/src/libressl/crypto/sha/sha512.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: sha512.c,v 1.16 2021/11/09 18:40:21 bcook Exp $ */ |
2 | | /* ==================================================================== |
3 | | * Copyright (c) 2004 The OpenSSL Project. All rights reserved |
4 | | * according to the OpenSSL license [found in ../../LICENSE]. |
5 | | * ==================================================================== |
6 | | */ |
7 | | |
8 | | #include <endian.h> |
9 | | #include <stdlib.h> |
10 | | #include <string.h> |
11 | | |
12 | | #include <openssl/opensslconf.h> |
13 | | |
14 | | #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) |
15 | | /* |
16 | | * IMPLEMENTATION NOTES. |
17 | | * |
18 | | * As you might have noticed 32-bit hash algorithms: |
19 | | * |
20 | | * - permit SHA_LONG to be wider than 32-bit (case on CRAY); |
21 | | * - optimized versions implement two transform functions: one operating |
22 | | * on [aligned] data in host byte order and one - on data in input |
23 | | * stream byte order; |
24 | | * - share common byte-order neutral collector and padding function |
25 | | * implementations, ../md32_common.h; |
26 | | * |
27 | | * Neither of the above applies to this SHA-512 implementations. Reasons |
28 | | * [in reverse order] are: |
29 | | * |
30 | | * - it's the only 64-bit hash algorithm for the moment of this writing, |
31 | | * there is no need for common collector/padding implementation [yet]; |
32 | | * - by supporting only one transform function [which operates on |
33 | | * *aligned* data in input stream byte order, big-endian in this case] |
34 | | * we minimize burden of maintenance in two ways: a) collector/padding |
35 | | * function is simpler; b) only one transform function to stare at; |
36 | | * - SHA_LONG64 is required to be exactly 64-bit in order to be able to |
37 | | * apply a number of optimizations to mitigate potential performance |
38 | | * penalties caused by previous design decision; |
39 | | * |
40 | | * Caveat lector. |
41 | | * |
42 | | * Implementation relies on the fact that "long long" is 64-bit on |
43 | | * both 32- and 64-bit platforms. If some compiler vendor comes up |
44 | | * with 128-bit long long, adjustment to sha.h would be required. |
45 | | * As this implementation relies on 64-bit integer type, it's totally |
46 | | * inappropriate for platforms which don't support it, most notably |
47 | | * 16-bit platforms. |
48 | | * <appro@fy.chalmers.se> |
49 | | */ |
50 | | |
51 | | #include <openssl/crypto.h> |
52 | | #include <openssl/opensslv.h> |
53 | | #include <openssl/sha.h> |
54 | | |
55 | | #if !defined(__STRICT_ALIGNMENT) || defined(SHA512_ASM) |
56 | | #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA |
57 | | #endif |
58 | | |
59 | | int SHA384_Init(SHA512_CTX *c) |
60 | 0 | { |
61 | 0 | c->h[0]=U64(0xcbbb9d5dc1059ed8); |
62 | 0 | c->h[1]=U64(0x629a292a367cd507); |
63 | 0 | c->h[2]=U64(0x9159015a3070dd17); |
64 | 0 | c->h[3]=U64(0x152fecd8f70e5939); |
65 | 0 | c->h[4]=U64(0x67332667ffc00b31); |
66 | 0 | c->h[5]=U64(0x8eb44a8768581511); |
67 | 0 | c->h[6]=U64(0xdb0c2e0d64f98fa7); |
68 | 0 | c->h[7]=U64(0x47b5481dbefa4fa4); |
69 | |
|
70 | 0 | c->Nl=0; c->Nh=0; |
71 | 0 | c->num=0; c->md_len=SHA384_DIGEST_LENGTH; |
72 | 0 | return 1; |
73 | 0 | } |
74 | | |
75 | | int SHA512_Init(SHA512_CTX *c) |
76 | 0 | { |
77 | 0 | c->h[0]=U64(0x6a09e667f3bcc908); |
78 | 0 | c->h[1]=U64(0xbb67ae8584caa73b); |
79 | 0 | c->h[2]=U64(0x3c6ef372fe94f82b); |
80 | 0 | c->h[3]=U64(0xa54ff53a5f1d36f1); |
81 | 0 | c->h[4]=U64(0x510e527fade682d1); |
82 | 0 | c->h[5]=U64(0x9b05688c2b3e6c1f); |
83 | 0 | c->h[6]=U64(0x1f83d9abfb41bd6b); |
84 | 0 | c->h[7]=U64(0x5be0cd19137e2179); |
85 | |
|
86 | 0 | c->Nl=0; c->Nh=0; |
87 | 0 | c->num=0; c->md_len=SHA512_DIGEST_LENGTH; |
88 | 0 | return 1; |
89 | 0 | } |
90 | | |
91 | | #ifndef SHA512_ASM |
92 | | static |
93 | | #endif |
94 | | void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num); |
95 | | |
96 | | int SHA512_Final (unsigned char *md, SHA512_CTX *c) |
97 | 0 | { |
98 | 0 | unsigned char *p=(unsigned char *)c->u.p; |
99 | 0 | size_t n=c->num; |
100 | |
|
101 | 0 | p[n]=0x80; /* There always is a room for one */ |
102 | 0 | n++; |
103 | 0 | if (n > (sizeof(c->u)-16)) |
104 | 0 | memset (p+n,0,sizeof(c->u)-n), n=0, |
105 | 0 | sha512_block_data_order (c,p,1); |
106 | |
|
107 | 0 | memset (p+n,0,sizeof(c->u)-16-n); |
108 | | #if BYTE_ORDER == BIG_ENDIAN |
109 | | c->u.d[SHA_LBLOCK-2] = c->Nh; |
110 | | c->u.d[SHA_LBLOCK-1] = c->Nl; |
111 | | #else |
112 | 0 | p[sizeof(c->u)-1] = (unsigned char)(c->Nl); |
113 | 0 | p[sizeof(c->u)-2] = (unsigned char)(c->Nl>>8); |
114 | 0 | p[sizeof(c->u)-3] = (unsigned char)(c->Nl>>16); |
115 | 0 | p[sizeof(c->u)-4] = (unsigned char)(c->Nl>>24); |
116 | 0 | p[sizeof(c->u)-5] = (unsigned char)(c->Nl>>32); |
117 | 0 | p[sizeof(c->u)-6] = (unsigned char)(c->Nl>>40); |
118 | 0 | p[sizeof(c->u)-7] = (unsigned char)(c->Nl>>48); |
119 | 0 | p[sizeof(c->u)-8] = (unsigned char)(c->Nl>>56); |
120 | 0 | p[sizeof(c->u)-9] = (unsigned char)(c->Nh); |
121 | 0 | p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8); |
122 | 0 | p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16); |
123 | 0 | p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24); |
124 | 0 | p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32); |
125 | 0 | p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40); |
126 | 0 | p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48); |
127 | 0 | p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56); |
128 | 0 | #endif |
129 | |
|
130 | 0 | sha512_block_data_order (c,p,1); |
131 | |
|
132 | 0 | if (md==0) return 0; |
133 | | |
134 | 0 | switch (c->md_len) |
135 | 0 | { |
136 | | /* Let compiler decide if it's appropriate to unroll... */ |
137 | 0 | case SHA384_DIGEST_LENGTH: |
138 | 0 | for (n=0;n<SHA384_DIGEST_LENGTH/8;n++) |
139 | 0 | { |
140 | 0 | SHA_LONG64 t = c->h[n]; |
141 | |
|
142 | 0 | *(md++) = (unsigned char)(t>>56); |
143 | 0 | *(md++) = (unsigned char)(t>>48); |
144 | 0 | *(md++) = (unsigned char)(t>>40); |
145 | 0 | *(md++) = (unsigned char)(t>>32); |
146 | 0 | *(md++) = (unsigned char)(t>>24); |
147 | 0 | *(md++) = (unsigned char)(t>>16); |
148 | 0 | *(md++) = (unsigned char)(t>>8); |
149 | 0 | *(md++) = (unsigned char)(t); |
150 | 0 | } |
151 | 0 | break; |
152 | 0 | case SHA512_DIGEST_LENGTH: |
153 | 0 | for (n=0;n<SHA512_DIGEST_LENGTH/8;n++) |
154 | 0 | { |
155 | 0 | SHA_LONG64 t = c->h[n]; |
156 | |
|
157 | 0 | *(md++) = (unsigned char)(t>>56); |
158 | 0 | *(md++) = (unsigned char)(t>>48); |
159 | 0 | *(md++) = (unsigned char)(t>>40); |
160 | 0 | *(md++) = (unsigned char)(t>>32); |
161 | 0 | *(md++) = (unsigned char)(t>>24); |
162 | 0 | *(md++) = (unsigned char)(t>>16); |
163 | 0 | *(md++) = (unsigned char)(t>>8); |
164 | 0 | *(md++) = (unsigned char)(t); |
165 | 0 | } |
166 | 0 | break; |
167 | | /* ... as well as make sure md_len is not abused. */ |
168 | 0 | default: return 0; |
169 | 0 | } |
170 | | |
171 | 0 | return 1; |
172 | 0 | } |
173 | | |
174 | | int SHA384_Final (unsigned char *md,SHA512_CTX *c) |
175 | 0 | { return SHA512_Final (md,c); } |
176 | | |
177 | | int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len) |
178 | 0 | { |
179 | 0 | SHA_LONG64 l; |
180 | 0 | unsigned char *p=c->u.p; |
181 | 0 | const unsigned char *data=(const unsigned char *)_data; |
182 | |
|
183 | 0 | if (len==0) return 1; |
184 | | |
185 | 0 | l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff); |
186 | 0 | if (l < c->Nl) c->Nh++; |
187 | 0 | if (sizeof(len)>=8) c->Nh+=(((SHA_LONG64)len)>>61); |
188 | 0 | c->Nl=l; |
189 | |
|
190 | 0 | if (c->num != 0) |
191 | 0 | { |
192 | 0 | size_t n = sizeof(c->u) - c->num; |
193 | |
|
194 | 0 | if (len < n) |
195 | 0 | { |
196 | 0 | memcpy (p+c->num,data,len), c->num += (unsigned int)len; |
197 | 0 | return 1; |
198 | 0 | } |
199 | 0 | else { |
200 | 0 | memcpy (p+c->num,data,n), c->num = 0; |
201 | 0 | len-=n, data+=n; |
202 | 0 | sha512_block_data_order (c,p,1); |
203 | 0 | } |
204 | 0 | } |
205 | | |
206 | 0 | if (len >= sizeof(c->u)) |
207 | 0 | { |
208 | | #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA |
209 | | if ((size_t)data%sizeof(c->u.d[0]) != 0) |
210 | | while (len >= sizeof(c->u)) |
211 | | memcpy (p,data,sizeof(c->u)), |
212 | | sha512_block_data_order (c,p,1), |
213 | | len -= sizeof(c->u), |
214 | | data += sizeof(c->u); |
215 | | else |
216 | | #endif |
217 | 0 | sha512_block_data_order (c,data,len/sizeof(c->u)), |
218 | 0 | data += len, |
219 | 0 | len %= sizeof(c->u), |
220 | 0 | data -= len; |
221 | 0 | } |
222 | |
|
223 | 0 | if (len != 0) memcpy (p,data,len), c->num = (int)len; |
224 | |
|
225 | 0 | return 1; |
226 | 0 | } |
227 | | |
228 | | int SHA384_Update (SHA512_CTX *c, const void *data, size_t len) |
229 | 0 | { return SHA512_Update (c,data,len); } |
230 | | |
231 | | void SHA512_Transform (SHA512_CTX *c, const unsigned char *data) |
232 | 0 | { |
233 | | #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA |
234 | | if ((size_t)data%sizeof(c->u.d[0]) != 0) |
235 | | memcpy(c->u.p,data,sizeof(c->u.p)), |
236 | | data = c->u.p; |
237 | | #endif |
238 | 0 | sha512_block_data_order (c,data,1); |
239 | 0 | } |
240 | | |
241 | | unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md) |
242 | 0 | { |
243 | 0 | SHA512_CTX c; |
244 | 0 | static unsigned char m[SHA384_DIGEST_LENGTH]; |
245 | |
|
246 | 0 | if (md == NULL) md=m; |
247 | 0 | SHA384_Init(&c); |
248 | 0 | SHA512_Update(&c,d,n); |
249 | 0 | SHA512_Final(md,&c); |
250 | 0 | explicit_bzero(&c,sizeof(c)); |
251 | 0 | return(md); |
252 | 0 | } |
253 | | |
254 | | unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md) |
255 | 0 | { |
256 | 0 | SHA512_CTX c; |
257 | 0 | static unsigned char m[SHA512_DIGEST_LENGTH]; |
258 | |
|
259 | 0 | if (md == NULL) md=m; |
260 | 0 | SHA512_Init(&c); |
261 | 0 | SHA512_Update(&c,d,n); |
262 | 0 | SHA512_Final(md,&c); |
263 | 0 | explicit_bzero(&c,sizeof(c)); |
264 | 0 | return(md); |
265 | 0 | } |
266 | | |
267 | | #ifndef SHA512_ASM |
268 | | static const SHA_LONG64 K512[80] = { |
269 | | U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd), |
270 | | U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc), |
271 | | U64(0x3956c25bf348b538),U64(0x59f111f1b605d019), |
272 | | U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118), |
273 | | U64(0xd807aa98a3030242),U64(0x12835b0145706fbe), |
274 | | U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2), |
275 | | U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1), |
276 | | U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694), |
277 | | U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3), |
278 | | U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65), |
279 | | U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483), |
280 | | U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5), |
281 | | U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210), |
282 | | U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4), |
283 | | U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725), |
284 | | U64(0x06ca6351e003826f),U64(0x142929670a0e6e70), |
285 | | U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926), |
286 | | U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df), |
287 | | U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8), |
288 | | U64(0x81c2c92e47edaee6),U64(0x92722c851482353b), |
289 | | U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001), |
290 | | U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30), |
291 | | U64(0xd192e819d6ef5218),U64(0xd69906245565a910), |
292 | | U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8), |
293 | | U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53), |
294 | | U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8), |
295 | | U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb), |
296 | | U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3), |
297 | | U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60), |
298 | | U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec), |
299 | | U64(0x90befffa23631e28),U64(0xa4506cebde82bde9), |
300 | | U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b), |
301 | | U64(0xca273eceea26619c),U64(0xd186b8c721c0c207), |
302 | | U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178), |
303 | | U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6), |
304 | | U64(0x113f9804bef90dae),U64(0x1b710b35131c471b), |
305 | | U64(0x28db77f523047d84),U64(0x32caab7b40c72493), |
306 | | U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c), |
307 | | U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a), |
308 | | U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) }; |
309 | | |
310 | | #if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) |
311 | | # if defined(__x86_64) || defined(__x86_64__) |
312 | | # define ROTR(a,n) ({ SHA_LONG64 ret; \ |
313 | | asm ("rorq %1,%0" \ |
314 | | : "=r"(ret) \ |
315 | | : "J"(n),"0"(a) \ |
316 | | : "cc"); ret; }) |
317 | | # define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x))); \ |
318 | | asm ("bswapq %0" \ |
319 | | : "=r"(ret) \ |
320 | | : "0"(ret)); ret; }) |
321 | | # elif (defined(__i386) || defined(__i386__)) |
322 | | # define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\ |
323 | | unsigned int hi=p[0],lo=p[1]; \ |
324 | | asm ("bswapl %0; bswapl %1;" \ |
325 | | : "=r"(lo),"=r"(hi) \ |
326 | | : "0"(lo),"1"(hi)); \ |
327 | | ((SHA_LONG64)hi)<<32|lo; }) |
328 | | # elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64) |
329 | | # define ROTR(a,n) ({ SHA_LONG64 ret; \ |
330 | | asm ("rotrdi %0,%1,%2" \ |
331 | | : "=r"(ret) \ |
332 | | : "r"(a),"K"(n)); ret; }) |
333 | | # endif |
334 | | #endif |
335 | | |
336 | | #ifndef PULL64 |
337 | | #define B(x,j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8)) |
338 | | #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7)) |
339 | | #endif |
340 | | |
341 | | #ifndef ROTR |
342 | | #define ROTR(x,s) (((x)>>s) | (x)<<(64-s)) |
343 | | #endif |
344 | | |
345 | | #define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) |
346 | | #define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) |
347 | | #define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) |
348 | | #define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) |
349 | | |
350 | | #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) |
351 | | #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) |
352 | | |
353 | | |
354 | | #if defined(__i386) || defined(__i386__) || defined(_M_IX86) |
355 | | /* |
356 | | * This code should give better results on 32-bit CPU with less than |
357 | | * ~24 registers, both size and performance wise... |
358 | | */ |
359 | | static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num) |
360 | | { |
361 | | const SHA_LONG64 *W=in; |
362 | | SHA_LONG64 A,E,T; |
363 | | SHA_LONG64 X[9+80],*F; |
364 | | int i; |
365 | | |
366 | | while (num--) { |
367 | | |
368 | | F = X+80; |
369 | | A = ctx->h[0]; F[1] = ctx->h[1]; |
370 | | F[2] = ctx->h[2]; F[3] = ctx->h[3]; |
371 | | E = ctx->h[4]; F[5] = ctx->h[5]; |
372 | | F[6] = ctx->h[6]; F[7] = ctx->h[7]; |
373 | | |
374 | | for (i=0;i<16;i++,F--) |
375 | | { |
376 | | T = PULL64(W[i]); |
377 | | F[0] = A; |
378 | | F[4] = E; |
379 | | F[8] = T; |
380 | | T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i]; |
381 | | E = F[3] + T; |
382 | | A = T + Sigma0(A) + Maj(A,F[1],F[2]); |
383 | | } |
384 | | |
385 | | for (;i<80;i++,F--) |
386 | | { |
387 | | T = sigma0(F[8+16-1]); |
388 | | T += sigma1(F[8+16-14]); |
389 | | T += F[8+16] + F[8+16-9]; |
390 | | |
391 | | F[0] = A; |
392 | | F[4] = E; |
393 | | F[8] = T; |
394 | | T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i]; |
395 | | E = F[3] + T; |
396 | | A = T + Sigma0(A) + Maj(A,F[1],F[2]); |
397 | | } |
398 | | |
399 | | ctx->h[0] += A; ctx->h[1] += F[1]; |
400 | | ctx->h[2] += F[2]; ctx->h[3] += F[3]; |
401 | | ctx->h[4] += E; ctx->h[5] += F[5]; |
402 | | ctx->h[6] += F[6]; ctx->h[7] += F[7]; |
403 | | |
404 | | W+=SHA_LBLOCK; |
405 | | } |
406 | | } |
407 | | |
408 | | #elif defined(OPENSSL_SMALL_FOOTPRINT) |
409 | | |
410 | | static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num) |
411 | | { |
412 | | const SHA_LONG64 *W=in; |
413 | | SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1,T2; |
414 | | SHA_LONG64 X[16]; |
415 | | int i; |
416 | | |
417 | | while (num--) { |
418 | | |
419 | | a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3]; |
420 | | e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7]; |
421 | | |
422 | | for (i=0;i<16;i++) |
423 | | { |
424 | | #if BYTE_ORDER == BIG_ENDIAN |
425 | | T1 = X[i] = W[i]; |
426 | | #else |
427 | | T1 = X[i] = PULL64(W[i]); |
428 | | #endif |
429 | | T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; |
430 | | T2 = Sigma0(a) + Maj(a,b,c); |
431 | | h = g; g = f; f = e; e = d + T1; |
432 | | d = c; c = b; b = a; a = T1 + T2; |
433 | | } |
434 | | |
435 | | for (;i<80;i++) |
436 | | { |
437 | | s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); |
438 | | s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); |
439 | | |
440 | | T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf]; |
441 | | T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; |
442 | | T2 = Sigma0(a) + Maj(a,b,c); |
443 | | h = g; g = f; f = e; e = d + T1; |
444 | | d = c; c = b; b = a; a = T1 + T2; |
445 | | } |
446 | | |
447 | | ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d; |
448 | | ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h; |
449 | | |
450 | | W+=SHA_LBLOCK; |
451 | | } |
452 | | } |
453 | | |
454 | | #else |
455 | | |
456 | | #define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ |
457 | | T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; \ |
458 | | h = Sigma0(a) + Maj(a,b,c); \ |
459 | | d += T1; h += T1; } while (0) |
460 | | |
461 | | #define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X) do { \ |
462 | | s0 = X[(j+1)&0x0f]; s0 = sigma0(s0); \ |
463 | | s1 = X[(j+14)&0x0f]; s1 = sigma1(s1); \ |
464 | | T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f]; \ |
465 | | ROUND_00_15(i+j,a,b,c,d,e,f,g,h); } while (0) |
466 | | |
467 | | static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num) |
468 | | { |
469 | | const SHA_LONG64 *W=in; |
470 | | SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1; |
471 | | SHA_LONG64 X[16]; |
472 | | int i; |
473 | | |
474 | | while (num--) { |
475 | | |
476 | | a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3]; |
477 | | e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7]; |
478 | | |
479 | | #if BYTE_ORDER == BIG_ENDIAN |
480 | | T1 = X[0] = W[0]; ROUND_00_15(0,a,b,c,d,e,f,g,h); |
481 | | T1 = X[1] = W[1]; ROUND_00_15(1,h,a,b,c,d,e,f,g); |
482 | | T1 = X[2] = W[2]; ROUND_00_15(2,g,h,a,b,c,d,e,f); |
483 | | T1 = X[3] = W[3]; ROUND_00_15(3,f,g,h,a,b,c,d,e); |
484 | | T1 = X[4] = W[4]; ROUND_00_15(4,e,f,g,h,a,b,c,d); |
485 | | T1 = X[5] = W[5]; ROUND_00_15(5,d,e,f,g,h,a,b,c); |
486 | | T1 = X[6] = W[6]; ROUND_00_15(6,c,d,e,f,g,h,a,b); |
487 | | T1 = X[7] = W[7]; ROUND_00_15(7,b,c,d,e,f,g,h,a); |
488 | | T1 = X[8] = W[8]; ROUND_00_15(8,a,b,c,d,e,f,g,h); |
489 | | T1 = X[9] = W[9]; ROUND_00_15(9,h,a,b,c,d,e,f,g); |
490 | | T1 = X[10] = W[10]; ROUND_00_15(10,g,h,a,b,c,d,e,f); |
491 | | T1 = X[11] = W[11]; ROUND_00_15(11,f,g,h,a,b,c,d,e); |
492 | | T1 = X[12] = W[12]; ROUND_00_15(12,e,f,g,h,a,b,c,d); |
493 | | T1 = X[13] = W[13]; ROUND_00_15(13,d,e,f,g,h,a,b,c); |
494 | | T1 = X[14] = W[14]; ROUND_00_15(14,c,d,e,f,g,h,a,b); |
495 | | T1 = X[15] = W[15]; ROUND_00_15(15,b,c,d,e,f,g,h,a); |
496 | | #else |
497 | | T1 = X[0] = PULL64(W[0]); ROUND_00_15(0,a,b,c,d,e,f,g,h); |
498 | | T1 = X[1] = PULL64(W[1]); ROUND_00_15(1,h,a,b,c,d,e,f,g); |
499 | | T1 = X[2] = PULL64(W[2]); ROUND_00_15(2,g,h,a,b,c,d,e,f); |
500 | | T1 = X[3] = PULL64(W[3]); ROUND_00_15(3,f,g,h,a,b,c,d,e); |
501 | | T1 = X[4] = PULL64(W[4]); ROUND_00_15(4,e,f,g,h,a,b,c,d); |
502 | | T1 = X[5] = PULL64(W[5]); ROUND_00_15(5,d,e,f,g,h,a,b,c); |
503 | | T1 = X[6] = PULL64(W[6]); ROUND_00_15(6,c,d,e,f,g,h,a,b); |
504 | | T1 = X[7] = PULL64(W[7]); ROUND_00_15(7,b,c,d,e,f,g,h,a); |
505 | | T1 = X[8] = PULL64(W[8]); ROUND_00_15(8,a,b,c,d,e,f,g,h); |
506 | | T1 = X[9] = PULL64(W[9]); ROUND_00_15(9,h,a,b,c,d,e,f,g); |
507 | | T1 = X[10] = PULL64(W[10]); ROUND_00_15(10,g,h,a,b,c,d,e,f); |
508 | | T1 = X[11] = PULL64(W[11]); ROUND_00_15(11,f,g,h,a,b,c,d,e); |
509 | | T1 = X[12] = PULL64(W[12]); ROUND_00_15(12,e,f,g,h,a,b,c,d); |
510 | | T1 = X[13] = PULL64(W[13]); ROUND_00_15(13,d,e,f,g,h,a,b,c); |
511 | | T1 = X[14] = PULL64(W[14]); ROUND_00_15(14,c,d,e,f,g,h,a,b); |
512 | | T1 = X[15] = PULL64(W[15]); ROUND_00_15(15,b,c,d,e,f,g,h,a); |
513 | | #endif |
514 | | |
515 | | for (i=16;i<80;i+=16) |
516 | | { |
517 | | ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X); |
518 | | ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X); |
519 | | ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X); |
520 | | ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X); |
521 | | ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X); |
522 | | ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X); |
523 | | ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X); |
524 | | ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X); |
525 | | ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X); |
526 | | ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X); |
527 | | ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X); |
528 | | ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X); |
529 | | ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X); |
530 | | ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X); |
531 | | ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X); |
532 | | ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X); |
533 | | } |
534 | | |
535 | | ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d; |
536 | | ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h; |
537 | | |
538 | | W+=SHA_LBLOCK; |
539 | | } |
540 | | } |
541 | | |
542 | | #endif |
543 | | |
544 | | #endif /* SHA512_ASM */ |
545 | | |
546 | | #endif /* !OPENSSL_NO_SHA512 */ |