1 /* crypto/sha/sha512.c */
2 /* ====================================================================
3 * Copyright (c) 2004 The OpenSSL Project. All rights reserved
4 * according to the OpenSSL license [found here].
5 * ====================================================================
8 /* ====================================================================
9 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in
20 * the documentation and/or other materials provided with the
23 * 3. All advertising materials mentioning features or use of this
24 * software must display the following acknowledgment:
25 * "This product includes software developed by the OpenSSL Project
26 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
28 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
29 * endorse or promote products derived from this software without
30 * prior written permission. For written permission, please contact
31 * openssl-core@openssl.org.
33 * 5. Products derived from this software may not be called "OpenSSL"
34 * nor may "OpenSSL" appear in their names without prior written
35 * permission of the OpenSSL Project.
37 * 6. Redistributions of any form whatsoever must retain the following
39 * "This product includes software developed by the OpenSSL Project
40 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
42 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
43 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
44 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
45 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
46 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
47 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
48 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
49 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
51 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
52 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
53 * OF THE POSSIBILITY OF SUCH DAMAGE.
54 * ====================================================================
56 * This product includes cryptographic software written by Eric Young
57 * (eay@cryptsoft.com). This product includes software written by Tim
58 * Hudson (tjh@cryptsoft.com).
62 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
63 * All rights reserved.
65 * This package is an SSL implementation written
66 * by Eric Young (eay@cryptsoft.com).
67 * The implementation was written so as to conform with Netscapes SSL.
69 * This library is free for commercial and non-commercial use as long as
70 * the following conditions are aheared to. The following conditions
71 * apply to all code found in this distribution, be it the RC4, RSA,
72 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
73 * included with this distribution is covered by the same copyright terms
74 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
76 * Copyright remains Eric Young's, and as such any Copyright notices in
77 * the code are not to be removed.
78 * If this package is used in a product, Eric Young should be given attribution
79 * as the author of the parts of the library used.
80 * This can be in the form of a textual message at program startup or
81 * in documentation (online or textual) provided with the package.
83 * Redistribution and use in source and binary forms, with or without
84 * modification, are permitted provided that the following conditions
86 * 1. Redistributions of source code must retain the copyright
87 * notice, this list of conditions and the following disclaimer.
88 * 2. Redistributions in binary form must reproduce the above copyright
89 * notice, this list of conditions and the following disclaimer in the
90 * documentation and/or other materials provided with the distribution.
91 * 3. All advertising materials mentioning features or use of this software
92 * must display the following acknowledgement:
93 * "This product includes cryptographic software written by
94 * Eric Young (eay@cryptsoft.com)"
95 * The word 'cryptographic' can be left out if the rouines from the library
96 * being used are not cryptographic related :-).
97 * 4. If you include any Windows specific code (or a derivative thereof) from
98 * the apps directory (application code) you must include an acknowledgement:
99 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
101 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
102 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
103 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
104 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
105 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
106 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
107 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
108 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
109 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
110 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
113 * The licence and distribution terms for any publically available version or
114 * derivative of this code cannot be changed. i.e. this code cannot simply be
115 * copied and put under another distribution licence
116 * [including the GNU Public Licence.]
119 © Portions copyright (c) 2010 Nokia Corporation. All rights reserved.
122 #include <openssl/opensslconf.h>
123 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
125 * IMPLEMENTATION NOTES.
127 * As you might have noticed 32-bit hash algorithms:
129 * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
130 * - optimized versions implement two transform functions: one operating
131 * on [aligned] data in host byte order and one - on data in input
133 * - share common byte-order neutral collector and padding function
134 * implementations, ../md32_common.h;
136 * Neither of the above applies to this SHA-512 implementations. Reasons
137 * [in reverse order] are:
139 * - it's the only 64-bit hash algorithm for the moment of this writing,
140 * there is no need for common collector/padding implementation [yet];
141 * - by supporting only one transform function [which operates on
142 * *aligned* data in input stream byte order, big-endian in this case]
143 * we minimize burden of maintenance in two ways: a) collector/padding
144 * function is simpler; b) only one transform function to stare at;
145 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
146 * apply a number of optimizations to mitigate potential performance
147 * penalties caused by previous design decision;
151 * Implementation relies on the fact that "long long" is 64-bit on
152 * both 32- and 64-bit platforms. If some compiler vendor comes up
153 * with 128-bit long long, adjustment to sha.h would be required.
154 * As this implementation relies on 64-bit integer type, it's totally
155 * inappropriate for platforms which don't support it, most notably
157 * <appro@fy.chalmers.se>
162 #include <openssl/crypto.h>
163 #include <openssl/sha.h>
164 #include <openssl/opensslv.h>
166 #include "cryptlib.h"
168 const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT;
170 #if defined(_M_IX86) || defined(_M_AMD64) || defined(__i386) || defined(__x86_64)
171 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
174 EXPORT_C int SHA384_Init (SHA512_CTX *c)
176 c->h[0]=U64(0xcbbb9d5dc1059ed8);
177 c->h[1]=U64(0x629a292a367cd507);
178 c->h[2]=U64(0x9159015a3070dd17);
179 c->h[3]=U64(0x152fecd8f70e5939);
180 c->h[4]=U64(0x67332667ffc00b31);
181 c->h[5]=U64(0x8eb44a8768581511);
182 c->h[6]=U64(0xdb0c2e0d64f98fa7);
183 c->h[7]=U64(0x47b5481dbefa4fa4);
185 c->num=0; c->md_len=SHA384_DIGEST_LENGTH;
189 EXPORT_C int SHA512_Init (SHA512_CTX *c)
191 c->h[0]=U64(0x6a09e667f3bcc908);
192 c->h[1]=U64(0xbb67ae8584caa73b);
193 c->h[2]=U64(0x3c6ef372fe94f82b);
194 c->h[3]=U64(0xa54ff53a5f1d36f1);
195 c->h[4]=U64(0x510e527fade682d1);
196 c->h[5]=U64(0x9b05688c2b3e6c1f);
197 c->h[6]=U64(0x1f83d9abfb41bd6b);
198 c->h[7]=U64(0x5be0cd19137e2179);
200 c->num=0; c->md_len=SHA512_DIGEST_LENGTH;
207 void sha512_block (SHA512_CTX *ctx, const void *in, size_t num);
209 EXPORT_C int SHA512_Final (unsigned char *md, SHA512_CTX *c)
211 unsigned char *p=(unsigned char *)c->u.p;
214 p[n]=0x80; /* There always is a room for one */
216 if (n > (sizeof(c->u)-16))
217 memset (p+n,0,sizeof(c->u)-n), n=0,
218 sha512_block (c,p,1);
220 memset (p+n,0,sizeof(c->u)-16-n);
222 c->u.d[SHA_LBLOCK-2] = c->Nh;
223 c->u.d[SHA_LBLOCK-1] = c->Nl;
225 p[sizeof(c->u)-1] = (unsigned char)(c->Nl);
226 p[sizeof(c->u)-2] = (unsigned char)(c->Nl>>8);
227 p[sizeof(c->u)-3] = (unsigned char)(c->Nl>>16);
228 p[sizeof(c->u)-4] = (unsigned char)(c->Nl>>24);
229 p[sizeof(c->u)-5] = (unsigned char)(c->Nl>>32);
230 p[sizeof(c->u)-6] = (unsigned char)(c->Nl>>40);
231 p[sizeof(c->u)-7] = (unsigned char)(c->Nl>>48);
232 p[sizeof(c->u)-8] = (unsigned char)(c->Nl>>56);
233 p[sizeof(c->u)-9] = (unsigned char)(c->Nh);
234 p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
235 p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
236 p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
237 p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
238 p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
239 p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
240 p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
243 sha512_block (c,p,1);
249 /* Let compiler decide if it's appropriate to unroll... */
250 case SHA384_DIGEST_LENGTH:
251 for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
253 SHA_LONG64 t = c->h[n];
255 *(md++) = (unsigned char)(t>>56);
256 *(md++) = (unsigned char)(t>>48);
257 *(md++) = (unsigned char)(t>>40);
258 *(md++) = (unsigned char)(t>>32);
259 *(md++) = (unsigned char)(t>>24);
260 *(md++) = (unsigned char)(t>>16);
261 *(md++) = (unsigned char)(t>>8);
262 *(md++) = (unsigned char)(t);
265 case SHA512_DIGEST_LENGTH:
266 for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
268 SHA_LONG64 t = c->h[n];
270 *(md++) = (unsigned char)(t>>56);
271 *(md++) = (unsigned char)(t>>48);
272 *(md++) = (unsigned char)(t>>40);
273 *(md++) = (unsigned char)(t>>32);
274 *(md++) = (unsigned char)(t>>24);
275 *(md++) = (unsigned char)(t>>16);
276 *(md++) = (unsigned char)(t>>8);
277 *(md++) = (unsigned char)(t);
280 /* ... as well as make sure md_len is not abused. */
287 EXPORT_C int SHA384_Final (unsigned char *md,SHA512_CTX *c)
288 { return SHA512_Final (md,c); }
290 EXPORT_C int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
293 unsigned char *p=c->u.p;
294 const unsigned char *data=(const unsigned char *)_data;
296 if (len==0) return 1;
298 l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
299 if (l < c->Nl) c->Nh++;
300 if (sizeof(len)>=8) c->Nh+=(((SHA_LONG64)len)>>61);
305 size_t n = sizeof(c->u) - c->num;
309 memcpy (p+c->num,data,len), c->num += len;
313 memcpy (p+c->num,data,n), c->num = 0;
315 sha512_block (c,p,1);
319 if (len >= sizeof(c->u))
321 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
322 if ((size_t)data%sizeof(c->u.d[0]) != 0)
323 while (len >= sizeof(c->u))
324 memcpy (p,data,sizeof(c->u)),
325 sha512_block (c,p,1),
327 data += sizeof(c->u);
330 sha512_block (c,data,len/sizeof(c->u)),
336 if (len != 0) memcpy (p,data,len), c->num = (int)len;
341 EXPORT_C int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
342 { return SHA512_Update (c,data,len); }
344 EXPORT_C void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
345 { sha512_block (c,data,1); }
347 EXPORT_C unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
350 static unsigned char m[SHA384_DIGEST_LENGTH];
352 if (md == NULL) md=m;
354 SHA512_Update(&c,d,n);
356 OPENSSL_cleanse(&c,sizeof(c));
360 EXPORT_C unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
363 static unsigned char m[SHA512_DIGEST_LENGTH];
365 if (md == NULL) md=m;
367 SHA512_Update(&c,d,n);
369 OPENSSL_cleanse(&c,sizeof(c));
374 static const SHA_LONG64 K512[80] = {
375 U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
376 U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),
377 U64(0x3956c25bf348b538),U64(0x59f111f1b605d019),
378 U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118),
379 U64(0xd807aa98a3030242),U64(0x12835b0145706fbe),
380 U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2),
381 U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1),
382 U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694),
383 U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3),
384 U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65),
385 U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483),
386 U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5),
387 U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210),
388 U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4),
389 U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725),
390 U64(0x06ca6351e003826f),U64(0x142929670a0e6e70),
391 U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926),
392 U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df),
393 U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8),
394 U64(0x81c2c92e47edaee6),U64(0x92722c851482353b),
395 U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001),
396 U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30),
397 U64(0xd192e819d6ef5218),U64(0xd69906245565a910),
398 U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8),
399 U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53),
400 U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8),
401 U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb),
402 U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3),
403 U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60),
404 U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec),
405 U64(0x90befffa23631e28),U64(0xa4506cebde82bde9),
406 U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b),
407 U64(0xca273eceea26619c),U64(0xd186b8c721c0c207),
408 U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178),
409 U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6),
410 U64(0x113f9804bef90dae),U64(0x1b710b35131c471b),
411 U64(0x28db77f523047d84),U64(0x32caab7b40c72493),
412 U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c),
413 U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a),
414 U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) };
417 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
418 # if defined(__x86_64) || defined(__x86_64__)
419 # define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x))); \
428 #define B(x,j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
429 #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
433 # if defined(_MSC_VER)
434 # if defined(_WIN64) /* applies to both IA-64 and AMD64 */
435 # define ROTR(a,n) _rotr64((a),n)
437 # elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
438 # if defined(__x86_64) || defined(__x86_64__)
439 # define ROTR(a,n) ({ unsigned long ret; \
444 # elif defined(_ARCH_PPC) && defined(__64BIT__)
445 # define ROTR(a,n) ({ unsigned long ret; \
446 asm ("rotrdi %0,%1,%2" \
448 : "r"(a),"K"(n)); ret; })
454 #define ROTR(x,s) (((x)>>s) | (x)<<(64-s))
457 #define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
458 #define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
459 #define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
460 #define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
462 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
463 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
465 #if defined(OPENSSL_IA32_SSE2) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
466 #define GO_FOR_SSE2(ctx,in,num) do { \
467 void sha512_block_sse2(void *,const void *,size_t); \
468 if (!(OPENSSL_ia32cap_P & (1<<26))) break; \
469 sha512_block_sse2(ctx->h,in,num); return; \
473 #ifdef OPENSSL_SMALL_FOOTPRINT
475 static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
477 const SHA_LONG64 *W=in;
478 SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1,T2;
483 GO_FOR_SSE2(ctx,in,num);
488 a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
489 e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
496 T1 = X[i] = PULL64(W[i]);
498 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
499 T2 = Sigma0(a) + Maj(a,b,c);
500 h = g; g = f; f = e; e = d + T1;
501 d = c; c = b; b = a; a = T1 + T2;
506 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0);
507 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1);
509 T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf];
510 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];
511 T2 = Sigma0(a) + Maj(a,b,c);
512 h = g; g = f; f = e; e = d + T1;
513 d = c; c = b; b = a; a = T1 + T2;
516 ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
517 ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
525 #define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
526 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; \
527 h = Sigma0(a) + Maj(a,b,c); \
528 d += T1; h += T1; } while (0)
530 #define ROUND_16_80(i,a,b,c,d,e,f,g,h,X) do { \
531 s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
532 s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
533 T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
534 ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
536 static void sha512_block (SHA512_CTX *ctx, const void *in, size_t num)
538 const SHA_LONG64 *W=in;
539 SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1;
544 GO_FOR_SSE2(ctx,in,num);
549 a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3];
550 e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7];
553 T1 = X[0] = W[0]; ROUND_00_15(0,a,b,c,d,e,f,g,h);
554 T1 = X[1] = W[1]; ROUND_00_15(1,h,a,b,c,d,e,f,g);
555 T1 = X[2] = W[2]; ROUND_00_15(2,g,h,a,b,c,d,e,f);
556 T1 = X[3] = W[3]; ROUND_00_15(3,f,g,h,a,b,c,d,e);
557 T1 = X[4] = W[4]; ROUND_00_15(4,e,f,g,h,a,b,c,d);
558 T1 = X[5] = W[5]; ROUND_00_15(5,d,e,f,g,h,a,b,c);
559 T1 = X[6] = W[6]; ROUND_00_15(6,c,d,e,f,g,h,a,b);
560 T1 = X[7] = W[7]; ROUND_00_15(7,b,c,d,e,f,g,h,a);
561 T1 = X[8] = W[8]; ROUND_00_15(8,a,b,c,d,e,f,g,h);
562 T1 = X[9] = W[9]; ROUND_00_15(9,h,a,b,c,d,e,f,g);
563 T1 = X[10] = W[10]; ROUND_00_15(10,g,h,a,b,c,d,e,f);
564 T1 = X[11] = W[11]; ROUND_00_15(11,f,g,h,a,b,c,d,e);
565 T1 = X[12] = W[12]; ROUND_00_15(12,e,f,g,h,a,b,c,d);
566 T1 = X[13] = W[13]; ROUND_00_15(13,d,e,f,g,h,a,b,c);
567 T1 = X[14] = W[14]; ROUND_00_15(14,c,d,e,f,g,h,a,b);
568 T1 = X[15] = W[15]; ROUND_00_15(15,b,c,d,e,f,g,h,a);
570 T1 = X[0] = PULL64(W[0]); ROUND_00_15(0,a,b,c,d,e,f,g,h);
571 T1 = X[1] = PULL64(W[1]); ROUND_00_15(1,h,a,b,c,d,e,f,g);
572 T1 = X[2] = PULL64(W[2]); ROUND_00_15(2,g,h,a,b,c,d,e,f);
573 T1 = X[3] = PULL64(W[3]); ROUND_00_15(3,f,g,h,a,b,c,d,e);
574 T1 = X[4] = PULL64(W[4]); ROUND_00_15(4,e,f,g,h,a,b,c,d);
575 T1 = X[5] = PULL64(W[5]); ROUND_00_15(5,d,e,f,g,h,a,b,c);
576 T1 = X[6] = PULL64(W[6]); ROUND_00_15(6,c,d,e,f,g,h,a,b);
577 T1 = X[7] = PULL64(W[7]); ROUND_00_15(7,b,c,d,e,f,g,h,a);
578 T1 = X[8] = PULL64(W[8]); ROUND_00_15(8,a,b,c,d,e,f,g,h);
579 T1 = X[9] = PULL64(W[9]); ROUND_00_15(9,h,a,b,c,d,e,f,g);
580 T1 = X[10] = PULL64(W[10]); ROUND_00_15(10,g,h,a,b,c,d,e,f);
581 T1 = X[11] = PULL64(W[11]); ROUND_00_15(11,f,g,h,a,b,c,d,e);
582 T1 = X[12] = PULL64(W[12]); ROUND_00_15(12,e,f,g,h,a,b,c,d);
583 T1 = X[13] = PULL64(W[13]); ROUND_00_15(13,d,e,f,g,h,a,b,c);
584 T1 = X[14] = PULL64(W[14]); ROUND_00_15(14,c,d,e,f,g,h,a,b);
585 T1 = X[15] = PULL64(W[15]); ROUND_00_15(15,b,c,d,e,f,g,h,a);
590 ROUND_16_80(i+0,a,b,c,d,e,f,g,h,X);
591 ROUND_16_80(i+1,h,a,b,c,d,e,f,g,X);
592 ROUND_16_80(i+2,g,h,a,b,c,d,e,f,X);
593 ROUND_16_80(i+3,f,g,h,a,b,c,d,e,X);
594 ROUND_16_80(i+4,e,f,g,h,a,b,c,d,X);
595 ROUND_16_80(i+5,d,e,f,g,h,a,b,c,X);
596 ROUND_16_80(i+6,c,d,e,f,g,h,a,b,X);
597 ROUND_16_80(i+7,b,c,d,e,f,g,h,a,X);
600 ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d;
601 ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h;
609 #endif /* SHA512_ASM */
611 #endif /* OPENSSL_NO_SHA512 */