/src/openssl/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA224_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA224_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return md;
}

unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA256_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA256_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return md;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))

# define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    const union {
        long one;
        char little;
    } is_endian = {
        1
    };

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!is_endian.little && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2024-05-18 12:36

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24
25		int SHA224_Init(SHA256_CTX *c)
26	0	{
27	0	memset(c, 0, sizeof(*c));
28	0	c->h[0] = 0xc1059ed8UL;
29	0	c->h[1] = 0x367cd507UL;
30	0	c->h[2] = 0x3070dd17UL;
31	0	c->h[3] = 0xf70e5939UL;
32	0	c->h[4] = 0xffc00b31UL;
33	0	c->h[5] = 0x68581511UL;
34	0	c->h[6] = 0x64f98fa7UL;
35	0	c->h[7] = 0xbefa4fa4UL;
36	0	c->md_len = SHA224_DIGEST_LENGTH;
37	0	return 1;
38	0	}
39
40		int SHA256_Init(SHA256_CTX *c)
41	0	{
42	0	memset(c, 0, sizeof(*c));
43	0	c->h[0] = 0x6a09e667UL;
44	0	c->h[1] = 0xbb67ae85UL;
45	0	c->h[2] = 0x3c6ef372UL;
46	0	c->h[3] = 0xa54ff53aUL;
47	0	c->h[4] = 0x510e527fUL;
48	0	c->h[5] = 0x9b05688cUL;
49	0	c->h[6] = 0x1f83d9abUL;
50	0	c->h[7] = 0x5be0cd19UL;
51	0	c->md_len = SHA256_DIGEST_LENGTH;
52	0	return 1;
53	0	}
54
55		unsigned char SHA224(const unsigned char d, size_t n, unsigned char *md)
56	0	{
57	0	SHA256_CTX c;
58	0	static unsigned char m[SHA224_DIGEST_LENGTH];
59
60	0	if (md == NULL)
61	0	md = m;
62	0	SHA224_Init(&c);
63	0	SHA256_Update(&c, d, n);
64	0	SHA256_Final(md, &c);
65	0	OPENSSL_cleanse(&c, sizeof(c));
66	0	return md;
67	0	}
68
69		unsigned char SHA256(const unsigned char d, size_t n, unsigned char *md)
70	0	{
71	0	SHA256_CTX c;
72	0	static unsigned char m[SHA256_DIGEST_LENGTH];
73
74	0	if (md == NULL)
75	0	md = m;
76	0	SHA256_Init(&c);
77	0	SHA256_Update(&c, d, n);
78	0	SHA256_Final(md, &c);
79	0	OPENSSL_cleanse(&c, sizeof(c));
80	0	return md;
81	0	}
82
83		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
84	0	{
85	0	return SHA256_Update(c, data, len);
86	0	}
87
88		int SHA224_Final(unsigned char md, SHA256_CTX c)
89	0	{
90	0	return SHA256_Final(md, c);
91	0	}
92
93		#define DATA_ORDER_IS_BIG_ENDIAN
94
95	0	#define HASH_LONG SHA_LONG
96		#define HASH_CTX SHA256_CTX
97	0	#define HASH_CBLOCK SHA_CBLOCK
98
99		/*
100		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
101		* default: case below covers for it. It's not clear however if it's
102		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
103		* but if it is, then default: case shall be extended. For reference.
104		* Idea behind separate cases for pre-defined lengths is to let the
105		* compiler decide if it's appropriate to unroll small loops.
106		*/
107	0	#define HASH_MAKE_STRING(c,s) do { \
108	0	unsigned long ll; \
109	0	unsigned int nn; \
110	0	switch ((c)->md_len) \
111	0	{ case SHA224_DIGEST_LENGTH: \
112	0	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
113	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
114	0	break; \
115	0	case SHA256_DIGEST_LENGTH: \
116	0	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
117	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
118	0	break; \
119	0	default: \
120	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
121	0	return 0; \
122	0	for (nn=0;nn<(c)->md_len/4;nn++) \
123	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
124	0	break; \
125	0	} \
126	0	} while (0)
127
128		#define HASH_UPDATE SHA256_Update
129		#define HASH_TRANSFORM SHA256_Transform
130		#define HASH_FINAL SHA256_Final
131	0	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
132		#ifndef SHA256_ASM
133		static
134		#endif
135		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
136
137		#include "crypto/md32_common.h"
138
139		#ifndef SHA256_ASM
140		static const SHA_LONG K256[64] = {
141		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
142		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
143		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
144		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
145		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
146		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
147		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
148		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
149		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
150		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
151		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
152		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
153		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
154		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
155		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
156		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
157		};
158
159		/*
160		* FIPS specification refers to right rotations, while our ROTATE macro
161		* is left one. This is why you might notice that rotation coefficients
162		* differ from those observed in FIPS document by 32-N...
163		*/
164		# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
165		# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
166		# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
167		# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
168
169		# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
170		# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
171
172		# ifdef OPENSSL_SMALL_FOOTPRINT
173
174		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
175		size_t num)
176		{
177		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
178		SHA_LONG X[16], l;
179		int i;
180		const unsigned char *data = in;
181
182		while (num--) {
183
184		a = ctx->h[0];
185		b = ctx->h[1];
186		c = ctx->h[2];
187		d = ctx->h[3];
188		e = ctx->h[4];
189		f = ctx->h[5];
190		g = ctx->h[6];
191		h = ctx->h[7];
192
193		for (i = 0; i < 16; i++) {
194		(void)HOST_c2l(data, l);
195		T1 = X[i] = l;
196		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
197		T2 = Sigma0(a) + Maj(a, b, c);
198		h = g;
199		g = f;
200		f = e;
201		e = d + T1;
202		d = c;
203		c = b;
204		b = a;
205		a = T1 + T2;
206		}
207
208		for (; i < 64; i++) {
209		s0 = X[(i + 1) & 0x0f];
210		s0 = sigma0(s0);
211		s1 = X[(i + 14) & 0x0f];
212		s1 = sigma1(s1);
213
214		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
215		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
216		T2 = Sigma0(a) + Maj(a, b, c);
217		h = g;
218		g = f;
219		f = e;
220		e = d + T1;
221		d = c;
222		c = b;
223		b = a;
224		a = T1 + T2;
225		}
226
227		ctx->h[0] += a;
228		ctx->h[1] += b;
229		ctx->h[2] += c;
230		ctx->h[3] += d;
231		ctx->h[4] += e;
232		ctx->h[5] += f;
233		ctx->h[6] += g;
234		ctx->h[7] += h;
235
236		}
237		}
238
239		# else
240
241		# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
242		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
243		h = Sigma0(a) + Maj(a,b,c); \
244		d += T1; h += T1; } while (0)
245
246		# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
247		s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
248		s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
249		T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
250		ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
251
252		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
253		size_t num)
254		{
255		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
256		SHA_LONG X[16];
257		int i;
258		const unsigned char *data = in;
259		const union {
260		long one;
261		char little;
262		} is_endian = {
263		1
264		};
265
266		while (num--) {
267
268		a = ctx->h[0];
269		b = ctx->h[1];
270		c = ctx->h[2];
271		d = ctx->h[3];
272		e = ctx->h[4];
273		f = ctx->h[5];
274		g = ctx->h[6];
275		h = ctx->h[7];
276
277		if (!is_endian.little && sizeof(SHA_LONG) == 4
278		&& ((size_t)in % 4) == 0) {
279		const SHA_LONG W = (const SHA_LONG )data;
280
281		T1 = X[0] = W[0];
282		ROUND_00_15(0, a, b, c, d, e, f, g, h);
283		T1 = X[1] = W[1];
284		ROUND_00_15(1, h, a, b, c, d, e, f, g);
285		T1 = X[2] = W[2];
286		ROUND_00_15(2, g, h, a, b, c, d, e, f);
287		T1 = X[3] = W[3];
288		ROUND_00_15(3, f, g, h, a, b, c, d, e);
289		T1 = X[4] = W[4];
290		ROUND_00_15(4, e, f, g, h, a, b, c, d);
291		T1 = X[5] = W[5];
292		ROUND_00_15(5, d, e, f, g, h, a, b, c);
293		T1 = X[6] = W[6];
294		ROUND_00_15(6, c, d, e, f, g, h, a, b);
295		T1 = X[7] = W[7];
296		ROUND_00_15(7, b, c, d, e, f, g, h, a);
297		T1 = X[8] = W[8];
298		ROUND_00_15(8, a, b, c, d, e, f, g, h);
299		T1 = X[9] = W[9];
300		ROUND_00_15(9, h, a, b, c, d, e, f, g);
301		T1 = X[10] = W[10];
302		ROUND_00_15(10, g, h, a, b, c, d, e, f);
303		T1 = X[11] = W[11];
304		ROUND_00_15(11, f, g, h, a, b, c, d, e);
305		T1 = X[12] = W[12];
306		ROUND_00_15(12, e, f, g, h, a, b, c, d);
307		T1 = X[13] = W[13];
308		ROUND_00_15(13, d, e, f, g, h, a, b, c);
309		T1 = X[14] = W[14];
310		ROUND_00_15(14, c, d, e, f, g, h, a, b);
311		T1 = X[15] = W[15];
312		ROUND_00_15(15, b, c, d, e, f, g, h, a);
313
314		data += SHA256_CBLOCK;
315		} else {
316		SHA_LONG l;
317
318		(void)HOST_c2l(data, l);
319		T1 = X[0] = l;
320		ROUND_00_15(0, a, b, c, d, e, f, g, h);
321		(void)HOST_c2l(data, l);
322		T1 = X[1] = l;
323		ROUND_00_15(1, h, a, b, c, d, e, f, g);
324		(void)HOST_c2l(data, l);
325		T1 = X[2] = l;
326		ROUND_00_15(2, g, h, a, b, c, d, e, f);
327		(void)HOST_c2l(data, l);
328		T1 = X[3] = l;
329		ROUND_00_15(3, f, g, h, a, b, c, d, e);
330		(void)HOST_c2l(data, l);
331		T1 = X[4] = l;
332		ROUND_00_15(4, e, f, g, h, a, b, c, d);
333		(void)HOST_c2l(data, l);
334		T1 = X[5] = l;
335		ROUND_00_15(5, d, e, f, g, h, a, b, c);
336		(void)HOST_c2l(data, l);
337		T1 = X[6] = l;
338		ROUND_00_15(6, c, d, e, f, g, h, a, b);
339		(void)HOST_c2l(data, l);
340		T1 = X[7] = l;
341		ROUND_00_15(7, b, c, d, e, f, g, h, a);
342		(void)HOST_c2l(data, l);
343		T1 = X[8] = l;
344		ROUND_00_15(8, a, b, c, d, e, f, g, h);
345		(void)HOST_c2l(data, l);
346		T1 = X[9] = l;
347		ROUND_00_15(9, h, a, b, c, d, e, f, g);
348		(void)HOST_c2l(data, l);
349		T1 = X[10] = l;
350		ROUND_00_15(10, g, h, a, b, c, d, e, f);
351		(void)HOST_c2l(data, l);
352		T1 = X[11] = l;
353		ROUND_00_15(11, f, g, h, a, b, c, d, e);
354		(void)HOST_c2l(data, l);
355		T1 = X[12] = l;
356		ROUND_00_15(12, e, f, g, h, a, b, c, d);
357		(void)HOST_c2l(data, l);
358		T1 = X[13] = l;
359		ROUND_00_15(13, d, e, f, g, h, a, b, c);
360		(void)HOST_c2l(data, l);
361		T1 = X[14] = l;
362		ROUND_00_15(14, c, d, e, f, g, h, a, b);
363		(void)HOST_c2l(data, l);
364		T1 = X[15] = l;
365		ROUND_00_15(15, b, c, d, e, f, g, h, a);
366		}
367
368		for (i = 16; i < 64; i += 8) {
369		ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
370		ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
371		ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
372		ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
373		ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
374		ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
375		ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
376		ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
377		}
378
379		ctx->h[0] += a;
380		ctx->h[1] += b;
381		ctx->h[2] += c;
382		ctx->h[3] += d;
383		ctx->h[4] += e;
384		ctx->h[5] += f;
385		ctx->h[6] += g;
386		ctx->h[7] += h;
387
388		}
389		}
390
391		# endif
392		#endif /* SHA256_ASM */