/src/openssl/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA256_192_DIGEST_LENGTH: \
                for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++)   \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#else
# ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
# endif /* INCLUDE_C_SHA256 */
#endif /* SHA256_ASM */
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

# ifndef PEDANTIC
#  if defined(__GNUC__) && __GNUC__>=2 && \
      !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#   if defined(__riscv_zknh)
#    define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#   endif
#   if defined(__riscv_zbt) || defined(__riscv_zpn)
#    define Ch(x,y,z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret;             })
#    define Maj(x,y,z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret;           })
#   endif
#  endif
# endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# ifndef Sigma0
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# endif
# ifndef Sigma1
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# endif
# ifndef sigma0
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# endif
# ifndef sigma1
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
# endif
# ifndef Ch
#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# endif
# ifndef Maj
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
# endif

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
#else
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
#endif
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2024-05-21 06:33

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	44	{
29	44	memset(c, 0, sizeof(*c));
30	44	c->h[0] = 0xc1059ed8UL;
31	44	c->h[1] = 0x367cd507UL;
32	44	c->h[2] = 0x3070dd17UL;
33	44	c->h[3] = 0xf70e5939UL;
34	44	c->h[4] = 0xffc00b31UL;
35	44	c->h[5] = 0x68581511UL;
36	44	c->h[6] = 0x64f98fa7UL;
37	44	c->h[7] = 0xbefa4fa4UL;
38	44	c->md_len = SHA224_DIGEST_LENGTH;
39	44	return 1;
40	44	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	29.2k	{
44	29.2k	memset(c, 0, sizeof(*c));
45	29.2k	c->h[0] = 0x6a09e667UL;
46	29.2k	c->h[1] = 0xbb67ae85UL;
47	29.2k	c->h[2] = 0x3c6ef372UL;
48	29.2k	c->h[3] = 0xa54ff53aUL;
49	29.2k	c->h[4] = 0x510e527fUL;
50	29.2k	c->h[5] = 0x9b05688cUL;
51	29.2k	c->h[6] = 0x1f83d9abUL;
52	29.2k	c->h[7] = 0x5be0cd19UL;
53	29.2k	c->md_len = SHA256_DIGEST_LENGTH;
54	29.2k	return 1;
55	29.2k	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	2	{
59	2	SHA256_Init(c);
60	2	c->md_len = SHA256_192_DIGEST_LENGTH;
61	2	return 1;
62	2	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	44	{
66	44	return SHA256_Update(c, data, len);
67	44	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	22	{
71	22	return SHA256_Final(md, c);
72	22	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	191M	#define HASH_LONG SHA_LONG
77		#define HASH_CTX SHA256_CTX
78	392M	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88	14.4k	#define HASH_MAKE_STRING(c,s) do { \
89	14.4k	unsigned long ll; \
90	14.4k	unsigned int nn; \
91	14.4k	switch ((c)->md_len) \
92	14.4k	{ case SHA256_192_DIGEST_LENGTH: \
93	7	for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) \
94	6	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
95	1	break; \
96	22	case SHA224_DIGEST_LENGTH: \
97	176	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
98	154	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
99	22	break; \
100	14.3k	case SHA256_DIGEST_LENGTH: \
101	129k	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
102	115k	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
103	14.3k	break; \
104	0	default: \
105	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
106	0	return 0; \
107	0	for (nn=0;nn<(c)->md_len/4;nn++) \
108	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
109	0	break; \
110	14.4k	} \
111	14.4k	} while (0)
112
113		#define HASH_UPDATE SHA256_Update
114		#define HASH_TRANSFORM SHA256_Transform
115		#define HASH_FINAL SHA256_Final
116	3.03M	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
117		#ifndef SHA256_ASM
118		static
119		#else
120		# ifdef INCLUDE_C_SHA256
121		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num);
122		# endif /* INCLUDE_C_SHA256 */
123		#endif /* SHA256_ASM */
124		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
125
126		#include "crypto/md32_common.h"
127
128		#if !defined(SHA256_ASM) \|\| defined(INCLUDE_C_SHA256)
129		static const SHA_LONG K256[64] = {
130		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
131		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
132		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
133		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
134		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
135		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
136		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
137		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
138		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
139		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
140		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
141		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
142		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
143		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
144		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
145		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
146		};
147
148		# ifndef PEDANTIC
149		# if defined(__GNUC__) && __GNUC__>=2 && \
150		!defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
151		# if defined(__riscv_zknh)
152		# define Sigma0(x) ({ MD32_REG_T ret; \
153		asm ("sha256sum0 %0, %1" \
154		: "=r"(ret) \
155		: "r"(x)); ret; })
156		# define Sigma1(x) ({ MD32_REG_T ret; \
157		asm ("sha256sum1 %0, %1" \
158		: "=r"(ret) \
159		: "r"(x)); ret; })
160		# define sigma0(x) ({ MD32_REG_T ret; \
161		asm ("sha256sig0 %0, %1" \
162		: "=r"(ret) \
163		: "r"(x)); ret; })
164		# define sigma1(x) ({ MD32_REG_T ret; \
165		asm ("sha256sig1 %0, %1" \
166		: "=r"(ret) \
167		: "r"(x)); ret; })
168		# endif
169		# if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
170		# define Ch(x,y,z) ({ MD32_REG_T ret; \
171		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
172		: "=r"(ret) \
173		: "r"(x), "r"(y), "r"(z)); ret; })
174		# define Maj(x,y,z) ({ MD32_REG_T ret; \
175		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
176		: "=r"(ret) \
177		: "r"(x^z), "r"(y), "r"(x)); ret; })
178		# endif
179		# endif
180		# endif
181
182		/*
183		* FIPS specification refers to right rotations, while our ROTATE macro
184		* is left one. This is why you might notice that rotation coefficients
185		* differ from those observed in FIPS document by 32-N...
186		*/
187		# ifndef Sigma0
188	807M	# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
189		# endif
190		# ifndef Sigma1
191	807M	# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
192		# endif
193		# ifndef sigma0
194	605M	# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
195		# endif
196		# ifndef sigma1
197	605M	# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
198		# endif
199		# ifndef Ch
200	807M	# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
201		# endif
202		# ifndef Maj
203	807M	# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
204		# endif
205
206		# ifdef OPENSSL_SMALL_FOOTPRINT
207
208		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
209		size_t num)
210		{
211		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
212		SHA_LONG X[16], l;
213		int i;
214		const unsigned char *data = in;
215
216		while (num--) {
217
218		a = ctx->h[0];
219		b = ctx->h[1];
220		c = ctx->h[2];
221		d = ctx->h[3];
222		e = ctx->h[4];
223		f = ctx->h[5];
224		g = ctx->h[6];
225		h = ctx->h[7];
226
227		for (i = 0; i < 16; i++) {
228		(void)HOST_c2l(data, l);
229		T1 = X[i] = l;
230		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
231		T2 = Sigma0(a) + Maj(a, b, c);
232		h = g;
233		g = f;
234		f = e;
235		e = d + T1;
236		d = c;
237		c = b;
238		b = a;
239		a = T1 + T2;
240		}
241
242		for (; i < 64; i++) {
243		s0 = X[(i + 1) & 0x0f];
244		s0 = sigma0(s0);
245		s1 = X[(i + 14) & 0x0f];
246		s1 = sigma1(s1);
247
248		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
249		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
250		T2 = Sigma0(a) + Maj(a, b, c);
251		h = g;
252		g = f;
253		f = e;
254		e = d + T1;
255		d = c;
256		c = b;
257		b = a;
258		a = T1 + T2;
259		}
260
261		ctx->h[0] += a;
262		ctx->h[1] += b;
263		ctx->h[2] += c;
264		ctx->h[3] += d;
265		ctx->h[4] += e;
266		ctx->h[5] += f;
267		ctx->h[6] += g;
268		ctx->h[7] += h;
269
270		}
271		}
272
273		# else
274
275	807M	# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
276	807M	T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
277	807M	h = Sigma0(a) + Maj(a,b,c); \
278	807M	d += T1; h += T1; } while (0)
279
280	605M	# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
281	605M	s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
282	605M	s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
283	605M	T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
284	605M	ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
285
286		#ifdef INCLUDE_C_SHA256
287		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num)
288		#else
289		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
290		size_t num)
291		#endif
292	3.03M	{
293	3.03M	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
294	3.03M	SHA_LONG X[16];
295	3.03M	int i;
296	3.03M	const unsigned char *data = in;
297	3.03M	DECLARE_IS_ENDIAN;
298
299	15.6M	while (num--) {
300
301	12.6M	a = ctx->h[0];
302	12.6M	b = ctx->h[1];
303	12.6M	c = ctx->h[2];
304	12.6M	d = ctx->h[3];
305	12.6M	e = ctx->h[4];
306	12.6M	f = ctx->h[5];
307	12.6M	g = ctx->h[6];
308	12.6M	h = ctx->h[7];
309
310	12.6M	if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
311	12.6M	&& ((size_t)in % 4) == 0) {
312	0	const SHA_LONG W = (const SHA_LONG )data;
313
314	0	T1 = X[0] = W[0];
315	0	ROUND_00_15(0, a, b, c, d, e, f, g, h);
316	0	T1 = X[1] = W[1];
317	0	ROUND_00_15(1, h, a, b, c, d, e, f, g);
318	0	T1 = X[2] = W[2];
319	0	ROUND_00_15(2, g, h, a, b, c, d, e, f);
320	0	T1 = X[3] = W[3];
321	0	ROUND_00_15(3, f, g, h, a, b, c, d, e);
322	0	T1 = X[4] = W[4];
323	0	ROUND_00_15(4, e, f, g, h, a, b, c, d);
324	0	T1 = X[5] = W[5];
325	0	ROUND_00_15(5, d, e, f, g, h, a, b, c);
326	0	T1 = X[6] = W[6];
327	0	ROUND_00_15(6, c, d, e, f, g, h, a, b);
328	0	T1 = X[7] = W[7];
329	0	ROUND_00_15(7, b, c, d, e, f, g, h, a);
330	0	T1 = X[8] = W[8];
331	0	ROUND_00_15(8, a, b, c, d, e, f, g, h);
332	0	T1 = X[9] = W[9];
333	0	ROUND_00_15(9, h, a, b, c, d, e, f, g);
334	0	T1 = X[10] = W[10];
335	0	ROUND_00_15(10, g, h, a, b, c, d, e, f);
336	0	T1 = X[11] = W[11];
337	0	ROUND_00_15(11, f, g, h, a, b, c, d, e);
338	0	T1 = X[12] = W[12];
339	0	ROUND_00_15(12, e, f, g, h, a, b, c, d);
340	0	T1 = X[13] = W[13];
341	0	ROUND_00_15(13, d, e, f, g, h, a, b, c);
342	0	T1 = X[14] = W[14];
343	0	ROUND_00_15(14, c, d, e, f, g, h, a, b);
344	0	T1 = X[15] = W[15];
345	0	ROUND_00_15(15, b, c, d, e, f, g, h, a);
346
347	0	data += SHA256_CBLOCK;
348	12.6M	} else {
349	12.6M	SHA_LONG l;
350
351	12.6M	(void)HOST_c2l(data, l);
352	12.6M	T1 = X[0] = l;
353	12.6M	ROUND_00_15(0, a, b, c, d, e, f, g, h);
354	12.6M	(void)HOST_c2l(data, l);
355	12.6M	T1 = X[1] = l;
356	12.6M	ROUND_00_15(1, h, a, b, c, d, e, f, g);
357	12.6M	(void)HOST_c2l(data, l);
358	12.6M	T1 = X[2] = l;
359	12.6M	ROUND_00_15(2, g, h, a, b, c, d, e, f);
360	12.6M	(void)HOST_c2l(data, l);
361	12.6M	T1 = X[3] = l;
362	12.6M	ROUND_00_15(3, f, g, h, a, b, c, d, e);
363	12.6M	(void)HOST_c2l(data, l);
364	12.6M	T1 = X[4] = l;
365	12.6M	ROUND_00_15(4, e, f, g, h, a, b, c, d);
366	12.6M	(void)HOST_c2l(data, l);
367	12.6M	T1 = X[5] = l;
368	12.6M	ROUND_00_15(5, d, e, f, g, h, a, b, c);
369	12.6M	(void)HOST_c2l(data, l);
370	12.6M	T1 = X[6] = l;
371	12.6M	ROUND_00_15(6, c, d, e, f, g, h, a, b);
372	12.6M	(void)HOST_c2l(data, l);
373	12.6M	T1 = X[7] = l;
374	12.6M	ROUND_00_15(7, b, c, d, e, f, g, h, a);
375	12.6M	(void)HOST_c2l(data, l);
376	12.6M	T1 = X[8] = l;
377	12.6M	ROUND_00_15(8, a, b, c, d, e, f, g, h);
378	12.6M	(void)HOST_c2l(data, l);
379	12.6M	T1 = X[9] = l;
380	12.6M	ROUND_00_15(9, h, a, b, c, d, e, f, g);
381	12.6M	(void)HOST_c2l(data, l);
382	12.6M	T1 = X[10] = l;
383	12.6M	ROUND_00_15(10, g, h, a, b, c, d, e, f);
384	12.6M	(void)HOST_c2l(data, l);
385	12.6M	T1 = X[11] = l;
386	12.6M	ROUND_00_15(11, f, g, h, a, b, c, d, e);
387	12.6M	(void)HOST_c2l(data, l);
388	12.6M	T1 = X[12] = l;
389	12.6M	ROUND_00_15(12, e, f, g, h, a, b, c, d);
390	12.6M	(void)HOST_c2l(data, l);
391	12.6M	T1 = X[13] = l;
392	12.6M	ROUND_00_15(13, d, e, f, g, h, a, b, c);
393	12.6M	(void)HOST_c2l(data, l);
394	12.6M	T1 = X[14] = l;
395	12.6M	ROUND_00_15(14, c, d, e, f, g, h, a, b);
396	12.6M	(void)HOST_c2l(data, l);
397	12.6M	T1 = X[15] = l;
398	12.6M	ROUND_00_15(15, b, c, d, e, f, g, h, a);
399	12.6M	}
400
401	88.3M	for (i = 16; i < 64; i += 8) {
402	75.6M	ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
403	75.6M	ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
404	75.6M	ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
405	75.6M	ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
406	75.6M	ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
407	75.6M	ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
408	75.6M	ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
409	75.6M	ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
410	75.6M	}
411
412	12.6M	ctx->h[0] += a;
413	12.6M	ctx->h[1] += b;
414	12.6M	ctx->h[2] += c;
415	12.6M	ctx->h[3] += d;
416	12.6M	ctx->h[4] += e;
417	12.6M	ctx->h[5] += f;
418	12.6M	ctx->h[6] += g;
419	12.6M	ctx->h[7] += h;
420
421	12.6M	}
422	3.03M	}
423
424		# endif
425		#endif /* SHA256_ASM */