/src/openssl/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA224_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA224_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return md;
}

unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA256_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA256_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return md;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))

# define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2020-08-14 21:15

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25
26	0	int SHA224_Init(SHA256_CTX *c)
27	0	{
28	0	memset(c, 0, sizeof(*c));
29	0	c->h[0] = 0xc1059ed8UL;
30	0	c->h[1] = 0x367cd507UL;
31	0	c->h[2] = 0x3070dd17UL;
32	0	c->h[3] = 0xf70e5939UL;
33	0	c->h[4] = 0xffc00b31UL;
34	0	c->h[5] = 0x68581511UL;
35	0	c->h[6] = 0x64f98fa7UL;
36	0	c->h[7] = 0xbefa4fa4UL;
37	0	c->md_len = SHA224_DIGEST_LENGTH;
38	0	return 1;
39		}
40
41	0	int SHA256_Init(SHA256_CTX *c)
42	0	{
43	0	memset(c, 0, sizeof(*c));
44	0	c->h[0] = 0x6a09e667UL;
45	0	c->h[1] = 0xbb67ae85UL;
46	0	c->h[2] = 0x3c6ef372UL;
47	0	c->h[3] = 0xa54ff53aUL;
48	0	c->h[4] = 0x510e527fUL;
49	0	c->h[5] = 0x9b05688cUL;
50	0	c->h[6] = 0x1f83d9abUL;
51	0	c->h[7] = 0x5be0cd19UL;
52	0	c->md_len = SHA256_DIGEST_LENGTH;
53	0	return 1;
54		}
55
56	0	unsigned char SHA224(const unsigned char d, size_t n, unsigned char *md)
57	0	{
58	0	SHA256_CTX c;
59	0	static unsigned char m[SHA224_DIGEST_LENGTH];
60	0
61	0	if (md == NULL)
62	0	md = m;
63	0	SHA224_Init(&c);
64	0	SHA256_Update(&c, d, n);
65	0	SHA256_Final(md, &c);
66	0	OPENSSL_cleanse(&c, sizeof(c));
67	0	return md;
68		}
69
70	0	unsigned char SHA256(const unsigned char d, size_t n, unsigned char *md)
71	0	{
72	0	SHA256_CTX c;
73	0	static unsigned char m[SHA256_DIGEST_LENGTH];
74	0
75	0	if (md == NULL)
76	0	md = m;
77	0	SHA256_Init(&c);
78	0	SHA256_Update(&c, d, n);
79	0	SHA256_Final(md, &c);
80	0	OPENSSL_cleanse(&c, sizeof(c));
81	0	return md;
82		}
83
84	0	int SHA224_Update(SHA256_CTX c, const void data, size_t len)
85	0	{
86	0	return SHA256_Update(c, data, len);
87		}
88
89	0	int SHA224_Final(unsigned char md, SHA256_CTX c)
90	0	{
91	0	return SHA256_Final(md, c);
92		}
93
94		#define DATA_ORDER_IS_BIG_ENDIAN
95	0
96		#define HASH_LONG SHA_LONG
97	0	#define HASH_CTX SHA256_CTX
98		#define HASH_CBLOCK SHA_CBLOCK
99
100		/*
101		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
102		* default: case below covers for it. It's not clear however if it's
103		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
104		* but if it is, then default: case shall be extended. For reference.
105		* Idea behind separate cases for pre-defined lengths is to let the
106		* compiler decide if it's appropriate to unroll small loops.
107	0	*/
108	0	#define HASH_MAKE_STRING(c,s) do { \
109	0	unsigned long ll; \
110	0	unsigned int nn; \
111	0	switch ((c)->md_len) \
112	0	{ case SHA224_DIGEST_LENGTH: \
113	0	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
114	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
115	0	break; \
116	0	case SHA256_DIGEST_LENGTH: \
117	0	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
118	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
119	0	break; \
120	0	default: \
121	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
122	0	return 0; \
123	0	for (nn=0;nn<(c)->md_len/4;nn++) \
124	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
125	0	break; \
126	0	} \
127		} while (0)
128
129		#define HASH_UPDATE SHA256_Update
130		#define HASH_TRANSFORM SHA256_Transform
131	0	#define HASH_FINAL SHA256_Final
132		#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
133		#ifndef SHA256_ASM
134		static
135		#endif
136		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
137
138		#include "crypto/md32_common.h"
139
140		#ifndef SHA256_ASM
141		static const SHA_LONG K256[64] = {
142		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
143		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
144		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
145		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
146		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
147		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
148		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
149		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
150		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
151		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
152		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
153		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
154		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
155		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
156		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
157		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
158		};
159
160		/*
161		* FIPS specification refers to right rotations, while our ROTATE macro
162		* is left one. This is why you might notice that rotation coefficients
163		* differ from those observed in FIPS document by 32-N...
164		*/
165		# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
166		# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
167		# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
168		# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
169
170		# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
171		# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
172
173		# ifdef OPENSSL_SMALL_FOOTPRINT
174
175		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
176		size_t num)
177		{
178		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
179		SHA_LONG X[16], l;
180		int i;
181		const unsigned char *data = in;
182
183		while (num--) {
184
185		a = ctx->h[0];
186		b = ctx->h[1];
187		c = ctx->h[2];
188		d = ctx->h[3];
189		e = ctx->h[4];
190		f = ctx->h[5];
191		g = ctx->h[6];
192		h = ctx->h[7];
193
194		for (i = 0; i < 16; i++) {
195		(void)HOST_c2l(data, l);
196		T1 = X[i] = l;
197		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
198		T2 = Sigma0(a) + Maj(a, b, c);
199		h = g;
200		g = f;
201		f = e;
202		e = d + T1;
203		d = c;
204		c = b;
205		b = a;
206		a = T1 + T2;
207		}
208
209		for (; i < 64; i++) {
210		s0 = X[(i + 1) & 0x0f];
211		s0 = sigma0(s0);
212		s1 = X[(i + 14) & 0x0f];
213		s1 = sigma1(s1);
214
215		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
216		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
217		T2 = Sigma0(a) + Maj(a, b, c);
218		h = g;
219		g = f;
220		f = e;
221		e = d + T1;
222		d = c;
223		c = b;
224		b = a;
225		a = T1 + T2;
226		}
227
228		ctx->h[0] += a;
229		ctx->h[1] += b;
230		ctx->h[2] += c;
231		ctx->h[3] += d;
232		ctx->h[4] += e;
233		ctx->h[5] += f;
234		ctx->h[6] += g;
235		ctx->h[7] += h;
236
237		}
238		}
239
240		# else
241
242		# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
243		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
244		h = Sigma0(a) + Maj(a,b,c); \
245		d += T1; h += T1; } while (0)
246
247		# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
248		s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
249		s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
250		T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
251		ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
252
253		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
254		size_t num)
255		{
256		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
257		SHA_LONG X[16];
258		int i;
259		const unsigned char *data = in;
260		DECLARE_IS_ENDIAN;
261
262		while (num--) {
263
264		a = ctx->h[0];
265		b = ctx->h[1];
266		c = ctx->h[2];
267		d = ctx->h[3];
268		e = ctx->h[4];
269		f = ctx->h[5];
270		g = ctx->h[6];
271		h = ctx->h[7];
272
273		if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
274		&& ((size_t)in % 4) == 0) {
275		const SHA_LONG W = (const SHA_LONG )data;
276
277		T1 = X[0] = W[0];
278		ROUND_00_15(0, a, b, c, d, e, f, g, h);
279		T1 = X[1] = W[1];
280		ROUND_00_15(1, h, a, b, c, d, e, f, g);
281		T1 = X[2] = W[2];
282		ROUND_00_15(2, g, h, a, b, c, d, e, f);
283		T1 = X[3] = W[3];
284		ROUND_00_15(3, f, g, h, a, b, c, d, e);
285		T1 = X[4] = W[4];
286		ROUND_00_15(4, e, f, g, h, a, b, c, d);
287		T1 = X[5] = W[5];
288		ROUND_00_15(5, d, e, f, g, h, a, b, c);
289		T1 = X[6] = W[6];
290		ROUND_00_15(6, c, d, e, f, g, h, a, b);
291		T1 = X[7] = W[7];
292		ROUND_00_15(7, b, c, d, e, f, g, h, a);
293		T1 = X[8] = W[8];
294		ROUND_00_15(8, a, b, c, d, e, f, g, h);
295		T1 = X[9] = W[9];
296		ROUND_00_15(9, h, a, b, c, d, e, f, g);
297		T1 = X[10] = W[10];
298		ROUND_00_15(10, g, h, a, b, c, d, e, f);
299		T1 = X[11] = W[11];
300		ROUND_00_15(11, f, g, h, a, b, c, d, e);
301		T1 = X[12] = W[12];
302		ROUND_00_15(12, e, f, g, h, a, b, c, d);
303		T1 = X[13] = W[13];
304		ROUND_00_15(13, d, e, f, g, h, a, b, c);
305		T1 = X[14] = W[14];
306		ROUND_00_15(14, c, d, e, f, g, h, a, b);
307		T1 = X[15] = W[15];
308		ROUND_00_15(15, b, c, d, e, f, g, h, a);
309
310		data += SHA256_CBLOCK;
311		} else {
312		SHA_LONG l;
313
314		(void)HOST_c2l(data, l);
315		T1 = X[0] = l;
316		ROUND_00_15(0, a, b, c, d, e, f, g, h);
317		(void)HOST_c2l(data, l);
318		T1 = X[1] = l;
319		ROUND_00_15(1, h, a, b, c, d, e, f, g);
320		(void)HOST_c2l(data, l);
321		T1 = X[2] = l;
322		ROUND_00_15(2, g, h, a, b, c, d, e, f);
323		(void)HOST_c2l(data, l);
324		T1 = X[3] = l;
325		ROUND_00_15(3, f, g, h, a, b, c, d, e);
326		(void)HOST_c2l(data, l);
327		T1 = X[4] = l;
328		ROUND_00_15(4, e, f, g, h, a, b, c, d);
329		(void)HOST_c2l(data, l);
330		T1 = X[5] = l;
331		ROUND_00_15(5, d, e, f, g, h, a, b, c);
332		(void)HOST_c2l(data, l);
333		T1 = X[6] = l;
334		ROUND_00_15(6, c, d, e, f, g, h, a, b);
335		(void)HOST_c2l(data, l);
336		T1 = X[7] = l;
337		ROUND_00_15(7, b, c, d, e, f, g, h, a);
338		(void)HOST_c2l(data, l);
339		T1 = X[8] = l;
340		ROUND_00_15(8, a, b, c, d, e, f, g, h);
341		(void)HOST_c2l(data, l);
342		T1 = X[9] = l;
343		ROUND_00_15(9, h, a, b, c, d, e, f, g);
344		(void)HOST_c2l(data, l);
345		T1 = X[10] = l;
346		ROUND_00_15(10, g, h, a, b, c, d, e, f);
347		(void)HOST_c2l(data, l);
348		T1 = X[11] = l;
349		ROUND_00_15(11, f, g, h, a, b, c, d, e);
350		(void)HOST_c2l(data, l);
351		T1 = X[12] = l;
352		ROUND_00_15(12, e, f, g, h, a, b, c, d);
353		(void)HOST_c2l(data, l);
354		T1 = X[13] = l;
355		ROUND_00_15(13, d, e, f, g, h, a, b, c);
356		(void)HOST_c2l(data, l);
357		T1 = X[14] = l;
358		ROUND_00_15(14, c, d, e, f, g, h, a, b);
359		(void)HOST_c2l(data, l);
360		T1 = X[15] = l;
361		ROUND_00_15(15, b, c, d, e, f, g, h, a);
362		}
363
364		for (i = 16; i < 64; i += 8) {
365		ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
366		ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
367		ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
368		ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
369		ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
370		ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
371		ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
372		ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
373		}
374
375		ctx->h[0] += a;
376		ctx->h[1] += b;
377		ctx->h[2] += c;
378		ctx->h[3] += d;
379		ctx->h[4] += e;
380		ctx->h[5] += f;
381		ctx->h[6] += g;
382		ctx->h[7] += h;
383
384		}
385		}
386
387		# endif
388		#endif /* SHA256_ASM */