/src/openssl30/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))

# define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25
26		int SHA224_Init(SHA256_CTX *c)
27	199k	{
28	199k	memset(c, 0, sizeof(*c));
29	199k	c->h[0] = 0xc1059ed8UL;
30	199k	c->h[1] = 0x367cd507UL;
31	199k	c->h[2] = 0x3070dd17UL;
32	199k	c->h[3] = 0xf70e5939UL;
33	199k	c->h[4] = 0xffc00b31UL;
34	199k	c->h[5] = 0x68581511UL;
35	199k	c->h[6] = 0x64f98fa7UL;
36	199k	c->h[7] = 0xbefa4fa4UL;
37	199k	c->md_len = SHA224_DIGEST_LENGTH;
38	199k	return 1;
39	199k	}
40
41		int SHA256_Init(SHA256_CTX *c)
42	228M	{
43	228M	memset(c, 0, sizeof(*c));
44	228M	c->h[0] = 0x6a09e667UL;
45	228M	c->h[1] = 0xbb67ae85UL;
46	228M	c->h[2] = 0x3c6ef372UL;
47	228M	c->h[3] = 0xa54ff53aUL;
48	228M	c->h[4] = 0x510e527fUL;
49	228M	c->h[5] = 0x9b05688cUL;
50	228M	c->h[6] = 0x1f83d9abUL;
51	228M	c->h[7] = 0x5be0cd19UL;
52	228M	c->md_len = SHA256_DIGEST_LENGTH;
53	228M	return 1;
54	228M	}
55
56		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
57	198k	{
58	198k	return SHA256_Update(c, data, len);
59	198k	}
60
61		int SHA224_Final(unsigned char md, SHA256_CTX c)
62	198k	{
63	198k	return SHA256_Final(md, c);
64	198k	}
65
66		#define DATA_ORDER_IS_BIG_ENDIAN
67
68	913M	#define HASH_LONG SHA_LONG
69		#define HASH_CTX SHA256_CTX
70	2.28G	#define HASH_CBLOCK SHA_CBLOCK
71
72		/*
73		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
74		* default: case below covers for it. It's not clear however if it's
75		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
76		* but if it is, then default: case shall be extended. For reference.
77		* Idea behind separate cases for pre-defined lengths is to let the
78		* compiler decide if it's appropriate to unroll small loops.
79		*/
80	237k	#define HASH_MAKE_STRING(c,s) do { \
81	237k	unsigned long ll; \
82	237k	unsigned int nn; \
83	237k	switch ((c)->md_len) \
84	237k	{ case SHA224_DIGEST_LENGTH: \
85	819k	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
86	717k	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
87	102k	break; \
88	135k	case SHA256_DIGEST_LENGTH: \
89	1.21M	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
90	1.08M	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
91	135k	break; \
92	0	default: \
93	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
94	0	return 0; \
95	0	for (nn=0;nn<(c)->md_len/4;nn++) \
96	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
97	0	break; \
98	237k	} \
99	237k	} while (0)
100
101		#define HASH_UPDATE SHA256_Update
102		#define HASH_TRANSFORM SHA256_Transform
103		#define HASH_FINAL SHA256_Final
104	229M	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
105		#ifndef SHA256_ASM
106		static
107		#endif
108		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
109
110		#include "crypto/md32_common.h"
111
112		#ifndef SHA256_ASM
113		static const SHA_LONG K256[64] = {
114		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
115		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
116		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
117		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
118		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
119		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
120		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
121		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
122		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
123		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
124		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
125		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
126		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
127		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
128		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
129		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
130		};
131
132		/*
133		* FIPS specification refers to right rotations, while our ROTATE macro
134		* is left one. This is why you might notice that rotation coefficients
135		* differ from those observed in FIPS document by 32-N...
136		*/
137		# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
138		# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
139		# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
140		# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
141
142		# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
143		# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
144
145		# ifdef OPENSSL_SMALL_FOOTPRINT
146
147		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
148		size_t num)
149		{
150		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
151		SHA_LONG X[16], l;
152		int i;
153		const unsigned char *data = in;
154
155		while (num--) {
156
157		a = ctx->h[0];
158		b = ctx->h[1];
159		c = ctx->h[2];
160		d = ctx->h[3];
161		e = ctx->h[4];
162		f = ctx->h[5];
163		g = ctx->h[6];
164		h = ctx->h[7];
165
166		for (i = 0; i < 16; i++) {
167		(void)HOST_c2l(data, l);
168		T1 = X[i] = l;
169		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
170		T2 = Sigma0(a) + Maj(a, b, c);
171		h = g;
172		g = f;
173		f = e;
174		e = d + T1;
175		d = c;
176		c = b;
177		b = a;
178		a = T1 + T2;
179		}
180
181		for (; i < 64; i++) {
182		s0 = X[(i + 1) & 0x0f];
183		s0 = sigma0(s0);
184		s1 = X[(i + 14) & 0x0f];
185		s1 = sigma1(s1);
186
187		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
188		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
189		T2 = Sigma0(a) + Maj(a, b, c);
190		h = g;
191		g = f;
192		f = e;
193		e = d + T1;
194		d = c;
195		c = b;
196		b = a;
197		a = T1 + T2;
198		}
199
200		ctx->h[0] += a;
201		ctx->h[1] += b;
202		ctx->h[2] += c;
203		ctx->h[3] += d;
204		ctx->h[4] += e;
205		ctx->h[5] += f;
206		ctx->h[6] += g;
207		ctx->h[7] += h;
208
209		}
210		}
211
212		# else
213
214		# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
215		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
216		h = Sigma0(a) + Maj(a,b,c); \
217		d += T1; h += T1; } while (0)
218
219		# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
220		s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
221		s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
222		T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
223		ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
224
225		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
226		size_t num)
227		{
228		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
229		SHA_LONG X[16];
230		int i;
231		const unsigned char *data = in;
232		DECLARE_IS_ENDIAN;
233
234		while (num--) {
235
236		a = ctx->h[0];
237		b = ctx->h[1];
238		c = ctx->h[2];
239		d = ctx->h[3];
240		e = ctx->h[4];
241		f = ctx->h[5];
242		g = ctx->h[6];
243		h = ctx->h[7];
244
245		if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
246		&& ((size_t)in % 4) == 0) {
247		const SHA_LONG W = (const SHA_LONG )data;
248
249		T1 = X[0] = W[0];
250		ROUND_00_15(0, a, b, c, d, e, f, g, h);
251		T1 = X[1] = W[1];
252		ROUND_00_15(1, h, a, b, c, d, e, f, g);
253		T1 = X[2] = W[2];
254		ROUND_00_15(2, g, h, a, b, c, d, e, f);
255		T1 = X[3] = W[3];
256		ROUND_00_15(3, f, g, h, a, b, c, d, e);
257		T1 = X[4] = W[4];
258		ROUND_00_15(4, e, f, g, h, a, b, c, d);
259		T1 = X[5] = W[5];
260		ROUND_00_15(5, d, e, f, g, h, a, b, c);
261		T1 = X[6] = W[6];
262		ROUND_00_15(6, c, d, e, f, g, h, a, b);
263		T1 = X[7] = W[7];
264		ROUND_00_15(7, b, c, d, e, f, g, h, a);
265		T1 = X[8] = W[8];
266		ROUND_00_15(8, a, b, c, d, e, f, g, h);
267		T1 = X[9] = W[9];
268		ROUND_00_15(9, h, a, b, c, d, e, f, g);
269		T1 = X[10] = W[10];
270		ROUND_00_15(10, g, h, a, b, c, d, e, f);
271		T1 = X[11] = W[11];
272		ROUND_00_15(11, f, g, h, a, b, c, d, e);
273		T1 = X[12] = W[12];
274		ROUND_00_15(12, e, f, g, h, a, b, c, d);
275		T1 = X[13] = W[13];
276		ROUND_00_15(13, d, e, f, g, h, a, b, c);
277		T1 = X[14] = W[14];
278		ROUND_00_15(14, c, d, e, f, g, h, a, b);
279		T1 = X[15] = W[15];
280		ROUND_00_15(15, b, c, d, e, f, g, h, a);
281
282		data += SHA256_CBLOCK;
283		} else {
284		SHA_LONG l;
285
286		(void)HOST_c2l(data, l);
287		T1 = X[0] = l;
288		ROUND_00_15(0, a, b, c, d, e, f, g, h);
289		(void)HOST_c2l(data, l);
290		T1 = X[1] = l;
291		ROUND_00_15(1, h, a, b, c, d, e, f, g);
292		(void)HOST_c2l(data, l);
293		T1 = X[2] = l;
294		ROUND_00_15(2, g, h, a, b, c, d, e, f);
295		(void)HOST_c2l(data, l);
296		T1 = X[3] = l;
297		ROUND_00_15(3, f, g, h, a, b, c, d, e);
298		(void)HOST_c2l(data, l);
299		T1 = X[4] = l;
300		ROUND_00_15(4, e, f, g, h, a, b, c, d);
301		(void)HOST_c2l(data, l);
302		T1 = X[5] = l;
303		ROUND_00_15(5, d, e, f, g, h, a, b, c);
304		(void)HOST_c2l(data, l);
305		T1 = X[6] = l;
306		ROUND_00_15(6, c, d, e, f, g, h, a, b);
307		(void)HOST_c2l(data, l);
308		T1 = X[7] = l;
309		ROUND_00_15(7, b, c, d, e, f, g, h, a);
310		(void)HOST_c2l(data, l);
311		T1 = X[8] = l;
312		ROUND_00_15(8, a, b, c, d, e, f, g, h);
313		(void)HOST_c2l(data, l);
314		T1 = X[9] = l;
315		ROUND_00_15(9, h, a, b, c, d, e, f, g);
316		(void)HOST_c2l(data, l);
317		T1 = X[10] = l;
318		ROUND_00_15(10, g, h, a, b, c, d, e, f);
319		(void)HOST_c2l(data, l);
320		T1 = X[11] = l;
321		ROUND_00_15(11, f, g, h, a, b, c, d, e);
322		(void)HOST_c2l(data, l);
323		T1 = X[12] = l;
324		ROUND_00_15(12, e, f, g, h, a, b, c, d);
325		(void)HOST_c2l(data, l);
326		T1 = X[13] = l;
327		ROUND_00_15(13, d, e, f, g, h, a, b, c);
328		(void)HOST_c2l(data, l);
329		T1 = X[14] = l;
330		ROUND_00_15(14, c, d, e, f, g, h, a, b);
331		(void)HOST_c2l(data, l);
332		T1 = X[15] = l;
333		ROUND_00_15(15, b, c, d, e, f, g, h, a);
334		}
335
336		for (i = 16; i < 64; i += 8) {
337		ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
338		ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
339		ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
340		ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
341		ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
342		ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
343		ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
344		ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
345		}
346
347		ctx->h[0] += a;
348		ctx->h[1] += b;
349		ctx->h[2] += c;
350		ctx->h[3] += d;
351		ctx->h[4] += e;
352		ctx->h[5] += f;
353		ctx->h[6] += g;
354		ctx->h[7] += h;
355
356		}
357		}
358
359		# endif
360		#endif /* SHA256_ASM */