/src/openssl31/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

# ifndef PEDANTIC
#  if defined(__GNUC__) && __GNUC__>=2 && \
      !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#   if defined(__riscv_zknh)
#    define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#   endif
#   if defined(__riscv_zbt) || defined(__riscv_zpn)
#    define Ch(x,y,z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret;             })
#    define Maj(x,y,z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret;           })
#   endif
#  endif
# endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# ifndef Sigma0
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# endif
# ifndef Sigma1
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# endif
# ifndef sigma0
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# endif
# ifndef sigma1
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
# endif
# ifndef Ch
#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# endif
# ifndef Maj
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
# endif

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25
26		int SHA224_Init(SHA256_CTX *c)
27	199k	{
28	199k	memset(c, 0, sizeof(*c));
29	199k	c->h[0] = 0xc1059ed8UL;
30	199k	c->h[1] = 0x367cd507UL;
31	199k	c->h[2] = 0x3070dd17UL;
32	199k	c->h[3] = 0xf70e5939UL;
33	199k	c->h[4] = 0xffc00b31UL;
34	199k	c->h[5] = 0x68581511UL;
35	199k	c->h[6] = 0x64f98fa7UL;
36	199k	c->h[7] = 0xbefa4fa4UL;
37	199k	c->md_len = SHA224_DIGEST_LENGTH;
38	199k	return 1;
39	199k	}
40
41		int SHA256_Init(SHA256_CTX *c)
42	228M	{
43	228M	memset(c, 0, sizeof(*c));
44	228M	c->h[0] = 0x6a09e667UL;
45	228M	c->h[1] = 0xbb67ae85UL;
46	228M	c->h[2] = 0x3c6ef372UL;
47	228M	c->h[3] = 0xa54ff53aUL;
48	228M	c->h[4] = 0x510e527fUL;
49	228M	c->h[5] = 0x9b05688cUL;
50	228M	c->h[6] = 0x1f83d9abUL;
51	228M	c->h[7] = 0x5be0cd19UL;
52	228M	c->md_len = SHA256_DIGEST_LENGTH;
53	228M	return 1;
54	228M	}
55
56		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
57	198k	{
58	198k	return SHA256_Update(c, data, len);
59	198k	}
60
61		int SHA224_Final(unsigned char md, SHA256_CTX c)
62	198k	{
63	198k	return SHA256_Final(md, c);
64	198k	}
65
66		#define DATA_ORDER_IS_BIG_ENDIAN
67
68	913M	#define HASH_LONG SHA_LONG
69		#define HASH_CTX SHA256_CTX
70	2.28G	#define HASH_CBLOCK SHA_CBLOCK
71
72		/*
73		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
74		* default: case below covers for it. It's not clear however if it's
75		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
76		* but if it is, then default: case shall be extended. For reference.
77		* Idea behind separate cases for pre-defined lengths is to let the
78		* compiler decide if it's appropriate to unroll small loops.
79		*/
80	237k	#define HASH_MAKE_STRING(c,s) do { \
81	237k	unsigned long ll; \
82	237k	unsigned int nn; \
83	237k	switch ((c)->md_len) \
84	237k	{ case SHA224_DIGEST_LENGTH: \
85	819k	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
86	717k	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
87	102k	break; \
88	135k	case SHA256_DIGEST_LENGTH: \
89	1.21M	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
90	1.08M	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
91	135k	break; \
92	0	default: \
93	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
94	0	return 0; \
95	0	for (nn=0;nn<(c)->md_len/4;nn++) \
96	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
97	0	break; \
98	237k	} \
99	237k	} while (0)
100
101		#define HASH_UPDATE SHA256_Update
102		#define HASH_TRANSFORM SHA256_Transform
103		#define HASH_FINAL SHA256_Final
104	229M	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
105		#ifndef SHA256_ASM
106		static
107		#endif
108		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
109
110		#include "crypto/md32_common.h"
111
112		#ifndef SHA256_ASM
113		static const SHA_LONG K256[64] = {
114		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
115		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
116		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
117		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
118		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
119		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
120		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
121		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
122		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
123		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
124		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
125		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
126		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
127		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
128		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
129		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
130		};
131
132		# ifndef PEDANTIC
133		# if defined(__GNUC__) && __GNUC__>=2 && \
134		!defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
135		# if defined(__riscv_zknh)
136		# define Sigma0(x) ({ MD32_REG_T ret; \
137		asm ("sha256sum0 %0, %1" \
138		: "=r"(ret) \
139		: "r"(x)); ret; })
140		# define Sigma1(x) ({ MD32_REG_T ret; \
141		asm ("sha256sum1 %0, %1" \
142		: "=r"(ret) \
143		: "r"(x)); ret; })
144		# define sigma0(x) ({ MD32_REG_T ret; \
145		asm ("sha256sig0 %0, %1" \
146		: "=r"(ret) \
147		: "r"(x)); ret; })
148		# define sigma1(x) ({ MD32_REG_T ret; \
149		asm ("sha256sig1 %0, %1" \
150		: "=r"(ret) \
151		: "r"(x)); ret; })
152		# endif
153		# if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
154		# define Ch(x,y,z) ({ MD32_REG_T ret; \
155		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
156		: "=r"(ret) \
157		: "r"(x), "r"(y), "r"(z)); ret; })
158		# define Maj(x,y,z) ({ MD32_REG_T ret; \
159		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
160		: "=r"(ret) \
161		: "r"(x^z), "r"(y), "r"(x)); ret; })
162		# endif
163		# endif
164		# endif
165
166		/*
167		* FIPS specification refers to right rotations, while our ROTATE macro
168		* is left one. This is why you might notice that rotation coefficients
169		* differ from those observed in FIPS document by 32-N...
170		*/
171		# ifndef Sigma0
172		# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
173		# endif
174		# ifndef Sigma1
175		# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
176		# endif
177		# ifndef sigma0
178		# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
179		# endif
180		# ifndef sigma1
181		# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
182		# endif
183		# ifndef Ch
184		# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
185		# endif
186		# ifndef Maj
187		# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
188		# endif
189
190		# ifdef OPENSSL_SMALL_FOOTPRINT
191
192		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
193		size_t num)
194		{
195		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
196		SHA_LONG X[16], l;
197		int i;
198		const unsigned char *data = in;
199
200		while (num--) {
201
202		a = ctx->h[0];
203		b = ctx->h[1];
204		c = ctx->h[2];
205		d = ctx->h[3];
206		e = ctx->h[4];
207		f = ctx->h[5];
208		g = ctx->h[6];
209		h = ctx->h[7];
210
211		for (i = 0; i < 16; i++) {
212		(void)HOST_c2l(data, l);
213		T1 = X[i] = l;
214		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
215		T2 = Sigma0(a) + Maj(a, b, c);
216		h = g;
217		g = f;
218		f = e;
219		e = d + T1;
220		d = c;
221		c = b;
222		b = a;
223		a = T1 + T2;
224		}
225
226		for (; i < 64; i++) {
227		s0 = X[(i + 1) & 0x0f];
228		s0 = sigma0(s0);
229		s1 = X[(i + 14) & 0x0f];
230		s1 = sigma1(s1);
231
232		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
233		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
234		T2 = Sigma0(a) + Maj(a, b, c);
235		h = g;
236		g = f;
237		f = e;
238		e = d + T1;
239		d = c;
240		c = b;
241		b = a;
242		a = T1 + T2;
243		}
244
245		ctx->h[0] += a;
246		ctx->h[1] += b;
247		ctx->h[2] += c;
248		ctx->h[3] += d;
249		ctx->h[4] += e;
250		ctx->h[5] += f;
251		ctx->h[6] += g;
252		ctx->h[7] += h;
253
254		}
255		}
256
257		# else
258
259		# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
260		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
261		h = Sigma0(a) + Maj(a,b,c); \
262		d += T1; h += T1; } while (0)
263
264		# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
265		s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
266		s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
267		T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
268		ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
269
270		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
271		size_t num)
272		{
273		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
274		SHA_LONG X[16];
275		int i;
276		const unsigned char *data = in;
277		DECLARE_IS_ENDIAN;
278
279		while (num--) {
280
281		a = ctx->h[0];
282		b = ctx->h[1];
283		c = ctx->h[2];
284		d = ctx->h[3];
285		e = ctx->h[4];
286		f = ctx->h[5];
287		g = ctx->h[6];
288		h = ctx->h[7];
289
290		if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
291		&& ((size_t)in % 4) == 0) {
292		const SHA_LONG W = (const SHA_LONG )data;
293
294		T1 = X[0] = W[0];
295		ROUND_00_15(0, a, b, c, d, e, f, g, h);
296		T1 = X[1] = W[1];
297		ROUND_00_15(1, h, a, b, c, d, e, f, g);
298		T1 = X[2] = W[2];
299		ROUND_00_15(2, g, h, a, b, c, d, e, f);
300		T1 = X[3] = W[3];
301		ROUND_00_15(3, f, g, h, a, b, c, d, e);
302		T1 = X[4] = W[4];
303		ROUND_00_15(4, e, f, g, h, a, b, c, d);
304		T1 = X[5] = W[5];
305		ROUND_00_15(5, d, e, f, g, h, a, b, c);
306		T1 = X[6] = W[6];
307		ROUND_00_15(6, c, d, e, f, g, h, a, b);
308		T1 = X[7] = W[7];
309		ROUND_00_15(7, b, c, d, e, f, g, h, a);
310		T1 = X[8] = W[8];
311		ROUND_00_15(8, a, b, c, d, e, f, g, h);
312		T1 = X[9] = W[9];
313		ROUND_00_15(9, h, a, b, c, d, e, f, g);
314		T1 = X[10] = W[10];
315		ROUND_00_15(10, g, h, a, b, c, d, e, f);
316		T1 = X[11] = W[11];
317		ROUND_00_15(11, f, g, h, a, b, c, d, e);
318		T1 = X[12] = W[12];
319		ROUND_00_15(12, e, f, g, h, a, b, c, d);
320		T1 = X[13] = W[13];
321		ROUND_00_15(13, d, e, f, g, h, a, b, c);
322		T1 = X[14] = W[14];
323		ROUND_00_15(14, c, d, e, f, g, h, a, b);
324		T1 = X[15] = W[15];
325		ROUND_00_15(15, b, c, d, e, f, g, h, a);
326
327		data += SHA256_CBLOCK;
328		} else {
329		SHA_LONG l;
330
331		(void)HOST_c2l(data, l);
332		T1 = X[0] = l;
333		ROUND_00_15(0, a, b, c, d, e, f, g, h);
334		(void)HOST_c2l(data, l);
335		T1 = X[1] = l;
336		ROUND_00_15(1, h, a, b, c, d, e, f, g);
337		(void)HOST_c2l(data, l);
338		T1 = X[2] = l;
339		ROUND_00_15(2, g, h, a, b, c, d, e, f);
340		(void)HOST_c2l(data, l);
341		T1 = X[3] = l;
342		ROUND_00_15(3, f, g, h, a, b, c, d, e);
343		(void)HOST_c2l(data, l);
344		T1 = X[4] = l;
345		ROUND_00_15(4, e, f, g, h, a, b, c, d);
346		(void)HOST_c2l(data, l);
347		T1 = X[5] = l;
348		ROUND_00_15(5, d, e, f, g, h, a, b, c);
349		(void)HOST_c2l(data, l);
350		T1 = X[6] = l;
351		ROUND_00_15(6, c, d, e, f, g, h, a, b);
352		(void)HOST_c2l(data, l);
353		T1 = X[7] = l;
354		ROUND_00_15(7, b, c, d, e, f, g, h, a);
355		(void)HOST_c2l(data, l);
356		T1 = X[8] = l;
357		ROUND_00_15(8, a, b, c, d, e, f, g, h);
358		(void)HOST_c2l(data, l);
359		T1 = X[9] = l;
360		ROUND_00_15(9, h, a, b, c, d, e, f, g);
361		(void)HOST_c2l(data, l);
362		T1 = X[10] = l;
363		ROUND_00_15(10, g, h, a, b, c, d, e, f);
364		(void)HOST_c2l(data, l);
365		T1 = X[11] = l;
366		ROUND_00_15(11, f, g, h, a, b, c, d, e);
367		(void)HOST_c2l(data, l);
368		T1 = X[12] = l;
369		ROUND_00_15(12, e, f, g, h, a, b, c, d);
370		(void)HOST_c2l(data, l);
371		T1 = X[13] = l;
372		ROUND_00_15(13, d, e, f, g, h, a, b, c);
373		(void)HOST_c2l(data, l);
374		T1 = X[14] = l;
375		ROUND_00_15(14, c, d, e, f, g, h, a, b);
376		(void)HOST_c2l(data, l);
377		T1 = X[15] = l;
378		ROUND_00_15(15, b, c, d, e, f, g, h, a);
379		}
380
381		for (i = 16; i < 64; i += 8) {
382		ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
383		ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
384		ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
385		ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
386		ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
387		ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
388		ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
389		ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
390		}
391
392		ctx->h[0] += a;
393		ctx->h[1] += b;
394		ctx->h[2] += c;
395		ctx->h[3] += d;
396		ctx->h[4] += e;
397		ctx->h[5] += f;
398		ctx->h[6] += g;
399		ctx->h[7] += h;
400
401		}
402		}
403
404		# endif
405		#endif /* SHA256_ASM */