/src/openssl/crypto/sha/sha256.c

Source
/*
 * Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG SHA_LONG
#define HASH_CTX SHA256_CTX
#define HASH_CBLOCK SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c, s)                                      \
    do {                                                            \
        unsigned long ll;                                           \
        unsigned int nn;                                            \
        switch ((c)->md_len) {                                      \
        case SHA256_192_DIGEST_LENGTH:                              \
            for (nn = 0; nn < SHA256_192_DIGEST_LENGTH / 4; nn++) { \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        case SHA224_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        case SHA256_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        default:                                                    \
            if ((c)->md_len > SHA256_DIGEST_LENGTH)                 \
                return 0;                                           \
            for (nn = 0; nn < (c)->md_len / 4; nn++) {              \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        }                                                           \
    } while (0)

#define HASH_UPDATE SHA256_Update
#define HASH_TRANSFORM SHA256_Transform
#define HASH_FINAL SHA256_Final
#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
#ifndef SHA256_ASM
static
#else
#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
#endif /* INCLUDE_C_SHA256 */
#endif /* SHA256_ASM */
    void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

#ifndef PEDANTIC
#if defined(__GNUC__) && __GNUC__ >= 2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#if defined(__riscv_zknh)
#define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#endif
#if defined(__riscv_zbt) || defined(__riscv_zpn)
#define Ch(x, y, z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret; })
#define Maj(x, y, z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret; })
#endif
#endif
#endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
#ifndef Sigma0
#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
#endif
#ifndef Sigma1
#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
#endif
#ifndef sigma0
#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
#endif
#ifndef sigma1
#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
#endif
#ifndef Ch
#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
#endif
#ifndef Maj
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#endif

#ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}

#else

#define ROUND_00_15(i, a, b, c, d, e, f, g, h)       \
    do {                                             \
        T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
        h = Sigma0(a) + Maj(a, b, c);                \
        d += T1;                                     \
        h += T1;                                     \
    } while (0)

#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X)          \
    do {                                                   \
        s0 = X[(i + 1) & 0x0f];                            \
        s0 = sigma0(s0);                                   \
        s1 = X[(i + 14) & 0x0f];                           \
        s1 = sigma1(s1);                                   \
        T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
        ROUND_00_15(i, a, b, c, d, e, f, g, h);            \
    } while (0)

#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
#else
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
    size_t num)
#endif
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}

#endif
#endif /* SHA256_ASM */

Coverage Report

Created: 2025-12-14 06:35

Line	Count	Source
1		/*
2		* Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	58	{
29	58	memset(c, 0, sizeof(*c));
30	58	c->h[0] = 0xc1059ed8UL;
31	58	c->h[1] = 0x367cd507UL;
32	58	c->h[2] = 0x3070dd17UL;
33	58	c->h[3] = 0xf70e5939UL;
34	58	c->h[4] = 0xffc00b31UL;
35	58	c->h[5] = 0x68581511UL;
36	58	c->h[6] = 0x64f98fa7UL;
37	58	c->h[7] = 0xbefa4fa4UL;
38	58	c->md_len = SHA224_DIGEST_LENGTH;
39	58	return 1;
40	58	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	10.1k	{
44	10.1k	memset(c, 0, sizeof(*c));
45	10.1k	c->h[0] = 0x6a09e667UL;
46	10.1k	c->h[1] = 0xbb67ae85UL;
47	10.1k	c->h[2] = 0x3c6ef372UL;
48	10.1k	c->h[3] = 0xa54ff53aUL;
49	10.1k	c->h[4] = 0x510e527fUL;
50	10.1k	c->h[5] = 0x9b05688cUL;
51	10.1k	c->h[6] = 0x1f83d9abUL;
52	10.1k	c->h[7] = 0x5be0cd19UL;
53	10.1k	c->md_len = SHA256_DIGEST_LENGTH;
54	10.1k	return 1;
55	10.1k	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	2	{
59	2	SHA256_Init(c);
60	2	c->md_len = SHA256_192_DIGEST_LENGTH;
61	2	return 1;
62	2	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	58	{
66	58	return SHA256_Update(c, data, len);
67	58	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	29	{
71	29	return SHA256_Final(md, c);
72	29	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	10.1k	#define HASH_LONG SHA_LONG
77		#define HASH_CTX SHA256_CTX
78	45.9k	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88		#define HASH_MAKE_STRING(c, s) \
89	5.10k	do { \
90	5.10k	unsigned long ll; \
91	5.10k	unsigned int nn; \
92	5.10k	switch ((c)->md_len) { \
93	1	case SHA256_192_DIGEST_LENGTH: \
94	7	for (nn = 0; nn < SHA256_192_DIGEST_LENGTH / 4; nn++) { \
95	6	ll = (c)->h[nn]; \
96	6	(void)HOST_l2c(ll, (s)); \
97	6	} \
98	1	break; \
99	29	case SHA224_DIGEST_LENGTH: \
100	232	for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
101	203	ll = (c)->h[nn]; \
102	203	(void)HOST_l2c(ll, (s)); \
103	203	} \
104	29	break; \
105	5.07k	case SHA256_DIGEST_LENGTH: \
106	45.6k	for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
107	40.5k	ll = (c)->h[nn]; \
108	40.5k	(void)HOST_l2c(ll, (s)); \
109	40.5k	} \
110	5.07k	break; \
111	0	default: \
112	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
113	0	return 0; \
114	0	for (nn = 0; nn < (c)->md_len / 4; nn++) { \
115	0	ll = (c)->h[nn]; \
116	0	(void)HOST_l2c(ll, (s)); \
117	0	} \
118	0	break; \
119	5.10k	} \
120	5.10k	} while (0)
121
122		#define HASH_UPDATE SHA256_Update
123		#define HASH_TRANSFORM SHA256_Transform
124		#define HASH_FINAL SHA256_Final
125	15.3k	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
126		#ifndef SHA256_ASM
127		static
128		#else
129		#ifdef INCLUDE_C_SHA256
130		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num);
131		#endif /* INCLUDE_C_SHA256 */
132		#endif /* SHA256_ASM */
133		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
134
135		#include "crypto/md32_common.h"
136
137		#if !defined(SHA256_ASM) \|\| defined(INCLUDE_C_SHA256)
138		static const SHA_LONG K256[64] = {
139		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
140		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
141		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
142		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
143		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
144		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
145		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
146		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
147		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
148		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
149		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
150		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
151		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
152		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
153		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
154		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
155		};
156
157		#ifndef PEDANTIC
158		#if defined(__GNUC__) && __GNUC__ >= 2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
159		#if defined(__riscv_zknh)
160		#define Sigma0(x) ({ MD32_REG_T ret; \
161		asm ("sha256sum0 %0, %1" \
162		: "=r"(ret) \
163		: "r"(x)); ret; })
164		#define Sigma1(x) ({ MD32_REG_T ret; \
165		asm ("sha256sum1 %0, %1" \
166		: "=r"(ret) \
167		: "r"(x)); ret; })
168		#define sigma0(x) ({ MD32_REG_T ret; \
169		asm ("sha256sig0 %0, %1" \
170		: "=r"(ret) \
171		: "r"(x)); ret; })
172		#define sigma1(x) ({ MD32_REG_T ret; \
173		asm ("sha256sig1 %0, %1" \
174		: "=r"(ret) \
175		: "r"(x)); ret; })
176		#endif
177		#if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
178		#define Ch(x, y, z) ({ MD32_REG_T ret; \
179		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
180		: "=r"(ret) \
181		: "r"(x), "r"(y), "r"(z)); ret; })
182		#define Maj(x, y, z) ({ MD32_REG_T ret; \
183		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
184		: "=r"(ret) \
185		: "r"(x^z), "r"(y), "r"(x)); ret; })
186		#endif
187		#endif
188		#endif
189
190		/*
191		* FIPS specification refers to right rotations, while our ROTATE macro
192		* is left one. This is why you might notice that rotation coefficients
193		* differ from those observed in FIPS document by 32-N...
194		*/
195		#ifndef Sigma0
196	442M	#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
197		#endif
198		#ifndef Sigma1
199	442M	#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
200		#endif
201		#ifndef sigma0
202	331M	#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
203		#endif
204		#ifndef sigma1
205	331M	#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
206		#endif
207		#ifndef Ch
208	442M	#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
209		#endif
210		#ifndef Maj
211	442M	#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
212		#endif
213
214		#ifdef OPENSSL_SMALL_FOOTPRINT
215
216		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
217		size_t num)
218		{
219		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
220		SHA_LONG X[16], l;
221		int i;
222		const unsigned char *data = in;
223
224		while (num--) {
225
226		a = ctx->h[0];
227		b = ctx->h[1];
228		c = ctx->h[2];
229		d = ctx->h[3];
230		e = ctx->h[4];
231		f = ctx->h[5];
232		g = ctx->h[6];
233		h = ctx->h[7];
234
235		for (i = 0; i < 16; i++) {
236		(void)HOST_c2l(data, l);
237		T1 = X[i] = l;
238		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
239		T2 = Sigma0(a) + Maj(a, b, c);
240		h = g;
241		g = f;
242		f = e;
243		e = d + T1;
244		d = c;
245		c = b;
246		b = a;
247		a = T1 + T2;
248		}
249
250		for (; i < 64; i++) {
251		s0 = X[(i + 1) & 0x0f];
252		s0 = sigma0(s0);
253		s1 = X[(i + 14) & 0x0f];
254		s1 = sigma1(s1);
255
256		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
257		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
258		T2 = Sigma0(a) + Maj(a, b, c);
259		h = g;
260		g = f;
261		f = e;
262		e = d + T1;
263		d = c;
264		c = b;
265		b = a;
266		a = T1 + T2;
267		}
268
269		ctx->h[0] += a;
270		ctx->h[1] += b;
271		ctx->h[2] += c;
272		ctx->h[3] += d;
273		ctx->h[4] += e;
274		ctx->h[5] += f;
275		ctx->h[6] += g;
276		ctx->h[7] += h;
277		}
278		}
279
280		#else
281
282		#define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
283	442M	do { \
284	442M	T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
285	442M	h = Sigma0(a) + Maj(a, b, c); \
286	442M	d += T1; \
287	442M	h += T1; \
288	442M	} while (0)
289
290		#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \
291	331M	do { \
292	331M	s0 = X[(i + 1) & 0x0f]; \
293	331M	s0 = sigma0(s0); \
294	331M	s1 = X[(i + 14) & 0x0f]; \
295	331M	s1 = sigma1(s1); \
296	331M	T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
297	331M	ROUND_00_15(i, a, b, c, d, e, f, g, h); \
298	331M	} while (0)
299
300		#ifdef INCLUDE_C_SHA256
301		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num)
302		#else
303		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
304		size_t num)
305		#endif
306	15.3k	{
307	15.3k	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
308	15.3k	SHA_LONG X[16];
309	15.3k	int i;
310	15.3k	const unsigned char *data = in;
311	15.3k	DECLARE_IS_ENDIAN;
312
313	6.93M	while (num--) {
314
315	6.91M	a = ctx->h[0];
316	6.91M	b = ctx->h[1];
317	6.91M	c = ctx->h[2];
318	6.91M	d = ctx->h[3];
319	6.91M	e = ctx->h[4];
320	6.91M	f = ctx->h[5];
321	6.91M	g = ctx->h[6];
322	6.91M	h = ctx->h[7];
323
324	6.91M	if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
325	0	&& ((size_t)in % 4) == 0) {
326	0	const SHA_LONG W = (const SHA_LONG )data;
327
328	0	T1 = X[0] = W[0];
329	0	ROUND_00_15(0, a, b, c, d, e, f, g, h);
330	0	T1 = X[1] = W[1];
331	0	ROUND_00_15(1, h, a, b, c, d, e, f, g);
332	0	T1 = X[2] = W[2];
333	0	ROUND_00_15(2, g, h, a, b, c, d, e, f);
334	0	T1 = X[3] = W[3];
335	0	ROUND_00_15(3, f, g, h, a, b, c, d, e);
336	0	T1 = X[4] = W[4];
337	0	ROUND_00_15(4, e, f, g, h, a, b, c, d);
338	0	T1 = X[5] = W[5];
339	0	ROUND_00_15(5, d, e, f, g, h, a, b, c);
340	0	T1 = X[6] = W[6];
341	0	ROUND_00_15(6, c, d, e, f, g, h, a, b);
342	0	T1 = X[7] = W[7];
343	0	ROUND_00_15(7, b, c, d, e, f, g, h, a);
344	0	T1 = X[8] = W[8];
345	0	ROUND_00_15(8, a, b, c, d, e, f, g, h);
346	0	T1 = X[9] = W[9];
347	0	ROUND_00_15(9, h, a, b, c, d, e, f, g);
348	0	T1 = X[10] = W[10];
349	0	ROUND_00_15(10, g, h, a, b, c, d, e, f);
350	0	T1 = X[11] = W[11];
351	0	ROUND_00_15(11, f, g, h, a, b, c, d, e);
352	0	T1 = X[12] = W[12];
353	0	ROUND_00_15(12, e, f, g, h, a, b, c, d);
354	0	T1 = X[13] = W[13];
355	0	ROUND_00_15(13, d, e, f, g, h, a, b, c);
356	0	T1 = X[14] = W[14];
357	0	ROUND_00_15(14, c, d, e, f, g, h, a, b);
358	0	T1 = X[15] = W[15];
359	0	ROUND_00_15(15, b, c, d, e, f, g, h, a);
360
361	0	data += SHA256_CBLOCK;
362	6.91M	} else {
363	6.91M	SHA_LONG l;
364
365	6.91M	(void)HOST_c2l(data, l);
366	6.91M	T1 = X[0] = l;
367	6.91M	ROUND_00_15(0, a, b, c, d, e, f, g, h);
368	6.91M	(void)HOST_c2l(data, l);
369	6.91M	T1 = X[1] = l;
370	6.91M	ROUND_00_15(1, h, a, b, c, d, e, f, g);
371	6.91M	(void)HOST_c2l(data, l);
372	6.91M	T1 = X[2] = l;
373	6.91M	ROUND_00_15(2, g, h, a, b, c, d, e, f);
374	6.91M	(void)HOST_c2l(data, l);
375	6.91M	T1 = X[3] = l;
376	6.91M	ROUND_00_15(3, f, g, h, a, b, c, d, e);
377	6.91M	(void)HOST_c2l(data, l);
378	6.91M	T1 = X[4] = l;
379	6.91M	ROUND_00_15(4, e, f, g, h, a, b, c, d);
380	6.91M	(void)HOST_c2l(data, l);
381	6.91M	T1 = X[5] = l;
382	6.91M	ROUND_00_15(5, d, e, f, g, h, a, b, c);
383	6.91M	(void)HOST_c2l(data, l);
384	6.91M	T1 = X[6] = l;
385	6.91M	ROUND_00_15(6, c, d, e, f, g, h, a, b);
386	6.91M	(void)HOST_c2l(data, l);
387	6.91M	T1 = X[7] = l;
388	6.91M	ROUND_00_15(7, b, c, d, e, f, g, h, a);
389	6.91M	(void)HOST_c2l(data, l);
390	6.91M	T1 = X[8] = l;
391	6.91M	ROUND_00_15(8, a, b, c, d, e, f, g, h);
392	6.91M	(void)HOST_c2l(data, l);
393	6.91M	T1 = X[9] = l;
394	6.91M	ROUND_00_15(9, h, a, b, c, d, e, f, g);
395	6.91M	(void)HOST_c2l(data, l);
396	6.91M	T1 = X[10] = l;
397	6.91M	ROUND_00_15(10, g, h, a, b, c, d, e, f);
398	6.91M	(void)HOST_c2l(data, l);
399	6.91M	T1 = X[11] = l;
400	6.91M	ROUND_00_15(11, f, g, h, a, b, c, d, e);
401	6.91M	(void)HOST_c2l(data, l);
402	6.91M	T1 = X[12] = l;
403	6.91M	ROUND_00_15(12, e, f, g, h, a, b, c, d);
404	6.91M	(void)HOST_c2l(data, l);
405	6.91M	T1 = X[13] = l;
406	6.91M	ROUND_00_15(13, d, e, f, g, h, a, b, c);
407	6.91M	(void)HOST_c2l(data, l);
408	6.91M	T1 = X[14] = l;
409	6.91M	ROUND_00_15(14, c, d, e, f, g, h, a, b);
410	6.91M	(void)HOST_c2l(data, l);
411	6.91M	T1 = X[15] = l;
412	6.91M	ROUND_00_15(15, b, c, d, e, f, g, h, a);
413	6.91M	}
414
415	48.4M	for (i = 16; i < 64; i += 8) {
416	41.4M	ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
417	41.4M	ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
418	41.4M	ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
419	41.4M	ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
420	41.4M	ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
421	41.4M	ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
422	41.4M	ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
423	41.4M	ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
424	41.4M	}
425
426	6.91M	ctx->h[0] += a;
427	6.91M	ctx->h[1] += b;
428	6.91M	ctx->h[2] += c;
429	6.91M	ctx->h[3] += d;
430	6.91M	ctx->h[4] += e;
431	6.91M	ctx->h[5] += f;
432	6.91M	ctx->h[6] += g;
433	6.91M	ctx->h[7] += h;
434	6.91M	}
435	15.3k	}
436
437		#endif
438		#endif /* SHA256_ASM */