/src/openssl/crypto/sha/sha256.c

Source
/*
 * Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG SHA_LONG
#define HASH_CTX SHA256_CTX
#define HASH_CBLOCK SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c, s)                                      \
    do {                                                            \
        unsigned long ll;                                           \
        unsigned int nn;                                            \
        switch ((c)->md_len) {                                      \
        case SHA256_192_DIGEST_LENGTH:                              \
            for (nn = 0; nn < SHA256_192_DIGEST_LENGTH / 4; nn++) { \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        case SHA224_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        case SHA256_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        default:                                                    \
            if ((c)->md_len > SHA256_DIGEST_LENGTH)                 \
                return 0;                                           \
            for (nn = 0; nn < (c)->md_len / 4; nn++) {              \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        }                                                           \
    } while (0)

#define HASH_UPDATE_THUNK
#define HASH_UPDATE SHA256_Update_thunk
#define HASH_TRANSFORM SHA256_Transform
#define HASH_FINAL SHA256_Final
#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
#ifndef SHA256_ASM
static
#else
#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
#endif /* INCLUDE_C_SHA256 */
#endif /* SHA256_ASM */
    void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"
#undef HASH_UPDATE_THUNK

int SHA256_Update(SHA256_CTX *ctx, const void *data, size_t sz)
{
    return SHA256_Update_thunk((void *)ctx, (const unsigned char *)data, sz);
}

#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

#ifndef PEDANTIC
#if defined(__GNUC__) && __GNUC__ >= 2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#if defined(__riscv_zknh)
#define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#endif
#if defined(__riscv_zbt) || defined(__riscv_zpn)
#define Ch(x, y, z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret; })
#define Maj(x, y, z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret; })
#endif
#endif
#endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
#ifndef Sigma0
#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
#endif
#ifndef Sigma1
#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
#endif
#ifndef sigma0
#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
#endif
#ifndef sigma1
#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
#endif
#ifndef Ch
#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
#endif
#ifndef Maj
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#endif

#ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}

#else

#define ROUND_00_15(i, a, b, c, d, e, f, g, h)       \
    do {                                             \
        T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
        h = Sigma0(a) + Maj(a, b, c);                \
        d += T1;                                     \
        h += T1;                                     \
    } while (0)

#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X)          \
    do {                                                   \
        s0 = X[(i + 1) & 0x0f];                            \
        s0 = sigma0(s0);                                   \
        s1 = X[(i + 14) & 0x0f];                           \
        s1 = sigma1(s1);                                   \
        T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
        ROUND_00_15(i, a, b, c, d, e, f, g, h);            \
    } while (0)

#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
#else
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
    size_t num)
#endif
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}

#endif
#endif /* SHA256_ASM */

Coverage Report

Created: 2026-02-22 06:11

Line	Count	Source
1		/*
2		* Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	68	{
29	68	memset(c, 0, sizeof(*c));
30	68	c->h[0] = 0xc1059ed8UL;
31	68	c->h[1] = 0x367cd507UL;
32	68	c->h[2] = 0x3070dd17UL;
33	68	c->h[3] = 0xf70e5939UL;
34	68	c->h[4] = 0xffc00b31UL;
35	68	c->h[5] = 0x68581511UL;
36	68	c->h[6] = 0x64f98fa7UL;
37	68	c->h[7] = 0xbefa4fa4UL;
38	68	c->md_len = SHA224_DIGEST_LENGTH;
39	68	return 1;
40	68	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	8.03k	{
44	8.03k	memset(c, 0, sizeof(*c));
45	8.03k	c->h[0] = 0x6a09e667UL;
46	8.03k	c->h[1] = 0xbb67ae85UL;
47	8.03k	c->h[2] = 0x3c6ef372UL;
48	8.03k	c->h[3] = 0xa54ff53aUL;
49	8.03k	c->h[4] = 0x510e527fUL;
50	8.03k	c->h[5] = 0x9b05688cUL;
51	8.03k	c->h[6] = 0x1f83d9abUL;
52	8.03k	c->h[7] = 0x5be0cd19UL;
53	8.03k	c->md_len = SHA256_DIGEST_LENGTH;
54	8.03k	return 1;
55	8.03k	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	2	{
59	2	SHA256_Init(c);
60	2	c->md_len = SHA256_192_DIGEST_LENGTH;
61	2	return 1;
62	2	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	0	{
66	0	return SHA256_Update(c, data, len);
67	0	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	34	{
71	34	return SHA256_Final(md, c);
72	34	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	8.09k	#define HASH_LONG SHA_LONG
77	8.09k	#define HASH_CTX SHA256_CTX
78	36.4k	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88		#define HASH_MAKE_STRING(c, s) \
89	4.05k	do { \
90	4.05k	unsigned long ll; \
91	4.05k	unsigned int nn; \
92	4.05k	switch ((c)->md_len) { \
93	1	case SHA256_192_DIGEST_LENGTH: \
94	7	for (nn = 0; nn < SHA256_192_DIGEST_LENGTH / 4; nn++) { \
95	6	ll = (c)->h[nn]; \
96	6	(void)HOST_l2c(ll, (s)); \
97	6	} \
98	1	break; \
99	34	case SHA224_DIGEST_LENGTH: \
100	272	for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
101	238	ll = (c)->h[nn]; \
102	238	(void)HOST_l2c(ll, (s)); \
103	238	} \
104	34	break; \
105	4.01k	case SHA256_DIGEST_LENGTH: \
106	36.1k	for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
107	32.1k	ll = (c)->h[nn]; \
108	32.1k	(void)HOST_l2c(ll, (s)); \
109	32.1k	} \
110	4.01k	break; \
111	0	default: \
112	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
113	0	return 0; \
114	0	for (nn = 0; nn < (c)->md_len / 4; nn++) { \
115	0	ll = (c)->h[nn]; \
116	0	(void)HOST_l2c(ll, (s)); \
117	0	} \
118	0	break; \
119	4.05k	} \
120	4.05k	} while (0)
121
122		#define HASH_UPDATE_THUNK
123		#define HASH_UPDATE SHA256_Update_thunk
124		#define HASH_TRANSFORM SHA256_Transform
125		#define HASH_FINAL SHA256_Final
126	12.1k	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
127		#ifndef SHA256_ASM
128		static
129		#else
130		#ifdef INCLUDE_C_SHA256
131		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num);
132		#endif /* INCLUDE_C_SHA256 */
133		#endif /* SHA256_ASM */
134		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
135
136		#include "crypto/md32_common.h"
137		#undef HASH_UPDATE_THUNK
138
139		int SHA256_Update(SHA256_CTX ctx, const void data, size_t sz)
140	0	{
141	0	return SHA256_Update_thunk((void )ctx, (const unsigned char )data, sz);
142	0	}
143
144		#if !defined(SHA256_ASM) \|\| defined(INCLUDE_C_SHA256)
145		static const SHA_LONG K256[64] = {
146		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
147		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
148		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
149		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
150		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
151		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
152		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
153		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
154		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
155		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
156		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
157		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
158		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
159		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
160		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
161		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
162		};
163
164		#ifndef PEDANTIC
165		#if defined(__GNUC__) && __GNUC__ >= 2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
166		#if defined(__riscv_zknh)
167		#define Sigma0(x) ({ MD32_REG_T ret; \
168		asm ("sha256sum0 %0, %1" \
169		: "=r"(ret) \
170		: "r"(x)); ret; })
171		#define Sigma1(x) ({ MD32_REG_T ret; \
172		asm ("sha256sum1 %0, %1" \
173		: "=r"(ret) \
174		: "r"(x)); ret; })
175		#define sigma0(x) ({ MD32_REG_T ret; \
176		asm ("sha256sig0 %0, %1" \
177		: "=r"(ret) \
178		: "r"(x)); ret; })
179		#define sigma1(x) ({ MD32_REG_T ret; \
180		asm ("sha256sig1 %0, %1" \
181		: "=r"(ret) \
182		: "r"(x)); ret; })
183		#endif
184		#if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
185		#define Ch(x, y, z) ({ MD32_REG_T ret; \
186		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
187		: "=r"(ret) \
188		: "r"(x), "r"(y), "r"(z)); ret; })
189		#define Maj(x, y, z) ({ MD32_REG_T ret; \
190		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
191		: "=r"(ret) \
192		: "r"(x^z), "r"(y), "r"(x)); ret; })
193		#endif
194		#endif
195		#endif
196
197		/*
198		* FIPS specification refers to right rotations, while our ROTATE macro
199		* is left one. This is why you might notice that rotation coefficients
200		* differ from those observed in FIPS document by 32-N...
201		*/
202		#ifndef Sigma0
203	362M	#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
204		#endif
205		#ifndef Sigma1
206	362M	#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
207		#endif
208		#ifndef sigma0
209	272M	#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
210		#endif
211		#ifndef sigma1
212	272M	#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
213		#endif
214		#ifndef Ch
215	362M	#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
216		#endif
217		#ifndef Maj
218	362M	#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
219		#endif
220
221		#ifdef OPENSSL_SMALL_FOOTPRINT
222
223		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
224		size_t num)
225		{
226		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
227		SHA_LONG X[16], l;
228		int i;
229		const unsigned char *data = in;
230
231		while (num--) {
232
233		a = ctx->h[0];
234		b = ctx->h[1];
235		c = ctx->h[2];
236		d = ctx->h[3];
237		e = ctx->h[4];
238		f = ctx->h[5];
239		g = ctx->h[6];
240		h = ctx->h[7];
241
242		for (i = 0; i < 16; i++) {
243		(void)HOST_c2l(data, l);
244		T1 = X[i] = l;
245		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
246		T2 = Sigma0(a) + Maj(a, b, c);
247		h = g;
248		g = f;
249		f = e;
250		e = d + T1;
251		d = c;
252		c = b;
253		b = a;
254		a = T1 + T2;
255		}
256
257		for (; i < 64; i++) {
258		s0 = X[(i + 1) & 0x0f];
259		s0 = sigma0(s0);
260		s1 = X[(i + 14) & 0x0f];
261		s1 = sigma1(s1);
262
263		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
264		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
265		T2 = Sigma0(a) + Maj(a, b, c);
266		h = g;
267		g = f;
268		f = e;
269		e = d + T1;
270		d = c;
271		c = b;
272		b = a;
273		a = T1 + T2;
274		}
275
276		ctx->h[0] += a;
277		ctx->h[1] += b;
278		ctx->h[2] += c;
279		ctx->h[3] += d;
280		ctx->h[4] += e;
281		ctx->h[5] += f;
282		ctx->h[6] += g;
283		ctx->h[7] += h;
284		}
285		}
286
287		#else
288
289		#define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
290	362M	do { \
291	362M	T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
292	362M	h = Sigma0(a) + Maj(a, b, c); \
293	362M	d += T1; \
294	362M	h += T1; \
295	362M	} while (0)
296
297		#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \
298	272M	do { \
299	272M	s0 = X[(i + 1) & 0x0f]; \
300	272M	s0 = sigma0(s0); \
301	272M	s1 = X[(i + 14) & 0x0f]; \
302	272M	s1 = sigma1(s1); \
303	272M	T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
304	272M	ROUND_00_15(i, a, b, c, d, e, f, g, h); \
305	272M	} while (0)
306
307		#ifdef INCLUDE_C_SHA256
308		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num)
309		#else
310		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
311		size_t num)
312		#endif
313	12.1k	{
314	12.1k	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
315	12.1k	SHA_LONG X[16];
316	12.1k	int i;
317	12.1k	const unsigned char *data = in;
318	12.1k	DECLARE_IS_ENDIAN;
319
320	5.68M	while (num--) {
321
322	5.66M	a = ctx->h[0];
323	5.66M	b = ctx->h[1];
324	5.66M	c = ctx->h[2];
325	5.66M	d = ctx->h[3];
326	5.66M	e = ctx->h[4];
327	5.66M	f = ctx->h[5];
328	5.66M	g = ctx->h[6];
329	5.66M	h = ctx->h[7];
330
331	5.66M	if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
332	0	&& ((size_t)in % 4) == 0) {
333	0	const SHA_LONG W = (const SHA_LONG )data;
334
335	0	T1 = X[0] = W[0];
336	0	ROUND_00_15(0, a, b, c, d, e, f, g, h);
337	0	T1 = X[1] = W[1];
338	0	ROUND_00_15(1, h, a, b, c, d, e, f, g);
339	0	T1 = X[2] = W[2];
340	0	ROUND_00_15(2, g, h, a, b, c, d, e, f);
341	0	T1 = X[3] = W[3];
342	0	ROUND_00_15(3, f, g, h, a, b, c, d, e);
343	0	T1 = X[4] = W[4];
344	0	ROUND_00_15(4, e, f, g, h, a, b, c, d);
345	0	T1 = X[5] = W[5];
346	0	ROUND_00_15(5, d, e, f, g, h, a, b, c);
347	0	T1 = X[6] = W[6];
348	0	ROUND_00_15(6, c, d, e, f, g, h, a, b);
349	0	T1 = X[7] = W[7];
350	0	ROUND_00_15(7, b, c, d, e, f, g, h, a);
351	0	T1 = X[8] = W[8];
352	0	ROUND_00_15(8, a, b, c, d, e, f, g, h);
353	0	T1 = X[9] = W[9];
354	0	ROUND_00_15(9, h, a, b, c, d, e, f, g);
355	0	T1 = X[10] = W[10];
356	0	ROUND_00_15(10, g, h, a, b, c, d, e, f);
357	0	T1 = X[11] = W[11];
358	0	ROUND_00_15(11, f, g, h, a, b, c, d, e);
359	0	T1 = X[12] = W[12];
360	0	ROUND_00_15(12, e, f, g, h, a, b, c, d);
361	0	T1 = X[13] = W[13];
362	0	ROUND_00_15(13, d, e, f, g, h, a, b, c);
363	0	T1 = X[14] = W[14];
364	0	ROUND_00_15(14, c, d, e, f, g, h, a, b);
365	0	T1 = X[15] = W[15];
366	0	ROUND_00_15(15, b, c, d, e, f, g, h, a);
367
368	0	data += SHA256_CBLOCK;
369	5.66M	} else {
370	5.66M	SHA_LONG l;
371
372	5.66M	(void)HOST_c2l(data, l);
373	5.66M	T1 = X[0] = l;
374	5.66M	ROUND_00_15(0, a, b, c, d, e, f, g, h);
375	5.66M	(void)HOST_c2l(data, l);
376	5.66M	T1 = X[1] = l;
377	5.66M	ROUND_00_15(1, h, a, b, c, d, e, f, g);
378	5.66M	(void)HOST_c2l(data, l);
379	5.66M	T1 = X[2] = l;
380	5.66M	ROUND_00_15(2, g, h, a, b, c, d, e, f);
381	5.66M	(void)HOST_c2l(data, l);
382	5.66M	T1 = X[3] = l;
383	5.66M	ROUND_00_15(3, f, g, h, a, b, c, d, e);
384	5.66M	(void)HOST_c2l(data, l);
385	5.66M	T1 = X[4] = l;
386	5.66M	ROUND_00_15(4, e, f, g, h, a, b, c, d);
387	5.66M	(void)HOST_c2l(data, l);
388	5.66M	T1 = X[5] = l;
389	5.66M	ROUND_00_15(5, d, e, f, g, h, a, b, c);
390	5.66M	(void)HOST_c2l(data, l);
391	5.66M	T1 = X[6] = l;
392	5.66M	ROUND_00_15(6, c, d, e, f, g, h, a, b);
393	5.66M	(void)HOST_c2l(data, l);
394	5.66M	T1 = X[7] = l;
395	5.66M	ROUND_00_15(7, b, c, d, e, f, g, h, a);
396	5.66M	(void)HOST_c2l(data, l);
397	5.66M	T1 = X[8] = l;
398	5.66M	ROUND_00_15(8, a, b, c, d, e, f, g, h);
399	5.66M	(void)HOST_c2l(data, l);
400	5.66M	T1 = X[9] = l;
401	5.66M	ROUND_00_15(9, h, a, b, c, d, e, f, g);
402	5.66M	(void)HOST_c2l(data, l);
403	5.66M	T1 = X[10] = l;
404	5.66M	ROUND_00_15(10, g, h, a, b, c, d, e, f);
405	5.66M	(void)HOST_c2l(data, l);
406	5.66M	T1 = X[11] = l;
407	5.66M	ROUND_00_15(11, f, g, h, a, b, c, d, e);
408	5.66M	(void)HOST_c2l(data, l);
409	5.66M	T1 = X[12] = l;
410	5.66M	ROUND_00_15(12, e, f, g, h, a, b, c, d);
411	5.66M	(void)HOST_c2l(data, l);
412	5.66M	T1 = X[13] = l;
413	5.66M	ROUND_00_15(13, d, e, f, g, h, a, b, c);
414	5.66M	(void)HOST_c2l(data, l);
415	5.66M	T1 = X[14] = l;
416	5.66M	ROUND_00_15(14, c, d, e, f, g, h, a, b);
417	5.66M	(void)HOST_c2l(data, l);
418	5.66M	T1 = X[15] = l;
419	5.66M	ROUND_00_15(15, b, c, d, e, f, g, h, a);
420	5.66M	}
421
422	39.6M	for (i = 16; i < 64; i += 8) {
423	34.0M	ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
424	34.0M	ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
425	34.0M	ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
426	34.0M	ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
427	34.0M	ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
428	34.0M	ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
429	34.0M	ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
430	34.0M	ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
431	34.0M	}
432
433	5.66M	ctx->h[0] += a;
434	5.66M	ctx->h[1] += b;
435	5.66M	ctx->h[2] += c;
436	5.66M	ctx->h[3] += d;
437	5.66M	ctx->h[4] += e;
438	5.66M	ctx->h[5] += f;
439	5.66M	ctx->h[6] += g;
440	5.66M	ctx->h[7] += h;
441	5.66M	}
442	12.1k	}
443
444		#endif
445		#endif /* SHA256_ASM */