1 files changed, 112 insertions, 54 deletions
diff --git a/src/lib/libcrypto/sha/sha512.c b/src/lib/libcrypto/sha/sha512.c
index 0bc6039326..6dc91cb0f5 100644
--- a/src/lib/libcrypto/sha/sha512.c
+++ b/src/lib/libcrypto/sha/sha512.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha512.c,v 1.39 2023/05/27 09:18:17 jsing Exp $ */
+/* $OpenBSD: sha512.c,v 1.40 2023/07/02 14:57:58 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -66,7 +66,7 @@
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
-/* Ensure that SHA_LONG64 is 64 bits. */
+/* Ensure that SHA_LONG64 and uint64_t are equivalent. */
 CTASSERT(sizeof(SHA_LONG64) == sizeof(uint64_t));
 #ifdef SHA512_ASM
@@ -117,36 +117,77 @@ static const SHA_LONG64 K512[80] = {
        U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817),
 };
-#define ROTR(x, s)      crypto_ror_u64(x, s)
+static inline SHA_LONG64
+Sigma0(SHA_LONG64 x)
+{
+        return crypto_ror_u64(x, 28) ^ crypto_ror_u64(x, 34) ^
+            crypto_ror_u64(x, 39);
+}
-#define Sigma0(x)       (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
+static inline SHA_LONG64
-#define Sigma1(x)       (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
+Sigma1(SHA_LONG64 x)
-#define sigma0(x)       (ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
+{
-#define sigma1(x)       (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
+        return crypto_ror_u64(x, 14) ^ crypto_ror_u64(x, 18) ^
+            crypto_ror_u64(x, 41);
+}
-#define Ch(x, y, z)     (((x) & (y)) ^ ((~(x)) & (z)))
+static inline SHA_LONG64
-#define Maj(x, y, z)    (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+sigma0(SHA_LONG64 x)
+{
+        return crypto_ror_u64(x, 1) ^ crypto_ror_u64(x, 8) ^ (x >> 7);
+}
-#define ROUND_00_15(i, a, b, c, d, e, f, g, h, Wt)              do {    \
+static inline SHA_LONG64
-        T1 = h + Sigma1(e) + Ch(e, f, g) + K512[i] + Wt;                \
+sigma1(SHA_LONG64 x)
-        T2 = Sigma0(a) + Maj(a, b, c);                                  \
+{
-        d += T1;                                                        \
+        return crypto_ror_u64(x, 19) ^ crypto_ror_u64(x, 61) ^ (x >> 6);
-        h = T1 + T2;                                                    \
+}
-                                                                } while (0)
-#define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X)            do {    \
+static inline SHA_LONG64
-        s0 = sigma0(X[(j + 1) & 0x0f]);                                 \
+Ch(SHA_LONG64 x, SHA_LONG64 y, SHA_LONG64 z)
-        s1 = sigma1(X[(j + 14) & 0x0f]);                                \
+{
-        X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f];                   \
+        return (x & y) ^ (~x & z);
-        ROUND_00_15(i + j, a, b, c, d, e, f, g, h, X[(j) & 0x0f]);      \
+}
-                                                                } while (0)
+static inline SHA_LONG64
+Maj(SHA_LONG64 x, SHA_LONG64 y, SHA_LONG64 z)
+{
+        return (x & y) ^ (x & z) ^ (y & z);
+}
+static inline void
+sha512_msg_schedule_update(SHA_LONG64 *W0, SHA_LONG64 W1,
+    SHA_LONG64 W9, SHA_LONG64 W14)
+{
+        *W0 = sigma1(W14) + W9 + sigma0(W1) + *W0;
+}
+static inline void
+sha512_round(SHA_LONG64 *a, SHA_LONG64 *b, SHA_LONG64 *c, SHA_LONG64 *d,
+    SHA_LONG64 *e, SHA_LONG64 *f, SHA_LONG64 *g, SHA_LONG64 *h,
+    SHA_LONG64 Kt, SHA_LONG64 Wt)
+{
+        SHA_LONG64 T1, T2;
+        T1 = *h + Sigma1(*e) + Ch(*e, *f, *g) + Kt + Wt;
+        T2 = Sigma0(*a) + Maj(*a, *b, *c);
+        *h = *g;
+        *g = *f;
+        *f = *e;
+        *e = *d + T1;
+        *d = *c;
+        *c = *b;
+        *b = *a;
+        *a = T1 + T2;
+}
 static void
 sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num)
 {
        const uint8_t *in = _in;
        const SHA_LONG64 *in64;
-        SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1, T2;
+        SHA_LONG64 a, b, c, d, e, f, g, h;
        SHA_LONG64 X[16];
        int i;
@@ -200,40 +241,57 @@ sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num)
                }
                in += SHA512_CBLOCK;
-                ROUND_00_15(0, a, b, c, d, e, f, g, h, X[0]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[0], X[0]);
-                ROUND_00_15(1, h, a, b, c, d, e, f, g, X[1]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[1], X[1]);
-                ROUND_00_15(2, g, h, a, b, c, d, e, f, X[2]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[2], X[2]);
-                ROUND_00_15(3, f, g, h, a, b, c, d, e, X[3]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[3], X[3]);
-                ROUND_00_15(4, e, f, g, h, a, b, c, d, X[4]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[4], X[4]);
-                ROUND_00_15(5, d, e, f, g, h, a, b, c, X[5]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[5], X[5]);
-                ROUND_00_15(6, c, d, e, f, g, h, a, b, X[6]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[6], X[6]);
-                ROUND_00_15(7, b, c, d, e, f, g, h, a, X[7]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[7], X[7]);
-                ROUND_00_15(8, a, b, c, d, e, f, g, h, X[8]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[8], X[8]);
-                ROUND_00_15(9, h, a, b, c, d, e, f, g, X[9]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[9], X[9]);
-                ROUND_00_15(10, g, h, a, b, c, d, e, f, X[10]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[10], X[10]);
-                ROUND_00_15(11, f, g, h, a, b, c, d, e, X[11]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[11], X[11]);
-                ROUND_00_15(12, e, f, g, h, a, b, c, d, X[12]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[12], X[12]);
-                ROUND_00_15(13, d, e, f, g, h, a, b, c, X[13]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[13], X[13]);
-                ROUND_00_15(14, c, d, e, f, g, h, a, b, X[14]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[14], X[14]);
-                ROUND_00_15(15, b, c, d, e, f, g, h, a, X[15]);
+                sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[15], X[15]);
                for (i = 16; i < 80; i += 16) {
-                        ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X);
+                        sha512_msg_schedule_update(&X[0], X[1], X[9], X[14]);
-                        ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X);
+                        sha512_msg_schedule_update(&X[1], X[2], X[10], X[15]);
-                        ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X);
+                        sha512_msg_schedule_update(&X[2], X[3], X[11], X[0]);
-                        ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X);
+                        sha512_msg_schedule_update(&X[3], X[4], X[12], X[1]);
-                        ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X);
+                        sha512_msg_schedule_update(&X[4], X[5], X[13], X[2]);
-                        ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X);
+                        sha512_msg_schedule_update(&X[5], X[6], X[14], X[3]);
-                        ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X);
+                        sha512_msg_schedule_update(&X[6], X[7], X[15], X[4]);
-                        ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X);
+                        sha512_msg_schedule_update(&X[7], X[8], X[0], X[5]);
-                        ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X);
+                        sha512_msg_schedule_update(&X[8], X[9], X[1], X[6]);
-                        ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X);
+                        sha512_msg_schedule_update(&X[9], X[10], X[2], X[7]);
-                        ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X);
+                        sha512_msg_schedule_update(&X[10], X[11], X[3], X[8]);
-                        ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X);
+                        sha512_msg_schedule_update(&X[11], X[12], X[4], X[9]);
-                        ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X);
+                        sha512_msg_schedule_update(&X[12], X[13], X[5], X[10]);
-                        ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X);
+                        sha512_msg_schedule_update(&X[13], X[14], X[6], X[11]);
-                        ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X);
+                        sha512_msg_schedule_update(&X[14], X[15], X[7], X[12]);
-                        ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X);
+                        sha512_msg_schedule_update(&X[15], X[0], X[8], X[13]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 0], X[0]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 1], X[1]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 2], X[2]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 3], X[3]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 4], X[4]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 5], X[5]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 6], X[6]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 7], X[7]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 8], X[8]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 9], X[9]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 10], X[10]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 11], X[11]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 12], X[12]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 13], X[13]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 14], X[14]);
+                        sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 15], X[15]);
                }
                ctx->h[0] += a;

diff --git a/src/lib/libcrypto/sha/sha512.c b/src/lib/libcrypto/sha/sha512.c index 0bc6039326..6dc91cb0f5 100644 --- a/src/lib/libcrypto/sha/sha512.c +++ b/src/lib/libcrypto/sha/sha512.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sha512.c,v 1.39 2023/05/27 09:18:17 jsing Exp $ */	1	/* $OpenBSD: sha512.c,v 1.40 2023/07/02 14:57:58 jsing Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -66,7 +66,7 @@
66		66
67	#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)	67	#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
68		68
69	/* Ensure that SHA_LONG64 is 64 bits. */	69	/* Ensure that SHA_LONG64 and uint64_t are equivalent. */
70	CTASSERT(sizeof(SHA_LONG64) == sizeof(uint64_t));	70	CTASSERT(sizeof(SHA_LONG64) == sizeof(uint64_t));
71		71
72	#ifdef SHA512_ASM	72	#ifdef SHA512_ASM
@@ -117,36 +117,77 @@ static const SHA_LONG64 K512[80] = {
117	U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817),	117	U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817),
118	};	118	};
119		119
120	#define ROTR(x, s) crypto_ror_u64(x, s)	120	static inline SHA_LONG64
		121	Sigma0(SHA_LONG64 x)
		122	{
		123	return crypto_ror_u64(x, 28) ^ crypto_ror_u64(x, 34) ^
		124	crypto_ror_u64(x, 39);
		125	}
121		126
122	#define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))	127	static inline SHA_LONG64
123	#define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))	128	Sigma1(SHA_LONG64 x)
124	#define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))	129	{
125	#define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))	130	return crypto_ror_u64(x, 14) ^ crypto_ror_u64(x, 18) ^
		131	crypto_ror_u64(x, 41);
		132	}
126		133
127	#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))	134	static inline SHA_LONG64
128	#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))	135	sigma0(SHA_LONG64 x)
		136	{
		137	return crypto_ror_u64(x, 1) ^ crypto_ror_u64(x, 8) ^ (x >> 7);
		138	}
129		139
130	#define ROUND_00_15(i, a, b, c, d, e, f, g, h, Wt) do { \	140	static inline SHA_LONG64
131	T1 = h + Sigma1(e) + Ch(e, f, g) + K512[i] + Wt; \	141	sigma1(SHA_LONG64 x)
132	T2 = Sigma0(a) + Maj(a, b, c); \	142	{
133	d += T1; \	143	return crypto_ror_u64(x, 19) ^ crypto_ror_u64(x, 61) ^ (x >> 6);
134	h = T1 + T2; \	144	}
135	} while (0)
136		145
137	#define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) do { \	146	static inline SHA_LONG64
138	s0 = sigma0(X[(j + 1) & 0x0f]); \	147	Ch(SHA_LONG64 x, SHA_LONG64 y, SHA_LONG64 z)
139	s1 = sigma1(X[(j + 14) & 0x0f]); \	148	{
140	X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \	149	return (x & y) ^ (~x & z);
141	ROUND_00_15(i + j, a, b, c, d, e, f, g, h, X[(j) & 0x0f]); \	150	}
142	} while (0)	151
		152	static inline SHA_LONG64
		153	Maj(SHA_LONG64 x, SHA_LONG64 y, SHA_LONG64 z)
		154	{
		155	return (x & y) ^ (x & z) ^ (y & z);
		156	}
		157
		158	static inline void
		159	sha512_msg_schedule_update(SHA_LONG64 *W0, SHA_LONG64 W1,
		160	SHA_LONG64 W9, SHA_LONG64 W14)
		161	{
		162	W0 = sigma1(W14) + W9 + sigma0(W1) + W0;
		163	}
		164
		165	static inline void
		166	sha512_round(SHA_LONG64 a, SHA_LONG64 b, SHA_LONG64 c, SHA_LONG64 d,
		167	SHA_LONG64 e, SHA_LONG64 f, SHA_LONG64 g, SHA_LONG64 h,
		168	SHA_LONG64 Kt, SHA_LONG64 Wt)
		169	{
		170	SHA_LONG64 T1, T2;
		171
		172	T1 = h + Sigma1(e) + Ch(e, f, *g) + Kt + Wt;
		173	T2 = Sigma0(a) + Maj(a, b, c);
		174
		175	h = g;
		176	g = f;
		177	f = e;
		178	e = d + T1;
		179	d = c;
		180	c = b;
		181	b = a;
		182	*a = T1 + T2;
		183	}
143		184
144	static void	185	static void
145	sha512_block_data_order(SHA512_CTX ctx, const void _in, size_t num)	186	sha512_block_data_order(SHA512_CTX ctx, const void _in, size_t num)
146	{	187	{
147	const uint8_t *in = _in;	188	const uint8_t *in = _in;
148	const SHA_LONG64 *in64;	189	const SHA_LONG64 *in64;
149	SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1, T2;	190	SHA_LONG64 a, b, c, d, e, f, g, h;
150	SHA_LONG64 X[16];	191	SHA_LONG64 X[16];
151	int i;	192	int i;
152		193
@@ -200,40 +241,57 @@ sha512_block_data_order(SHA512_CTX ctx, const void _in, size_t num)
200	}	241	}
201	in += SHA512_CBLOCK;	242	in += SHA512_CBLOCK;
202		243
203	ROUND_00_15(0, a, b, c, d, e, f, g, h, X[0]);	244	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[0], X[0]);
204	ROUND_00_15(1, h, a, b, c, d, e, f, g, X[1]);	245	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[1], X[1]);
205	ROUND_00_15(2, g, h, a, b, c, d, e, f, X[2]);	246	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[2], X[2]);
206	ROUND_00_15(3, f, g, h, a, b, c, d, e, X[3]);	247	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[3], X[3]);
207	ROUND_00_15(4, e, f, g, h, a, b, c, d, X[4]);	248	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[4], X[4]);
208	ROUND_00_15(5, d, e, f, g, h, a, b, c, X[5]);	249	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[5], X[5]);
209	ROUND_00_15(6, c, d, e, f, g, h, a, b, X[6]);	250	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[6], X[6]);
210	ROUND_00_15(7, b, c, d, e, f, g, h, a, X[7]);	251	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[7], X[7]);
211	ROUND_00_15(8, a, b, c, d, e, f, g, h, X[8]);	252	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[8], X[8]);
212	ROUND_00_15(9, h, a, b, c, d, e, f, g, X[9]);	253	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[9], X[9]);
213	ROUND_00_15(10, g, h, a, b, c, d, e, f, X[10]);	254	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[10], X[10]);
214	ROUND_00_15(11, f, g, h, a, b, c, d, e, X[11]);	255	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[11], X[11]);
215	ROUND_00_15(12, e, f, g, h, a, b, c, d, X[12]);	256	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[12], X[12]);
216	ROUND_00_15(13, d, e, f, g, h, a, b, c, X[13]);	257	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[13], X[13]);
217	ROUND_00_15(14, c, d, e, f, g, h, a, b, X[14]);	258	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[14], X[14]);
218	ROUND_00_15(15, b, c, d, e, f, g, h, a, X[15]);	259	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[15], X[15]);
219		260
220	for (i = 16; i < 80; i += 16) {	261	for (i = 16; i < 80; i += 16) {
221	ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X);	262	sha512_msg_schedule_update(&X[0], X[1], X[9], X[14]);
222	ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X);	263	sha512_msg_schedule_update(&X[1], X[2], X[10], X[15]);
223	ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X);	264	sha512_msg_schedule_update(&X[2], X[3], X[11], X[0]);
224	ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X);	265	sha512_msg_schedule_update(&X[3], X[4], X[12], X[1]);
225	ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X);	266	sha512_msg_schedule_update(&X[4], X[5], X[13], X[2]);
226	ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X);	267	sha512_msg_schedule_update(&X[5], X[6], X[14], X[3]);
227	ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X);	268	sha512_msg_schedule_update(&X[6], X[7], X[15], X[4]);
228	ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X);	269	sha512_msg_schedule_update(&X[7], X[8], X[0], X[5]);
229	ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X);	270	sha512_msg_schedule_update(&X[8], X[9], X[1], X[6]);
230	ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X);	271	sha512_msg_schedule_update(&X[9], X[10], X[2], X[7]);
231	ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X);	272	sha512_msg_schedule_update(&X[10], X[11], X[3], X[8]);
232	ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X);	273	sha512_msg_schedule_update(&X[11], X[12], X[4], X[9]);
233	ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X);	274	sha512_msg_schedule_update(&X[12], X[13], X[5], X[10]);
234	ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X);	275	sha512_msg_schedule_update(&X[13], X[14], X[6], X[11]);
235	ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X);	276	sha512_msg_schedule_update(&X[14], X[15], X[7], X[12]);
236	ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X);	277	sha512_msg_schedule_update(&X[15], X[0], X[8], X[13]);
		278
		279	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 0], X[0]);
		280	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 1], X[1]);
		281	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 2], X[2]);
		282	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 3], X[3]);
		283	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 4], X[4]);
		284	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 5], X[5]);
		285	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 6], X[6]);
		286	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 7], X[7]);
		287	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 8], X[8]);
		288	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 9], X[9]);
		289	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 10], X[10]);
		290	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 11], X[11]);
		291	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 12], X[12]);
		292	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 13], X[13]);
		293	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 14], X[14]);
		294	sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 15], X[15]);
237	}	295	}
238		296
239	ctx->h[0] += a;	297	ctx->h[0] += a;