 ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
545 #define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
546 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; \
547 h = Sigma0(a) + Maj(a,b,c); \
548 d += T1; h += T1; } while (0)
550 #define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X) do { \
551 s0 = X[(j+1)&0x0f]; s0 = sigma0(s0); \
552 s1 = X[(j+14)&0x0f]; s1 = sigma1(s1); \
553 T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f]; \
554 ROUND_00_15(i+j,a,b,c,d,e,f,g,h); } while (0)
556 static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num)
558 const SHA_LONG64 *W=in;
559 SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1;
565 a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
566 e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
569 T1 = X[0] = W[0]; ROUND_00_15(0,a,b,c,d,e,f,g,h);
570 T1 = X[1] = W[1]; ROUND_00_15(1,h,a,b,c,d,e,f,g);
571 T1 = X[2] = W[2]; ROUND_00_15(2,g,h,a,b,c,d,e,f);
572 T1 = X[3] = W[3]; ROUND_00_15(3,f,g,h,a,b,c,d,e);
573 T1 = X[4] = W[4]; ROUND_00_15(4,e,f,g,h,a,b,c,d);
574 T1 = X[5] = W[5]; ROUND_00_15(5,d,e,f,g,h,a,b,c);
575 T1 = X[6] = W[6]; ROUND_00_15(6,c,d,e,f,g,h,a,b);
576 T1 = X[7] = W[7]; ROUND_00_15(7,b,c,d,e,f,g,h,a);
577 T1 = X[8] = W[8]; ROUND_00_15(8,a,b,c,d,e,f,g,h);
578 T1 = X[9] = W[9]; ROUND_00_15(9,h,a,b,c,d,e,f,g);
579 T1 = X[10] = W[10]; ROUND_00_15(10,g,h,a,b,c,d,e,f);
580 T1 = X[11] = W[11]; ROUND_00_15(11,f,g,h,a,b,c,d,e);
581 T1 = X[12] = W[12]; ROUND_00_15(12,e,f,g,h,a,b,c,d);
582 T1 = X[13] = W[13]; ROUND_00_15(13,d,e,f,g,h,a,b,c);
583 T1 = X[14] = W[14]; ROUND_00_15(14,c,d,e,f,g,h,a,b);
584 T1 = X[15] = W[15]; ROUND_00_15(15,b,c,d,e,f,g,h,a);
586 T1 = X[0] = PULL64(W[0]); ROUND_00_15(0,a,b,c,d,e,f,g,h);
587 T1 = X[1] = PULL64(W[1]); ROUND_00_15(1,h,a,b,c,d,e,f,g);
588 T1 = X[2] = PULL64(W[2]); ROUND_00_15(2,g,h,a,b,c,d,e,f);
589 T1 = X[3] = PULL64(W[3]); ROUND_00_15(3,f,g,h,a,b,c,d,e);
590 T1 = X[4] = PULL64(W[4]); ROUND_00_15(4,e,f,g,h,a,b,c,d);
591 T1 = X[5] = PULL64(W[5]); ROUND_00_15(5,d,e,f,g,h,a,b,c);
592 T1 = X[6] = PULL64(W[6]); ROUND_00_15(6,c,d,e,f,g,h,a,b);
593 T1 = X[7] = PULL64(W[7]); ROUND_00_15(7,b,c,d,e,f,g,h,a);
594 T1 = X[8] = PULL64(W[8]); ROUND_00_15(8,a,b,c,d,e,f,g,h);
595 T1 = X[9] = PULL64(W[9]); ROUND_00_15(9,h,a,b,c,d,e,f,g);
596 T1 = X[10] = PULL64(W[10]); ROUND_00_15(10,g,h,a,b,c,d,e,f);
597 T1 = X[11] = PULL64(W[11]); ROUND_00_15(11,f,g,h,a,b,c,d,e);
598 T1 = X[12] = PULL64(W[12]); ROUND_00_15(12,e,f,g,h,a,b,c,d);
599 T1 = X[13] = PULL64(W[13]); ROUND_00_15(13,d,e,f,g,h,a,b,c);
600 T1 = X[14] = PULL64(W[14]); ROUND_00_15(14,c,d,e,f,g,h,a,b);
601 T1 = X[15] = PULL64(W[15]); ROUND_00_15(15,b,c,d,e,f,g,h,a);
604 for (i=16;i<80;i+=16)
606 ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X);
607 ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X);
608 ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X);
609 ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X);
610 ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X);
611 ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X);
612 ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X);
613 ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X);
614 ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X);
615 ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X);
616 ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X);
617 ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X);
618 ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X);
619 ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X);
620 ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X);
621 ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X);
624 ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
625 ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
633 #endif /* SHA512_ASM */
635 #else /* !OPENSSL_NO_SHA512 */
637 #if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX)
638 static void *dummy=&dummy;
641 #endif /* !OPENSSL_NO_SHA512 */