/src/openssl/crypto/sha/sha256.c

Source (jump to first uncovered line)
/* crypto/sha/sha256.c */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
 * ====================================================================
 */
#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)

# include <stdlib.h>
# include <string.h>

# include <openssl/crypto.h>
# include <openssl/sha.h>
# include <openssl/opensslv.h>

const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;

fips_md_init_ctx(SHA224, SHA256)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

fips_md_init(SHA256)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA224_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA224_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return (md);
}

unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA256_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA256_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return (md);
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

# define DATA_ORDER_IS_BIG_ENDIAN

# define HASH_LONG               SHA_LONG
# define HASH_CTX                SHA256_CTX
# define HASH_CBLOCK             SHA_CBLOCK
/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lenghts is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
# define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

# define HASH_UPDATE             SHA256_Update
# define HASH_TRANSFORM          SHA256_Transform
# define HASH_FINAL              SHA256_Final
# define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
# ifndef SHA256_ASM
static
# endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

# include "md32_common.h"

# ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))

#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

#  ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

#  else

#   define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#   define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    const union {
        long one;
        char little;
    } is_endian = {
        1
    };

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!is_endian.little && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

#  endif
# endif                         /* SHA256_ASM */

#endif                          /* OPENSSL_NO_SHA256 */

Coverage Report

Created: 2022-11-30 06:20

Line	Count	Source (jump to first uncovered line)
1		/* crypto/sha/sha256.c */
2		/* ====================================================================
3		* Copyright (c) 2004 The OpenSSL Project. All rights reserved
4		* according to the OpenSSL license [found in ../../LICENSE].
5		* ====================================================================
6		*/
7		#include <openssl/opensslconf.h>
8		#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
9
10		# include <stdlib.h>
11		# include <string.h>
12
13		# include <openssl/crypto.h>
14		# include <openssl/sha.h>
15		# include <openssl/opensslv.h>
16
17		const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
18
19		fips_md_init_ctx(SHA224, SHA256)
20	0	{
21	0	memset(c, 0, sizeof(*c));
22	0	c->h[0] = 0xc1059ed8UL;
23	0	c->h[1] = 0x367cd507UL;
24	0	c->h[2] = 0x3070dd17UL;
25	0	c->h[3] = 0xf70e5939UL;
26	0	c->h[4] = 0xffc00b31UL;
27	0	c->h[5] = 0x68581511UL;
28	0	c->h[6] = 0x64f98fa7UL;
29	0	c->h[7] = 0xbefa4fa4UL;
30	0	c->md_len = SHA224_DIGEST_LENGTH;
31	0	return 1;
32	0	}
33
34		fips_md_init(SHA256)
35	16.9k	{
36	16.9k	memset(c, 0, sizeof(*c));
37	16.9k	c->h[0] = 0x6a09e667UL;
38	16.9k	c->h[1] = 0xbb67ae85UL;
39	16.9k	c->h[2] = 0x3c6ef372UL;
40	16.9k	c->h[3] = 0xa54ff53aUL;
41	16.9k	c->h[4] = 0x510e527fUL;
42	16.9k	c->h[5] = 0x9b05688cUL;
43	16.9k	c->h[6] = 0x1f83d9abUL;
44	16.9k	c->h[7] = 0x5be0cd19UL;
45	16.9k	c->md_len = SHA256_DIGEST_LENGTH;
46	16.9k	return 1;
47	16.9k	}
48
49		unsigned char SHA224(const unsigned char d, size_t n, unsigned char *md)
50	0	{
51	0	SHA256_CTX c;
52	0	static unsigned char m[SHA224_DIGEST_LENGTH];
53
54	0	if (md == NULL)
55	0	md = m;
56	0	SHA224_Init(&c);
57	0	SHA256_Update(&c, d, n);
58	0	SHA256_Final(md, &c);
59	0	OPENSSL_cleanse(&c, sizeof(c));
60	0	return (md);
61	0	}
62
63		unsigned char SHA256(const unsigned char d, size_t n, unsigned char *md)
64	0	{
65	0	SHA256_CTX c;
66	0	static unsigned char m[SHA256_DIGEST_LENGTH];
67
68	0	if (md == NULL)
69	0	md = m;
70	0	SHA256_Init(&c);
71	0	SHA256_Update(&c, d, n);
72	0	SHA256_Final(md, &c);
73	0	OPENSSL_cleanse(&c, sizeof(c));
74	0	return (md);
75	0	}
76
77		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
78	0	{
79	0	return SHA256_Update(c, data, len);
80	0	}
81
82		int SHA224_Final(unsigned char md, SHA256_CTX c)
83	0	{
84	0	return SHA256_Final(md, c);
85	0	}
86
87		# define DATA_ORDER_IS_BIG_ENDIAN
88
89	919k	# define HASH_LONG SHA_LONG
90		# define HASH_CTX SHA256_CTX
91	1.95M	# define HASH_CBLOCK SHA_CBLOCK
92		/*
93		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
94		* default: case below covers for it. It's not clear however if it's
95		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
96		* but if it is, then default: case shall be extended. For reference.
97		* Idea behind separate cases for pre-defined lenghts is to let the
98		* compiler decide if it's appropriate to unroll small loops.
99		*/
100	16.9k	# define HASH_MAKE_STRING(c,s) do { \
101	16.9k	unsigned long ll; \
102	16.9k	unsigned int nn; \
103	16.9k	switch ((c)->md_len) \
104	16.9k	{ case SHA224_DIGEST_LENGTH: \
105	0	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
106	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
107	0	break; \
108	16.9k	case SHA256_DIGEST_LENGTH: \
109	152k	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
110	135k	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
111	16.9k	break; \
112	0	default: \
113	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
114	0	return 0; \
115	0	for (nn=0;nn<(c)->md_len/4;nn++) \
116	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
117	0	break; \
118	16.9k	} \
119	16.9k	} while (0)
120
121		# define HASH_UPDATE SHA256_Update
122		# define HASH_TRANSFORM SHA256_Transform
123		# define HASH_FINAL SHA256_Final
124	35.4k	# define HASH_BLOCK_DATA_ORDER sha256_block_data_order
125		# ifndef SHA256_ASM
126		static
127		# endif
128		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
129
130		# include "md32_common.h"
131
132		# ifndef SHA256_ASM
133		static const SHA_LONG K256[64] = {
134		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150		};
151
152		/*
153		* FIPS specification refers to right rotations, while our ROTATE macro
154		* is left one. This is why you might notice that rotation coefficients
155		* differ from those observed in FIPS document by 32-N...
156		*/
157		# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
158		# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
159		# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
160		# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
161
162		# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
163		# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
164
165		# ifdef OPENSSL_SMALL_FOOTPRINT
166
167		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
168		size_t num)
169		{
170		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
171		SHA_LONG X[16], l;
172		int i;
173		const unsigned char *data = in;
174
175		while (num--) {
176
177		a = ctx->h[0];
178		b = ctx->h[1];
179		c = ctx->h[2];
180		d = ctx->h[3];
181		e = ctx->h[4];
182		f = ctx->h[5];
183		g = ctx->h[6];
184		h = ctx->h[7];
185
186		for (i = 0; i < 16; i++) {
187		HOST_c2l(data, l);
188		T1 = X[i] = l;
189		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
190		T2 = Sigma0(a) + Maj(a, b, c);
191		h = g;
192		g = f;
193		f = e;
194		e = d + T1;
195		d = c;
196		c = b;
197		b = a;
198		a = T1 + T2;
199		}
200
201		for (; i < 64; i++) {
202		s0 = X[(i + 1) & 0x0f];
203		s0 = sigma0(s0);
204		s1 = X[(i + 14) & 0x0f];
205		s1 = sigma1(s1);
206
207		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
208		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
209		T2 = Sigma0(a) + Maj(a, b, c);
210		h = g;
211		g = f;
212		f = e;
213		e = d + T1;
214		d = c;
215		c = b;
216		b = a;
217		a = T1 + T2;
218		}
219
220		ctx->h[0] += a;
221		ctx->h[1] += b;
222		ctx->h[2] += c;
223		ctx->h[3] += d;
224		ctx->h[4] += e;
225		ctx->h[5] += f;
226		ctx->h[6] += g;
227		ctx->h[7] += h;
228
229		}
230		}
231
232		# else
233
234		# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
235		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
236		h = Sigma0(a) + Maj(a,b,c); \
237		d += T1; h += T1; } while (0)
238
239		# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
240		s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
241		s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
242		T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
243		ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
244
245		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
246		size_t num)
247		{
248		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
249		SHA_LONG X[16];
250		int i;
251		const unsigned char *data = in;
252		const union {
253		long one;
254		char little;
255		} is_endian = {
256		1
257		};
258
259		while (num--) {
260
261		a = ctx->h[0];
262		b = ctx->h[1];
263		c = ctx->h[2];
264		d = ctx->h[3];
265		e = ctx->h[4];
266		f = ctx->h[5];
267		g = ctx->h[6];
268		h = ctx->h[7];
269
270		if (!is_endian.little && sizeof(SHA_LONG) == 4
271		&& ((size_t)in % 4) == 0) {
272		const SHA_LONG W = (const SHA_LONG )data;
273
274		T1 = X[0] = W[0];
275		ROUND_00_15(0, a, b, c, d, e, f, g, h);
276		T1 = X[1] = W[1];
277		ROUND_00_15(1, h, a, b, c, d, e, f, g);
278		T1 = X[2] = W[2];
279		ROUND_00_15(2, g, h, a, b, c, d, e, f);
280		T1 = X[3] = W[3];
281		ROUND_00_15(3, f, g, h, a, b, c, d, e);
282		T1 = X[4] = W[4];
283		ROUND_00_15(4, e, f, g, h, a, b, c, d);
284		T1 = X[5] = W[5];
285		ROUND_00_15(5, d, e, f, g, h, a, b, c);
286		T1 = X[6] = W[6];
287		ROUND_00_15(6, c, d, e, f, g, h, a, b);
288		T1 = X[7] = W[7];
289		ROUND_00_15(7, b, c, d, e, f, g, h, a);
290		T1 = X[8] = W[8];
291		ROUND_00_15(8, a, b, c, d, e, f, g, h);
292		T1 = X[9] = W[9];
293		ROUND_00_15(9, h, a, b, c, d, e, f, g);
294		T1 = X[10] = W[10];
295		ROUND_00_15(10, g, h, a, b, c, d, e, f);
296		T1 = X[11] = W[11];
297		ROUND_00_15(11, f, g, h, a, b, c, d, e);
298		T1 = X[12] = W[12];
299		ROUND_00_15(12, e, f, g, h, a, b, c, d);
300		T1 = X[13] = W[13];
301		ROUND_00_15(13, d, e, f, g, h, a, b, c);
302		T1 = X[14] = W[14];
303		ROUND_00_15(14, c, d, e, f, g, h, a, b);
304		T1 = X[15] = W[15];
305		ROUND_00_15(15, b, c, d, e, f, g, h, a);
306
307		data += SHA256_CBLOCK;
308		} else {
309		SHA_LONG l;
310
311		HOST_c2l(data, l);
312		T1 = X[0] = l;
313		ROUND_00_15(0, a, b, c, d, e, f, g, h);
314		HOST_c2l(data, l);
315		T1 = X[1] = l;
316		ROUND_00_15(1, h, a, b, c, d, e, f, g);
317		HOST_c2l(data, l);
318		T1 = X[2] = l;
319		ROUND_00_15(2, g, h, a, b, c, d, e, f);
320		HOST_c2l(data, l);
321		T1 = X[3] = l;
322		ROUND_00_15(3, f, g, h, a, b, c, d, e);
323		HOST_c2l(data, l);
324		T1 = X[4] = l;
325		ROUND_00_15(4, e, f, g, h, a, b, c, d);
326		HOST_c2l(data, l);
327		T1 = X[5] = l;
328		ROUND_00_15(5, d, e, f, g, h, a, b, c);
329		HOST_c2l(data, l);
330		T1 = X[6] = l;
331		ROUND_00_15(6, c, d, e, f, g, h, a, b);
332		HOST_c2l(data, l);
333		T1 = X[7] = l;
334		ROUND_00_15(7, b, c, d, e, f, g, h, a);
335		HOST_c2l(data, l);
336		T1 = X[8] = l;
337		ROUND_00_15(8, a, b, c, d, e, f, g, h);
338		HOST_c2l(data, l);
339		T1 = X[9] = l;
340		ROUND_00_15(9, h, a, b, c, d, e, f, g);
341		HOST_c2l(data, l);
342		T1 = X[10] = l;
343		ROUND_00_15(10, g, h, a, b, c, d, e, f);
344		HOST_c2l(data, l);
345		T1 = X[11] = l;
346		ROUND_00_15(11, f, g, h, a, b, c, d, e);
347		HOST_c2l(data, l);
348		T1 = X[12] = l;
349		ROUND_00_15(12, e, f, g, h, a, b, c, d);
350		HOST_c2l(data, l);
351		T1 = X[13] = l;
352		ROUND_00_15(13, d, e, f, g, h, a, b, c);
353		HOST_c2l(data, l);
354		T1 = X[14] = l;
355		ROUND_00_15(14, c, d, e, f, g, h, a, b);
356		HOST_c2l(data, l);
357		T1 = X[15] = l;
358		ROUND_00_15(15, b, c, d, e, f, g, h, a);
359		}
360
361		for (i = 16; i < 64; i += 8) {
362		ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
363		ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
364		ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
365		ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
366		ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
367		ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
368		ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
369		ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
370		}
371
372		ctx->h[0] += a;
373		ctx->h[1] += b;
374		ctx->h[2] += c;
375		ctx->h[3] += d;
376		ctx->h[4] += e;
377		ctx->h[5] += f;
378		ctx->h[6] += g;
379		ctx->h[7] += h;
380
381		}
382		}
383
384		# endif
385		# endif /* SHA256_ASM */
386
387		#endif /* OPENSSL_NO_SHA256 */