/src/openssl/crypto/sha/sha256.c

Source
/*
 * Copyright 2004-2026 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG SHA_LONG
#define HASH_CTX SHA256_CTX
#define HASH_CBLOCK SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c, s)                                      \
    do {                                                            \
        unsigned long ll;                                           \
        unsigned int nn;                                            \
        switch ((c)->md_len) {                                      \
        case SHA256_192_DIGEST_LENGTH:                              \
            for (nn = 0; nn < SHA256_192_DIGEST_LENGTH / 4; nn++) { \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        case SHA224_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        case SHA256_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        default:                                                    \
            if ((c)->md_len > SHA256_DIGEST_LENGTH)                 \
                return 0;                                           \
            for (nn = 0; nn < (c)->md_len / 4; nn++) {              \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        }                                                           \
    } while (0)

#define HASH_UPDATE_THUNK
#define HASH_UPDATE SHA256_Update_thunk
#define HASH_TRANSFORM SHA256_Transform
#define HASH_FINAL SHA256_Final
#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
#ifndef SHA256_ASM
static
#else
#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
#endif /* INCLUDE_C_SHA256 */
#endif /* SHA256_ASM */
    void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

/* clang-format off */
#include "crypto/md32_common.inc"
/* clang-format on */
#undef HASH_UPDATE_THUNK

int SHA256_Update(SHA256_CTX *ctx, const void *data, size_t sz)
{
    return SHA256_Update_thunk((void *)ctx, (const unsigned char *)data, sz);
}

#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

#ifndef PEDANTIC
#if defined(__GNUC__) && __GNUC__ >= 2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#if defined(__riscv_zknh)
#define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret; })
#endif
#if defined(__riscv_zbt) || defined(__riscv_zpn)
#define Ch(x, y, z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret; })
#define Maj(x, y, z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret; })
#endif
#endif
#endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
#ifndef Sigma0
#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
#endif
#ifndef Sigma1
#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
#endif
#ifndef sigma0
#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
#endif
#ifndef sigma1
#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
#endif
#ifndef Ch
#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
#endif
#ifndef Maj
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#endif

#ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}

#else

#define ROUND_00_15(i, a, b, c, d, e, f, g, h)       \
    do {                                             \
        T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
        h = Sigma0(a) + Maj(a, b, c);                \
        d += T1;                                     \
        h += T1;                                     \
    } while (0)

#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X)          \
    do {                                                   \
        s0 = X[(i + 1) & 0x0f];                            \
        s0 = sigma0(s0);                                   \
        s1 = X[(i + 14) & 0x0f];                           \
        s1 = sigma1(s1);                                   \
        T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
        ROUND_00_15(i, a, b, c, d, e, f, g, h);            \
    } while (0)

#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
#else
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
    size_t num)
#endif
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}

#endif
#endif /* SHA256_ASM */

Coverage Report

Created: 2026-06-08 06:07

Line	Count	Source
1		/*
2		* Copyright 2004-2026 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	56	{
29	56	memset(c, 0, sizeof(*c));
30	56	c->h[0] = 0xc1059ed8UL;
31	56	c->h[1] = 0x367cd507UL;
32	56	c->h[2] = 0x3070dd17UL;
33	56	c->h[3] = 0xf70e5939UL;
34	56	c->h[4] = 0xffc00b31UL;
35	56	c->h[5] = 0x68581511UL;
36	56	c->h[6] = 0x64f98fa7UL;
37	56	c->h[7] = 0xbefa4fa4UL;
38	56	c->md_len = SHA224_DIGEST_LENGTH;
39	56	return 1;
40	56	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	8.39k	{
44	8.39k	memset(c, 0, sizeof(*c));
45	8.39k	c->h[0] = 0x6a09e667UL;
46	8.39k	c->h[1] = 0xbb67ae85UL;
47	8.39k	c->h[2] = 0x3c6ef372UL;
48	8.39k	c->h[3] = 0xa54ff53aUL;
49	8.39k	c->h[4] = 0x510e527fUL;
50	8.39k	c->h[5] = 0x9b05688cUL;
51	8.39k	c->h[6] = 0x1f83d9abUL;
52	8.39k	c->h[7] = 0x5be0cd19UL;
53	8.39k	c->md_len = SHA256_DIGEST_LENGTH;
54	8.39k	return 1;
55	8.39k	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	2	{
59	2	SHA256_Init(c);
60	2	c->md_len = SHA256_192_DIGEST_LENGTH;
61	2	return 1;
62	2	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	0	{
66	0	return SHA256_Update(c, data, len);
67	0	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	28	{
71	28	return SHA256_Final(md, c);
72	28	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	8.42k	#define HASH_LONG SHA_LONG
77	8.42k	#define HASH_CTX SHA256_CTX
78	38.0k	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88		#define HASH_MAKE_STRING(c, s) \
89	4.22k	do { \
90	4.22k	unsigned long ll; \
91	4.22k	unsigned int nn; \
92	4.22k	switch ((c)->md_len) { \
93	1	case SHA256_192_DIGEST_LENGTH: \
94	7	for (nn = 0; nn < SHA256_192_DIGEST_LENGTH / 4; nn++) { \
95	6	ll = (c)->h[nn]; \
96	6	(void)HOST_l2c(ll, (s)); \
97	6	} \
98	1	break; \
99	28	case SHA224_DIGEST_LENGTH: \
100	224	for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
101	196	ll = (c)->h[nn]; \
102	196	(void)HOST_l2c(ll, (s)); \
103	196	} \
104	28	break; \
105	4.19k	case SHA256_DIGEST_LENGTH: \
106	37.7k	for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
107	33.5k	ll = (c)->h[nn]; \
108	33.5k	(void)HOST_l2c(ll, (s)); \
109	33.5k	} \
110	4.19k	break; \
111	0	default: \
112	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
113	0	return 0; \
114	0	for (nn = 0; nn < (c)->md_len / 4; nn++) { \
115	0	ll = (c)->h[nn]; \
116	0	(void)HOST_l2c(ll, (s)); \
117	0	} \
118	0	break; \
119	4.22k	} \
120	4.22k	} while (0)
121
122		#define HASH_UPDATE_THUNK
123		#define HASH_UPDATE SHA256_Update_thunk
124		#define HASH_TRANSFORM SHA256_Transform
125		#define HASH_FINAL SHA256_Final
126	12.6k	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
127		#ifndef SHA256_ASM
128		static
129		#else
130		#ifdef INCLUDE_C_SHA256
131		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num);
132		#endif /* INCLUDE_C_SHA256 */
133		#endif /* SHA256_ASM */
134		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
135
136		/* clang-format off */
137		#include "crypto/md32_common.inc"
138		/* clang-format on */
139		#undef HASH_UPDATE_THUNK
140
141		int SHA256_Update(SHA256_CTX ctx, const void data, size_t sz)
142	0	{
143	0	return SHA256_Update_thunk((void )ctx, (const unsigned char )data, sz);
144	0	}
145
146		#if !defined(SHA256_ASM) \|\| defined(INCLUDE_C_SHA256)
147		static const SHA_LONG K256[64] = {
148		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
149		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
150		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
151		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
152		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
153		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
154		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
155		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
156		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
157		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
158		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
159		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
160		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
161		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
162		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
163		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
164		};
165
166		#ifndef PEDANTIC
167		#if defined(__GNUC__) && __GNUC__ >= 2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
168		#if defined(__riscv_zknh)
169		#define Sigma0(x) ({ MD32_REG_T ret; \
170		asm ("sha256sum0 %0, %1" \
171		: "=r"(ret) \
172		: "r"(x)); ret; })
173		#define Sigma1(x) ({ MD32_REG_T ret; \
174		asm ("sha256sum1 %0, %1" \
175		: "=r"(ret) \
176		: "r"(x)); ret; })
177		#define sigma0(x) ({ MD32_REG_T ret; \
178		asm ("sha256sig0 %0, %1" \
179		: "=r"(ret) \
180		: "r"(x)); ret; })
181		#define sigma1(x) ({ MD32_REG_T ret; \
182		asm ("sha256sig1 %0, %1" \
183		: "=r"(ret) \
184		: "r"(x)); ret; })
185		#endif
186		#if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
187		#define Ch(x, y, z) ({ MD32_REG_T ret; \
188		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
189		: "=r"(ret) \
190		: "r"(x), "r"(y), "r"(z)); ret; })
191		#define Maj(x, y, z) ({ MD32_REG_T ret; \
192		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
193		: "=r"(ret) \
194		: "r"(x^z), "r"(y), "r"(x)); ret; })
195		#endif
196		#endif
197		#endif
198
199		/*
200		* FIPS specification refers to right rotations, while our ROTATE macro
201		* is left one. This is why you might notice that rotation coefficients
202		* differ from those observed in FIPS document by 32-N...
203		*/
204		#ifndef Sigma0
205	363M	#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
206		#endif
207		#ifndef Sigma1
208	363M	#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
209		#endif
210		#ifndef sigma0
211	272M	#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
212		#endif
213		#ifndef sigma1
214	272M	#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10))
215		#endif
216		#ifndef Ch
217	363M	#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
218		#endif
219		#ifndef Maj
220	363M	#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
221		#endif
222
223		#ifdef OPENSSL_SMALL_FOOTPRINT
224
225		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
226		size_t num)
227		{
228		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
229		SHA_LONG X[16], l;
230		int i;
231		const unsigned char *data = in;
232
233		while (num--) {
234
235		a = ctx->h[0];
236		b = ctx->h[1];
237		c = ctx->h[2];
238		d = ctx->h[3];
239		e = ctx->h[4];
240		f = ctx->h[5];
241		g = ctx->h[6];
242		h = ctx->h[7];
243
244		for (i = 0; i < 16; i++) {
245		(void)HOST_c2l(data, l);
246		T1 = X[i] = l;
247		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
248		T2 = Sigma0(a) + Maj(a, b, c);
249		h = g;
250		g = f;
251		f = e;
252		e = d + T1;
253		d = c;
254		c = b;
255		b = a;
256		a = T1 + T2;
257		}
258
259		for (; i < 64; i++) {
260		s0 = X[(i + 1) & 0x0f];
261		s0 = sigma0(s0);
262		s1 = X[(i + 14) & 0x0f];
263		s1 = sigma1(s1);
264
265		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
266		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
267		T2 = Sigma0(a) + Maj(a, b, c);
268		h = g;
269		g = f;
270		f = e;
271		e = d + T1;
272		d = c;
273		c = b;
274		b = a;
275		a = T1 + T2;
276		}
277
278		ctx->h[0] += a;
279		ctx->h[1] += b;
280		ctx->h[2] += c;
281		ctx->h[3] += d;
282		ctx->h[4] += e;
283		ctx->h[5] += f;
284		ctx->h[6] += g;
285		ctx->h[7] += h;
286		}
287		}
288
289		#else
290
291		#define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
292	363M	do { \
293	363M	T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
294	363M	h = Sigma0(a) + Maj(a, b, c); \
295	363M	d += T1; \
296	363M	h += T1; \
297	363M	} while (0)
298
299		#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \
300	272M	do { \
301	272M	s0 = X[(i + 1) & 0x0f]; \
302	272M	s0 = sigma0(s0); \
303	272M	s1 = X[(i + 14) & 0x0f]; \
304	272M	s1 = sigma1(s1); \
305	272M	T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \
306	272M	ROUND_00_15(i, a, b, c, d, e, f, g, h); \
307	272M	} while (0)
308
309		#ifdef INCLUDE_C_SHA256
310		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num)
311		#else
312		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
313		size_t num)
314		#endif
315	12.6k	{
316	12.6k	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
317	12.6k	SHA_LONG X[16];
318	12.6k	int i;
319	12.6k	const unsigned char *data = in;
320	12.6k	DECLARE_IS_ENDIAN;
321
322	5.69M	while (num--) {
323
324	5.68M	a = ctx->h[0];
325	5.68M	b = ctx->h[1];
326	5.68M	c = ctx->h[2];
327	5.68M	d = ctx->h[3];
328	5.68M	e = ctx->h[4];
329	5.68M	f = ctx->h[5];
330	5.68M	g = ctx->h[6];
331	5.68M	h = ctx->h[7];
332
333	5.68M	if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
334	0	&& ((size_t)in % 4) == 0) {
335	0	const SHA_LONG W = (const SHA_LONG )data;
336
337	0	T1 = X[0] = W[0];
338	0	ROUND_00_15(0, a, b, c, d, e, f, g, h);
339	0	T1 = X[1] = W[1];
340	0	ROUND_00_15(1, h, a, b, c, d, e, f, g);
341	0	T1 = X[2] = W[2];
342	0	ROUND_00_15(2, g, h, a, b, c, d, e, f);
343	0	T1 = X[3] = W[3];
344	0	ROUND_00_15(3, f, g, h, a, b, c, d, e);
345	0	T1 = X[4] = W[4];
346	0	ROUND_00_15(4, e, f, g, h, a, b, c, d);
347	0	T1 = X[5] = W[5];
348	0	ROUND_00_15(5, d, e, f, g, h, a, b, c);
349	0	T1 = X[6] = W[6];
350	0	ROUND_00_15(6, c, d, e, f, g, h, a, b);
351	0	T1 = X[7] = W[7];
352	0	ROUND_00_15(7, b, c, d, e, f, g, h, a);
353	0	T1 = X[8] = W[8];
354	0	ROUND_00_15(8, a, b, c, d, e, f, g, h);
355	0	T1 = X[9] = W[9];
356	0	ROUND_00_15(9, h, a, b, c, d, e, f, g);
357	0	T1 = X[10] = W[10];
358	0	ROUND_00_15(10, g, h, a, b, c, d, e, f);
359	0	T1 = X[11] = W[11];
360	0	ROUND_00_15(11, f, g, h, a, b, c, d, e);
361	0	T1 = X[12] = W[12];
362	0	ROUND_00_15(12, e, f, g, h, a, b, c, d);
363	0	T1 = X[13] = W[13];
364	0	ROUND_00_15(13, d, e, f, g, h, a, b, c);
365	0	T1 = X[14] = W[14];
366	0	ROUND_00_15(14, c, d, e, f, g, h, a, b);
367	0	T1 = X[15] = W[15];
368	0	ROUND_00_15(15, b, c, d, e, f, g, h, a);
369
370	0	data += SHA256_CBLOCK;
371	5.68M	} else {
372	5.68M	SHA_LONG l;
373
374	5.68M	(void)HOST_c2l(data, l);
375	5.68M	T1 = X[0] = l;
376	5.68M	ROUND_00_15(0, a, b, c, d, e, f, g, h);
377	5.68M	(void)HOST_c2l(data, l);
378	5.68M	T1 = X[1] = l;
379	5.68M	ROUND_00_15(1, h, a, b, c, d, e, f, g);
380	5.68M	(void)HOST_c2l(data, l);
381	5.68M	T1 = X[2] = l;
382	5.68M	ROUND_00_15(2, g, h, a, b, c, d, e, f);
383	5.68M	(void)HOST_c2l(data, l);
384	5.68M	T1 = X[3] = l;
385	5.68M	ROUND_00_15(3, f, g, h, a, b, c, d, e);
386	5.68M	(void)HOST_c2l(data, l);
387	5.68M	T1 = X[4] = l;
388	5.68M	ROUND_00_15(4, e, f, g, h, a, b, c, d);
389	5.68M	(void)HOST_c2l(data, l);
390	5.68M	T1 = X[5] = l;
391	5.68M	ROUND_00_15(5, d, e, f, g, h, a, b, c);
392	5.68M	(void)HOST_c2l(data, l);
393	5.68M	T1 = X[6] = l;
394	5.68M	ROUND_00_15(6, c, d, e, f, g, h, a, b);
395	5.68M	(void)HOST_c2l(data, l);
396	5.68M	T1 = X[7] = l;
397	5.68M	ROUND_00_15(7, b, c, d, e, f, g, h, a);
398	5.68M	(void)HOST_c2l(data, l);
399	5.68M	T1 = X[8] = l;
400	5.68M	ROUND_00_15(8, a, b, c, d, e, f, g, h);
401	5.68M	(void)HOST_c2l(data, l);
402	5.68M	T1 = X[9] = l;
403	5.68M	ROUND_00_15(9, h, a, b, c, d, e, f, g);
404	5.68M	(void)HOST_c2l(data, l);
405	5.68M	T1 = X[10] = l;
406	5.68M	ROUND_00_15(10, g, h, a, b, c, d, e, f);
407	5.68M	(void)HOST_c2l(data, l);
408	5.68M	T1 = X[11] = l;
409	5.68M	ROUND_00_15(11, f, g, h, a, b, c, d, e);
410	5.68M	(void)HOST_c2l(data, l);
411	5.68M	T1 = X[12] = l;
412	5.68M	ROUND_00_15(12, e, f, g, h, a, b, c, d);
413	5.68M	(void)HOST_c2l(data, l);
414	5.68M	T1 = X[13] = l;
415	5.68M	ROUND_00_15(13, d, e, f, g, h, a, b, c);
416	5.68M	(void)HOST_c2l(data, l);
417	5.68M	T1 = X[14] = l;
418	5.68M	ROUND_00_15(14, c, d, e, f, g, h, a, b);
419	5.68M	(void)HOST_c2l(data, l);
420	5.68M	T1 = X[15] = l;
421	5.68M	ROUND_00_15(15, b, c, d, e, f, g, h, a);
422	5.68M	}
423
424	39.7M	for (i = 16; i < 64; i += 8) {
425	34.1M	ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
426	34.1M	ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
427	34.1M	ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
428	34.1M	ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
429	34.1M	ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
430	34.1M	ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
431	34.1M	ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
432	34.1M	ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
433	34.1M	}
434
435	5.68M	ctx->h[0] += a;
436	5.68M	ctx->h[1] += b;
437	5.68M	ctx->h[2] += c;
438	5.68M	ctx->h[3] += d;
439	5.68M	ctx->h[4] += e;
440	5.68M	ctx->h[5] += f;
441	5.68M	ctx->h[6] += g;
442	5.68M	ctx->h[7] += h;
443	5.68M	}
444	12.6k	}
445
446		#endif
447		#endif /* SHA256_ASM */