/src/openssl/crypto/sha/sha256.c

Source
/*
 * Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len) {          \
            case SHA256_192_DIGEST_LENGTH: \
                for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) { \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
            case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) {     \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) {     \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++) {              \
                    ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));      \
                }                       \
                break;                  \
        }                               \
    } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#else
# ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
# endif /* INCLUDE_C_SHA256 */
#endif /* SHA256_ASM */
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

# ifndef PEDANTIC
#  if defined(__GNUC__) && __GNUC__>=2 && \
      !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#   if defined(__riscv_zknh)
#    define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#   endif
#   if defined(__riscv_zbt) || defined(__riscv_zpn)
#    define Ch(x,y,z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret;             })
#    define Maj(x,y,z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret;           })
#   endif
#  endif
# endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# ifndef Sigma0
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# endif
# ifndef Sigma1
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# endif
# ifndef sigma0
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# endif
# ifndef sigma1
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
# endif
# ifndef Ch
#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# endif
# ifndef Maj
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
# endif

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
#else
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
#endif
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2025-10-12 06:56

Line	Count	Source
1		/*
2		* Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	68	{
29	68	memset(c, 0, sizeof(*c));
30	68	c->h[0] = 0xc1059ed8UL;
31	68	c->h[1] = 0x367cd507UL;
32	68	c->h[2] = 0x3070dd17UL;
33	68	c->h[3] = 0xf70e5939UL;
34	68	c->h[4] = 0xffc00b31UL;
35	68	c->h[5] = 0x68581511UL;
36	68	c->h[6] = 0x64f98fa7UL;
37	68	c->h[7] = 0xbefa4fa4UL;
38	68	c->md_len = SHA224_DIGEST_LENGTH;
39	68	return 1;
40	68	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	22.6k	{
44	22.6k	memset(c, 0, sizeof(*c));
45	22.6k	c->h[0] = 0x6a09e667UL;
46	22.6k	c->h[1] = 0xbb67ae85UL;
47	22.6k	c->h[2] = 0x3c6ef372UL;
48	22.6k	c->h[3] = 0xa54ff53aUL;
49	22.6k	c->h[4] = 0x510e527fUL;
50	22.6k	c->h[5] = 0x9b05688cUL;
51	22.6k	c->h[6] = 0x1f83d9abUL;
52	22.6k	c->h[7] = 0x5be0cd19UL;
53	22.6k	c->md_len = SHA256_DIGEST_LENGTH;
54	22.6k	return 1;
55	22.6k	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	0	{
59	0	SHA256_Init(c);
60	0	c->md_len = SHA256_192_DIGEST_LENGTH;
61	0	return 1;
62	0	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	68	{
66	68	return SHA256_Update(c, data, len);
67	68	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	34	{
71	34	return SHA256_Final(md, c);
72	34	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	149M	#define HASH_LONG SHA_LONG
77		#define HASH_CTX SHA256_CTX
78	306M	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88	11.2k	#define HASH_MAKE_STRING(c,s) do { \
89	11.2k	unsigned long ll; \
90	11.2k	unsigned int nn; \
91	11.2k	switch ((c)->md_len) { \
92	0	case SHA256_192_DIGEST_LENGTH: \
93	0	for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) { \
94	0	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
95	0	} \
96	0	break; \
97	34	case SHA224_DIGEST_LENGTH: \
98	272	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) { \
99	238	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
100	238	} \
101	34	break; \
102	11.1k	case SHA256_DIGEST_LENGTH: \
103	100k	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) { \
104	89.4k	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
105	89.4k	} \
106	11.1k	break; \
107	0	default: \
108	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
109	0	return 0; \
110	0	for (nn=0;nn<(c)->md_len/4;nn++) { \
111	0	ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); \
112	0	} \
113	0	break; \
114	11.2k	} \
115	11.2k	} while (0)
116
117		#define HASH_UPDATE SHA256_Update
118		#define HASH_TRANSFORM SHA256_Transform
119		#define HASH_FINAL SHA256_Final
120	2.37M	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
121		#ifndef SHA256_ASM
122		static
123		#else
124		# ifdef INCLUDE_C_SHA256
125		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num);
126		# endif /* INCLUDE_C_SHA256 */
127		#endif /* SHA256_ASM */
128		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
129
130		#include "crypto/md32_common.h"
131
132		#if !defined(SHA256_ASM) \|\| defined(INCLUDE_C_SHA256)
133		static const SHA_LONG K256[64] = {
134		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150		};
151
152		# ifndef PEDANTIC
153		# if defined(__GNUC__) && __GNUC__>=2 && \
154		!defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
155		# if defined(__riscv_zknh)
156		# define Sigma0(x) ({ MD32_REG_T ret; \
157		asm ("sha256sum0 %0, %1" \
158		: "=r"(ret) \
159		: "r"(x)); ret; })
160		# define Sigma1(x) ({ MD32_REG_T ret; \
161		asm ("sha256sum1 %0, %1" \
162		: "=r"(ret) \
163		: "r"(x)); ret; })
164		# define sigma0(x) ({ MD32_REG_T ret; \
165		asm ("sha256sig0 %0, %1" \
166		: "=r"(ret) \
167		: "r"(x)); ret; })
168		# define sigma1(x) ({ MD32_REG_T ret; \
169		asm ("sha256sig1 %0, %1" \
170		: "=r"(ret) \
171		: "r"(x)); ret; })
172		# endif
173		# if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
174		# define Ch(x,y,z) ({ MD32_REG_T ret; \
175		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
176		: "=r"(ret) \
177		: "r"(x), "r"(y), "r"(z)); ret; })
178		# define Maj(x,y,z) ({ MD32_REG_T ret; \
179		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
180		: "=r"(ret) \
181		: "r"(x^z), "r"(y), "r"(x)); ret; })
182		# endif
183		# endif
184		# endif
185
186		/*
187		* FIPS specification refers to right rotations, while our ROTATE macro
188		* is left one. This is why you might notice that rotation coefficients
189		* differ from those observed in FIPS document by 32-N...
190		*/
191		# ifndef Sigma0
192	627M	# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
193		# endif
194		# ifndef Sigma1
195	627M	# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
196		# endif
197		# ifndef sigma0
198	470M	# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
199		# endif
200		# ifndef sigma1
201	470M	# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
202		# endif
203		# ifndef Ch
204	627M	# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
205		# endif
206		# ifndef Maj
207	627M	# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
208		# endif
209
210		# ifdef OPENSSL_SMALL_FOOTPRINT
211
212		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
213		size_t num)
214		{
215		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
216		SHA_LONG X[16], l;
217		int i;
218		const unsigned char *data = in;
219
220		while (num--) {
221
222		a = ctx->h[0];
223		b = ctx->h[1];
224		c = ctx->h[2];
225		d = ctx->h[3];
226		e = ctx->h[4];
227		f = ctx->h[5];
228		g = ctx->h[6];
229		h = ctx->h[7];
230
231		for (i = 0; i < 16; i++) {
232		(void)HOST_c2l(data, l);
233		T1 = X[i] = l;
234		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
235		T2 = Sigma0(a) + Maj(a, b, c);
236		h = g;
237		g = f;
238		f = e;
239		e = d + T1;
240		d = c;
241		c = b;
242		b = a;
243		a = T1 + T2;
244		}
245
246		for (; i < 64; i++) {
247		s0 = X[(i + 1) & 0x0f];
248		s0 = sigma0(s0);
249		s1 = X[(i + 14) & 0x0f];
250		s1 = sigma1(s1);
251
252		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
253		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
254		T2 = Sigma0(a) + Maj(a, b, c);
255		h = g;
256		g = f;
257		f = e;
258		e = d + T1;
259		d = c;
260		c = b;
261		b = a;
262		a = T1 + T2;
263		}
264
265		ctx->h[0] += a;
266		ctx->h[1] += b;
267		ctx->h[2] += c;
268		ctx->h[3] += d;
269		ctx->h[4] += e;
270		ctx->h[5] += f;
271		ctx->h[6] += g;
272		ctx->h[7] += h;
273
274		}
275		}
276
277		# else
278
279	627M	# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
280	627M	T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
281	627M	h = Sigma0(a) + Maj(a,b,c); \
282	627M	d += T1; h += T1; } while (0)
283
284	470M	# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
285	470M	s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
286	470M	s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
287	470M	T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
288	470M	ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
289
290		#ifdef INCLUDE_C_SHA256
291		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num)
292		#else
293		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
294		size_t num)
295		#endif
296	2.37M	{
297	2.37M	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
298	2.37M	SHA_LONG X[16];
299	2.37M	int i;
300	2.37M	const unsigned char *data = in;
301	2.37M	DECLARE_IS_ENDIAN;
302
303	12.1M	while (num--) {
304
305	9.81M	a = ctx->h[0];
306	9.81M	b = ctx->h[1];
307	9.81M	c = ctx->h[2];
308	9.81M	d = ctx->h[3];
309	9.81M	e = ctx->h[4];
310	9.81M	f = ctx->h[5];
311	9.81M	g = ctx->h[6];
312	9.81M	h = ctx->h[7];
313
314	9.81M	if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
315	0	&& ((size_t)in % 4) == 0) {
316	0	const SHA_LONG W = (const SHA_LONG )data;
317
318	0	T1 = X[0] = W[0];
319	0	ROUND_00_15(0, a, b, c, d, e, f, g, h);
320	0	T1 = X[1] = W[1];
321	0	ROUND_00_15(1, h, a, b, c, d, e, f, g);
322	0	T1 = X[2] = W[2];
323	0	ROUND_00_15(2, g, h, a, b, c, d, e, f);
324	0	T1 = X[3] = W[3];
325	0	ROUND_00_15(3, f, g, h, a, b, c, d, e);
326	0	T1 = X[4] = W[4];
327	0	ROUND_00_15(4, e, f, g, h, a, b, c, d);
328	0	T1 = X[5] = W[5];
329	0	ROUND_00_15(5, d, e, f, g, h, a, b, c);
330	0	T1 = X[6] = W[6];
331	0	ROUND_00_15(6, c, d, e, f, g, h, a, b);
332	0	T1 = X[7] = W[7];
333	0	ROUND_00_15(7, b, c, d, e, f, g, h, a);
334	0	T1 = X[8] = W[8];
335	0	ROUND_00_15(8, a, b, c, d, e, f, g, h);
336	0	T1 = X[9] = W[9];
337	0	ROUND_00_15(9, h, a, b, c, d, e, f, g);
338	0	T1 = X[10] = W[10];
339	0	ROUND_00_15(10, g, h, a, b, c, d, e, f);
340	0	T1 = X[11] = W[11];
341	0	ROUND_00_15(11, f, g, h, a, b, c, d, e);
342	0	T1 = X[12] = W[12];
343	0	ROUND_00_15(12, e, f, g, h, a, b, c, d);
344	0	T1 = X[13] = W[13];
345	0	ROUND_00_15(13, d, e, f, g, h, a, b, c);
346	0	T1 = X[14] = W[14];
347	0	ROUND_00_15(14, c, d, e, f, g, h, a, b);
348	0	T1 = X[15] = W[15];
349	0	ROUND_00_15(15, b, c, d, e, f, g, h, a);
350
351	0	data += SHA256_CBLOCK;
352	9.81M	} else {
353	9.81M	SHA_LONG l;
354
355	9.81M	(void)HOST_c2l(data, l);
356	9.81M	T1 = X[0] = l;
357	9.81M	ROUND_00_15(0, a, b, c, d, e, f, g, h);
358	9.81M	(void)HOST_c2l(data, l);
359	9.81M	T1 = X[1] = l;
360	9.81M	ROUND_00_15(1, h, a, b, c, d, e, f, g);
361	9.81M	(void)HOST_c2l(data, l);
362	9.81M	T1 = X[2] = l;
363	9.81M	ROUND_00_15(2, g, h, a, b, c, d, e, f);
364	9.81M	(void)HOST_c2l(data, l);
365	9.81M	T1 = X[3] = l;
366	9.81M	ROUND_00_15(3, f, g, h, a, b, c, d, e);
367	9.81M	(void)HOST_c2l(data, l);
368	9.81M	T1 = X[4] = l;
369	9.81M	ROUND_00_15(4, e, f, g, h, a, b, c, d);
370	9.81M	(void)HOST_c2l(data, l);
371	9.81M	T1 = X[5] = l;
372	9.81M	ROUND_00_15(5, d, e, f, g, h, a, b, c);
373	9.81M	(void)HOST_c2l(data, l);
374	9.81M	T1 = X[6] = l;
375	9.81M	ROUND_00_15(6, c, d, e, f, g, h, a, b);
376	9.81M	(void)HOST_c2l(data, l);
377	9.81M	T1 = X[7] = l;
378	9.81M	ROUND_00_15(7, b, c, d, e, f, g, h, a);
379	9.81M	(void)HOST_c2l(data, l);
380	9.81M	T1 = X[8] = l;
381	9.81M	ROUND_00_15(8, a, b, c, d, e, f, g, h);
382	9.81M	(void)HOST_c2l(data, l);
383	9.81M	T1 = X[9] = l;
384	9.81M	ROUND_00_15(9, h, a, b, c, d, e, f, g);
385	9.81M	(void)HOST_c2l(data, l);
386	9.81M	T1 = X[10] = l;
387	9.81M	ROUND_00_15(10, g, h, a, b, c, d, e, f);
388	9.81M	(void)HOST_c2l(data, l);
389	9.81M	T1 = X[11] = l;
390	9.81M	ROUND_00_15(11, f, g, h, a, b, c, d, e);
391	9.81M	(void)HOST_c2l(data, l);
392	9.81M	T1 = X[12] = l;
393	9.81M	ROUND_00_15(12, e, f, g, h, a, b, c, d);
394	9.81M	(void)HOST_c2l(data, l);
395	9.81M	T1 = X[13] = l;
396	9.81M	ROUND_00_15(13, d, e, f, g, h, a, b, c);
397	9.81M	(void)HOST_c2l(data, l);
398	9.81M	T1 = X[14] = l;
399	9.81M	ROUND_00_15(14, c, d, e, f, g, h, a, b);
400	9.81M	(void)HOST_c2l(data, l);
401	9.81M	T1 = X[15] = l;
402	9.81M	ROUND_00_15(15, b, c, d, e, f, g, h, a);
403	9.81M	}
404
405	68.6M	for (i = 16; i < 64; i += 8) {
406	58.8M	ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
407	58.8M	ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
408	58.8M	ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
409	58.8M	ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
410	58.8M	ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
411	58.8M	ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
412	58.8M	ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
413	58.8M	ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
414	58.8M	}
415
416	9.81M	ctx->h[0] += a;
417	9.81M	ctx->h[1] += b;
418	9.81M	ctx->h[2] += c;
419	9.81M	ctx->h[3] += d;
420	9.81M	ctx->h[4] += e;
421	9.81M	ctx->h[5] += f;
422	9.81M	ctx->h[6] += g;
423	9.81M	ctx->h[7] += h;
424
425	9.81M	}
426	2.37M	}
427
428		# endif
429		#endif /* SHA256_ASM */