/src/openssl/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len) {          \
            case SHA256_192_DIGEST_LENGTH: \
                for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) { \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
            case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) {     \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) {     \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++) {              \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
        }                               \
    } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#else
# ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
# endif /* INCLUDE_C_SHA256 */
#endif /* SHA256_ASM */
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

# ifndef PEDANTIC
#  if defined(__GNUC__) && __GNUC__>=2 && \
      !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#   if defined(__riscv_zknh)
#    define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#   endif
#   if defined(__riscv_zbt) || defined(__riscv_zpn)
#    define Ch(x,y,z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret;             })
#    define Maj(x,y,z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret;           })
#   endif
#  endif
# endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# ifndef Sigma0
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# endif
# ifndef Sigma1
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# endif
# ifndef sigma0
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# endif
# ifndef sigma1
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
# endif
# ifndef Ch
#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# endif
# ifndef Maj
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
# endif

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
#else
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
#endif
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	1.43k	{
29	1.43k	memset(c, 0, sizeof(*c));
30	1.43k	c->h[0] = 0xc1059ed8UL;
31	1.43k	c->h[1] = 0x367cd507UL;
32	1.43k	c->h[2] = 0x3070dd17UL;
33	1.43k	c->h[3] = 0xf70e5939UL;
34	1.43k	c->h[4] = 0xffc00b31UL;
35	1.43k	c->h[5] = 0x68581511UL;
36	1.43k	c->h[6] = 0x64f98fa7UL;
37	1.43k	c->h[7] = 0xbefa4fa4UL;
38	1.43k	c->md_len = SHA224_DIGEST_LENGTH;
39	1.43k	return 1;
40	1.43k	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	1.16k	{
44	1.16k	memset(c, 0, sizeof(*c));
45	1.16k	c->h[0] = 0x6a09e667UL;
46	1.16k	c->h[1] = 0xbb67ae85UL;
47	1.16k	c->h[2] = 0x3c6ef372UL;
48	1.16k	c->h[3] = 0xa54ff53aUL;
49	1.16k	c->h[4] = 0x510e527fUL;
50	1.16k	c->h[5] = 0x9b05688cUL;
51	1.16k	c->h[6] = 0x1f83d9abUL;
52	1.16k	c->h[7] = 0x5be0cd19UL;
53	1.16k	c->md_len = SHA256_DIGEST_LENGTH;
54	1.16k	return 1;
55	1.16k	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	0	{
59	0	SHA256_Init(c);
60	0	c->md_len = SHA256_192_DIGEST_LENGTH;
61	0	return 1;
62	0	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	11.7k	{
66	11.7k	return SHA256_Update(c, data, len);
67	11.7k	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	5.31k	{
71	5.31k	return SHA256_Final(md, c);
72	5.31k	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	33.8k	#define HASH_LONG SHA_LONG
77		#define HASH_CTX SHA256_CTX
78	162k	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88	18.1k	#define HASH_MAKE_STRING(c,s) do { \
89	18.1k	unsigned long ll; \
90	18.1k	unsigned int nn; \
91	18.1k	switch ((c)->md_len) { \
92	0	case SHA256_192_DIGEST_LENGTH: \
93	0	for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) { \
94	0	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
95	0	} \
96	0	break; \
97	5.31k	case SHA224_DIGEST_LENGTH: \
98	42.5k	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) { \
99	37.1k	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
100	37.1k	} \
101	5.31k	break; \
102	12.8k	case SHA256_DIGEST_LENGTH: \
103	115k	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) { \
104	102k	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
105	102k	} \
106	12.8k	break; \
107	0	default: \
108	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
109	0	return 0; \
110	0	for (nn=0;nn<(c)->md_len/4;nn++) { \
111	0	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
112	0	} \
113	0	break; \
114	18.1k	} \
115	18.1k	} while (0)
116
117		#define HASH_UPDATE SHA256_Update
118		#define HASH_TRANSFORM SHA256_Transform
119		#define HASH_FINAL SHA256_Final
120	33.8k	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
121		#ifndef SHA256_ASM
122		static
123		#else
124		# ifdef INCLUDE_C_SHA256
125		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num);
126		# endif /* INCLUDE_C_SHA256 */
127		#endif /* SHA256_ASM */
128		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
129
130		#include "crypto/md32_common.h"
131
132		#if !defined(SHA256_ASM) \|\| defined(INCLUDE_C_SHA256)
133		static const SHA_LONG K256[64] = {
134		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150		};
151
152		# ifndef PEDANTIC
153		# if defined(__GNUC__) && __GNUC__>=2 && \
154		!defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
155		# if defined(__riscv_zknh)
156		# define Sigma0(x) ({ MD32_REG_T ret; \
157		asm ("sha256sum0 %0, %1" \
158		: "=r"(ret) \
159		: "r"(x)); ret; })
160		# define Sigma1(x) ({ MD32_REG_T ret; \
161		asm ("sha256sum1 %0, %1" \
162		: "=r"(ret) \
163		: "r"(x)); ret; })
164		# define sigma0(x) ({ MD32_REG_T ret; \
165		asm ("sha256sig0 %0, %1" \
166		: "=r"(ret) \
167		: "r"(x)); ret; })
168		# define sigma1(x) ({ MD32_REG_T ret; \
169		asm ("sha256sig1 %0, %1" \
170		: "=r"(ret) \
171		: "r"(x)); ret; })
172		# endif
173		# if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
174		# define Ch(x,y,z) ({ MD32_REG_T ret; \
175		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
176		: "=r"(ret) \
177		: "r"(x), "r"(y), "r"(z)); ret; })
178		# define Maj(x,y,z) ({ MD32_REG_T ret; \
179		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
180		: "=r"(ret) \
181		: "r"(x^z), "r"(y), "r"(x)); ret; })
182		# endif
183		# endif
184		# endif
185
186		/*
187		* FIPS specification refers to right rotations, while our ROTATE macro
188		* is left one. This is why you might notice that rotation coefficients
189		* differ from those observed in FIPS document by 32-N...
190		*/
191		# ifndef Sigma0
192	21.7M	# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
193		# endif
194		# ifndef Sigma1
195	21.7M	# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
196		# endif
197		# ifndef sigma0
198	16.3M	# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
199		# endif
200		# ifndef sigma1
201	16.3M	# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
202		# endif
203		# ifndef Ch
204	21.7M	# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
205		# endif
206		# ifndef Maj
207	21.7M	# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
208		# endif
209
210		# ifdef OPENSSL_SMALL_FOOTPRINT
211
212		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
213		size_t num)
214		{
215		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
216		SHA_LONG X[16], l;
217		int i;
218		const unsigned char *data = in;
219
220		while (num--) {
221
222		a = ctx->h[0];
223		b = ctx->h[1];
224		c = ctx->h[2];
225		d = ctx->h[3];
226		e = ctx->h[4];
227		f = ctx->h[5];
228		g = ctx->h[6];
229		h = ctx->h[7];
230
231		for (i = 0; i < 16; i++) {
232		(void)HOST_c2l(data, l);
233		T1 = X[i] = l;
234		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
235		T2 = Sigma0(a) + Maj(a, b, c);
236		h = g;
237		g = f;
238		f = e;
239		e = d + T1;
240		d = c;
241		c = b;
242		b = a;
243		a = T1 + T2;
244		}
245
246		for (; i < 64; i++) {
247		s0 = X[(i + 1) & 0x0f];
248		s0 = sigma0(s0);
249		s1 = X[(i + 14) & 0x0f];
250		s1 = sigma1(s1);
251
252		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
253		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
254		T2 = Sigma0(a) + Maj(a, b, c);
255		h = g;
256		g = f;
257		f = e;
258		e = d + T1;
259		d = c;
260		c = b;
261		b = a;
262		a = T1 + T2;
263		}
264
265		ctx->h[0] += a;
266		ctx->h[1] += b;
267		ctx->h[2] += c;
268		ctx->h[3] += d;
269		ctx->h[4] += e;
270		ctx->h[5] += f;
271		ctx->h[6] += g;
272		ctx->h[7] += h;
273
274		}
275		}
276
277		# else
278
279	21.7M	# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
280	21.7M	T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
281	21.7M	h = Sigma0(a) + Maj(a,b,c); \
282	21.7M	d += T1; h += T1; } while (0)
283
284	16.3M	# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
285	16.3M	s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
286	16.3M	s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
287	16.3M	T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
288	16.3M	ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
289
290		#ifdef INCLUDE_C_SHA256
291		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num)
292		#else
293		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
294		size_t num)
295		#endif
296	15.0k	{
297	15.0k	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
298	15.0k	SHA_LONG X[16];
299	15.0k	int i;
300	15.0k	const unsigned char *data = in;
301	15.0k	DECLARE_IS_ENDIAN;
302
303	354k	while (num--) {
304
305	339k	a = ctx->h[0];
306	339k	b = ctx->h[1];
307	339k	c = ctx->h[2];
308	339k	d = ctx->h[3];
309	339k	e = ctx->h[4];
310	339k	f = ctx->h[5];
311	339k	g = ctx->h[6];
312	339k	h = ctx->h[7];
313
314	339k	if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
315	339k	&& ((size_t)in % 4) == 0) {
316	0	const SHA_LONG W = (const SHA_LONG )data;
317
318	0	T1 = X[0] = W[0];
319	0	ROUND_00_15(0, a, b, c, d, e, f, g, h);
320	0	T1 = X[1] = W[1];
321	0	ROUND_00_15(1, h, a, b, c, d, e, f, g);
322	0	T1 = X[2] = W[2];
323	0	ROUND_00_15(2, g, h, a, b, c, d, e, f);
324	0	T1 = X[3] = W[3];
325	0	ROUND_00_15(3, f, g, h, a, b, c, d, e);
326	0	T1 = X[4] = W[4];
327	0	ROUND_00_15(4, e, f, g, h, a, b, c, d);
328	0	T1 = X[5] = W[5];
329	0	ROUND_00_15(5, d, e, f, g, h, a, b, c);
330	0	T1 = X[6] = W[6];
331	0	ROUND_00_15(6, c, d, e, f, g, h, a, b);
332	0	T1 = X[7] = W[7];
333	0	ROUND_00_15(7, b, c, d, e, f, g, h, a);
334	0	T1 = X[8] = W[8];
335	0	ROUND_00_15(8, a, b, c, d, e, f, g, h);
336	0	T1 = X[9] = W[9];
337	0	ROUND_00_15(9, h, a, b, c, d, e, f, g);
338	0	T1 = X[10] = W[10];
339	0	ROUND_00_15(10, g, h, a, b, c, d, e, f);
340	0	T1 = X[11] = W[11];
341	0	ROUND_00_15(11, f, g, h, a, b, c, d, e);
342	0	T1 = X[12] = W[12];
343	0	ROUND_00_15(12, e, f, g, h, a, b, c, d);
344	0	T1 = X[13] = W[13];
345	0	ROUND_00_15(13, d, e, f, g, h, a, b, c);
346	0	T1 = X[14] = W[14];
347	0	ROUND_00_15(14, c, d, e, f, g, h, a, b);
348	0	T1 = X[15] = W[15];
349	0	ROUND_00_15(15, b, c, d, e, f, g, h, a);
350
351	0	data += SHA256_CBLOCK;
352	339k	} else {
353	339k	SHA_LONG l;
354
355	339k	(void)HOST_c2l(data, l);
356	339k	T1 = X[0] = l;
357	339k	ROUND_00_15(0, a, b, c, d, e, f, g, h);
358	339k	(void)HOST_c2l(data, l);
359	339k	T1 = X[1] = l;
360	339k	ROUND_00_15(1, h, a, b, c, d, e, f, g);
361	339k	(void)HOST_c2l(data, l);
362	339k	T1 = X[2] = l;
363	339k	ROUND_00_15(2, g, h, a, b, c, d, e, f);
364	339k	(void)HOST_c2l(data, l);
365	339k	T1 = X[3] = l;
366	339k	ROUND_00_15(3, f, g, h, a, b, c, d, e);
367	339k	(void)HOST_c2l(data, l);
368	339k	T1 = X[4] = l;
369	339k	ROUND_00_15(4, e, f, g, h, a, b, c, d);
370	339k	(void)HOST_c2l(data, l);
371	339k	T1 = X[5] = l;
372	339k	ROUND_00_15(5, d, e, f, g, h, a, b, c);
373	339k	(void)HOST_c2l(data, l);
374	339k	T1 = X[6] = l;
375	339k	ROUND_00_15(6, c, d, e, f, g, h, a, b);
376	339k	(void)HOST_c2l(data, l);
377	339k	T1 = X[7] = l;
378	339k	ROUND_00_15(7, b, c, d, e, f, g, h, a);
379	339k	(void)HOST_c2l(data, l);
380	339k	T1 = X[8] = l;
381	339k	ROUND_00_15(8, a, b, c, d, e, f, g, h);
382	339k	(void)HOST_c2l(data, l);
383	339k	T1 = X[9] = l;
384	339k	ROUND_00_15(9, h, a, b, c, d, e, f, g);
385	339k	(void)HOST_c2l(data, l);
386	339k	T1 = X[10] = l;
387	339k	ROUND_00_15(10, g, h, a, b, c, d, e, f);
388	339k	(void)HOST_c2l(data, l);
389	339k	T1 = X[11] = l;
390	339k	ROUND_00_15(11, f, g, h, a, b, c, d, e);
391	339k	(void)HOST_c2l(data, l);
392	339k	T1 = X[12] = l;
393	339k	ROUND_00_15(12, e, f, g, h, a, b, c, d);
394	339k	(void)HOST_c2l(data, l);
395	339k	T1 = X[13] = l;
396	339k	ROUND_00_15(13, d, e, f, g, h, a, b, c);
397	339k	(void)HOST_c2l(data, l);
398	339k	T1 = X[14] = l;
399	339k	ROUND_00_15(14, c, d, e, f, g, h, a, b);
400	339k	(void)HOST_c2l(data, l);
401	339k	T1 = X[15] = l;
402	339k	ROUND_00_15(15, b, c, d, e, f, g, h, a);
403	339k	}
404
405	2.37M	for (i = 16; i < 64; i += 8) {
406	2.03M	ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
407	2.03M	ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
408	2.03M	ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
409	2.03M	ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
410	2.03M	ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
411	2.03M	ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
412	2.03M	ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
413	2.03M	ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
414	2.03M	}
415
416	339k	ctx->h[0] += a;
417	339k	ctx->h[1] += b;
418	339k	ctx->h[2] += c;
419	339k	ctx->h[3] += d;
420	339k	ctx->h[4] += e;
421	339k	ctx->h[5] += f;
422	339k	ctx->h[6] += g;
423	339k	ctx->h[7] += h;
424
425	339k	}
426	15.0k	}
427
428		# endif
429		#endif /* SHA256_ASM */