/src/openssl32/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA256_192_DIGEST_LENGTH: \
                for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++)   \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

# ifndef PEDANTIC
#  if defined(__GNUC__) && __GNUC__>=2 && \
      !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#   if defined(__riscv_zknh)
#    define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#   endif
#   if defined(__riscv_zbt) || defined(__riscv_zpn)
#    define Ch(x,y,z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret;             })
#    define Maj(x,y,z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret;           })
#   endif
#  endif
# endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# ifndef Sigma0
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# endif
# ifndef Sigma1
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# endif
# ifndef sigma0
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# endif
# ifndef sigma1
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
# endif
# ifndef Ch
#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# endif
# ifndef Maj
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
# endif

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	199k	{
29	199k	memset(c, 0, sizeof(*c));
30	199k	c->h[0] = 0xc1059ed8UL;
31	199k	c->h[1] = 0x367cd507UL;
32	199k	c->h[2] = 0x3070dd17UL;
33	199k	c->h[3] = 0xf70e5939UL;
34	199k	c->h[4] = 0xffc00b31UL;
35	199k	c->h[5] = 0x68581511UL;
36	199k	c->h[6] = 0x64f98fa7UL;
37	199k	c->h[7] = 0xbefa4fa4UL;
38	199k	c->md_len = SHA224_DIGEST_LENGTH;
39	199k	return 1;
40	199k	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	228M	{
44	228M	memset(c, 0, sizeof(*c));
45	228M	c->h[0] = 0x6a09e667UL;
46	228M	c->h[1] = 0xbb67ae85UL;
47	228M	c->h[2] = 0x3c6ef372UL;
48	228M	c->h[3] = 0xa54ff53aUL;
49	228M	c->h[4] = 0x510e527fUL;
50	228M	c->h[5] = 0x9b05688cUL;
51	228M	c->h[6] = 0x1f83d9abUL;
52	228M	c->h[7] = 0x5be0cd19UL;
53	228M	c->md_len = SHA256_DIGEST_LENGTH;
54	228M	return 1;
55	228M	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	0	{
59	0	SHA256_Init(c);
60	0	c->md_len = SHA256_192_DIGEST_LENGTH;
61	0	return 1;
62	0	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	198k	{
66	198k	return SHA256_Update(c, data, len);
67	198k	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	198k	{
71	198k	return SHA256_Final(md, c);
72	198k	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	913M	#define HASH_LONG SHA_LONG
77		#define HASH_CTX SHA256_CTX
78	3.42G	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88	228M	#define HASH_MAKE_STRING(c,s) do { \
89	228M	unsigned long ll; \
90	228M	unsigned int nn; \
91	228M	switch ((c)->md_len) \
92	228M	{ case SHA256_192_DIGEST_LENGTH: \
93	0	for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) \
94	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
95	0	break; \
96	95.5k	case SHA224_DIGEST_LENGTH: \
97	764k	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
98	669k	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
99	95.5k	break; \
100	228M	case SHA256_DIGEST_LENGTH: \
101	2.05G	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
102	1.82G	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
103	228M	break; \
104	0	default: \
105	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
106	0	return 0; \
107	0	for (nn=0;nn<(c)->md_len/4;nn++) \
108	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
109	0	break; \
110	228M	} \
111	228M	} while (0)
112
113		#define HASH_UPDATE SHA256_Update
114		#define HASH_TRANSFORM SHA256_Transform
115		#define HASH_FINAL SHA256_Final
116	457M	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
117		#ifndef SHA256_ASM
118		static
119		#endif
120		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
121
122		#include "crypto/md32_common.h"
123
124		#ifndef SHA256_ASM
125		static const SHA_LONG K256[64] = {
126		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
127		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
128		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
129		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
130		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
131		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
132		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
133		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
134		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
135		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
136		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
137		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
138		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
139		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
140		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
141		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
142		};
143
144		# ifndef PEDANTIC
145		# if defined(__GNUC__) && __GNUC__>=2 && \
146		!defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
147		# if defined(__riscv_zknh)
148		# define Sigma0(x) ({ MD32_REG_T ret; \
149		asm ("sha256sum0 %0, %1" \
150		: "=r"(ret) \
151		: "r"(x)); ret; })
152		# define Sigma1(x) ({ MD32_REG_T ret; \
153		asm ("sha256sum1 %0, %1" \
154		: "=r"(ret) \
155		: "r"(x)); ret; })
156		# define sigma0(x) ({ MD32_REG_T ret; \
157		asm ("sha256sig0 %0, %1" \
158		: "=r"(ret) \
159		: "r"(x)); ret; })
160		# define sigma1(x) ({ MD32_REG_T ret; \
161		asm ("sha256sig1 %0, %1" \
162		: "=r"(ret) \
163		: "r"(x)); ret; })
164		# endif
165		# if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
166		# define Ch(x,y,z) ({ MD32_REG_T ret; \
167		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
168		: "=r"(ret) \
169		: "r"(x), "r"(y), "r"(z)); ret; })
170		# define Maj(x,y,z) ({ MD32_REG_T ret; \
171		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
172		: "=r"(ret) \
173		: "r"(x^z), "r"(y), "r"(x)); ret; })
174		# endif
175		# endif
176		# endif
177
178		/*
179		* FIPS specification refers to right rotations, while our ROTATE macro
180		* is left one. This is why you might notice that rotation coefficients
181		* differ from those observed in FIPS document by 32-N...
182		*/
183		# ifndef Sigma0
184		# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
185		# endif
186		# ifndef Sigma1
187		# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
188		# endif
189		# ifndef sigma0
190		# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
191		# endif
192		# ifndef sigma1
193		# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
194		# endif
195		# ifndef Ch
196		# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
197		# endif
198		# ifndef Maj
199		# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
200		# endif
201
202		# ifdef OPENSSL_SMALL_FOOTPRINT
203
204		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
205		size_t num)
206		{
207		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
208		SHA_LONG X[16], l;
209		int i;
210		const unsigned char *data = in;
211
212		while (num--) {
213
214		a = ctx->h[0];
215		b = ctx->h[1];
216		c = ctx->h[2];
217		d = ctx->h[3];
218		e = ctx->h[4];
219		f = ctx->h[5];
220		g = ctx->h[6];
221		h = ctx->h[7];
222
223		for (i = 0; i < 16; i++) {
224		(void)HOST_c2l(data, l);
225		T1 = X[i] = l;
226		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
227		T2 = Sigma0(a) + Maj(a, b, c);
228		h = g;
229		g = f;
230		f = e;
231		e = d + T1;
232		d = c;
233		c = b;
234		b = a;
235		a = T1 + T2;
236		}
237
238		for (; i < 64; i++) {
239		s0 = X[(i + 1) & 0x0f];
240		s0 = sigma0(s0);
241		s1 = X[(i + 14) & 0x0f];
242		s1 = sigma1(s1);
243
244		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
245		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
246		T2 = Sigma0(a) + Maj(a, b, c);
247		h = g;
248		g = f;
249		f = e;
250		e = d + T1;
251		d = c;
252		c = b;
253		b = a;
254		a = T1 + T2;
255		}
256
257		ctx->h[0] += a;
258		ctx->h[1] += b;
259		ctx->h[2] += c;
260		ctx->h[3] += d;
261		ctx->h[4] += e;
262		ctx->h[5] += f;
263		ctx->h[6] += g;
264		ctx->h[7] += h;
265
266		}
267		}
268
269		# else
270
271		# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
272		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
273		h = Sigma0(a) + Maj(a,b,c); \
274		d += T1; h += T1; } while (0)
275
276		# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
277		s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
278		s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
279		T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
280		ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
281
282		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
283		size_t num)
284		{
285		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
286		SHA_LONG X[16];
287		int i;
288		const unsigned char *data = in;
289		DECLARE_IS_ENDIAN;
290
291		while (num--) {
292
293		a = ctx->h[0];
294		b = ctx->h[1];
295		c = ctx->h[2];
296		d = ctx->h[3];
297		e = ctx->h[4];
298		f = ctx->h[5];
299		g = ctx->h[6];
300		h = ctx->h[7];
301
302		if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
303		&& ((size_t)in % 4) == 0) {
304		const SHA_LONG W = (const SHA_LONG )data;
305
306		T1 = X[0] = W[0];
307		ROUND_00_15(0, a, b, c, d, e, f, g, h);
308		T1 = X[1] = W[1];
309		ROUND_00_15(1, h, a, b, c, d, e, f, g);
310		T1 = X[2] = W[2];
311		ROUND_00_15(2, g, h, a, b, c, d, e, f);
312		T1 = X[3] = W[3];
313		ROUND_00_15(3, f, g, h, a, b, c, d, e);
314		T1 = X[4] = W[4];
315		ROUND_00_15(4, e, f, g, h, a, b, c, d);
316		T1 = X[5] = W[5];
317		ROUND_00_15(5, d, e, f, g, h, a, b, c);
318		T1 = X[6] = W[6];
319		ROUND_00_15(6, c, d, e, f, g, h, a, b);
320		T1 = X[7] = W[7];
321		ROUND_00_15(7, b, c, d, e, f, g, h, a);
322		T1 = X[8] = W[8];
323		ROUND_00_15(8, a, b, c, d, e, f, g, h);
324		T1 = X[9] = W[9];
325		ROUND_00_15(9, h, a, b, c, d, e, f, g);
326		T1 = X[10] = W[10];
327		ROUND_00_15(10, g, h, a, b, c, d, e, f);
328		T1 = X[11] = W[11];
329		ROUND_00_15(11, f, g, h, a, b, c, d, e);
330		T1 = X[12] = W[12];
331		ROUND_00_15(12, e, f, g, h, a, b, c, d);
332		T1 = X[13] = W[13];
333		ROUND_00_15(13, d, e, f, g, h, a, b, c);
334		T1 = X[14] = W[14];
335		ROUND_00_15(14, c, d, e, f, g, h, a, b);
336		T1 = X[15] = W[15];
337		ROUND_00_15(15, b, c, d, e, f, g, h, a);
338
339		data += SHA256_CBLOCK;
340		} else {
341		SHA_LONG l;
342
343		(void)HOST_c2l(data, l);
344		T1 = X[0] = l;
345		ROUND_00_15(0, a, b, c, d, e, f, g, h);
346		(void)HOST_c2l(data, l);
347		T1 = X[1] = l;
348		ROUND_00_15(1, h, a, b, c, d, e, f, g);
349		(void)HOST_c2l(data, l);
350		T1 = X[2] = l;
351		ROUND_00_15(2, g, h, a, b, c, d, e, f);
352		(void)HOST_c2l(data, l);
353		T1 = X[3] = l;
354		ROUND_00_15(3, f, g, h, a, b, c, d, e);
355		(void)HOST_c2l(data, l);
356		T1 = X[4] = l;
357		ROUND_00_15(4, e, f, g, h, a, b, c, d);
358		(void)HOST_c2l(data, l);
359		T1 = X[5] = l;
360		ROUND_00_15(5, d, e, f, g, h, a, b, c);
361		(void)HOST_c2l(data, l);
362		T1 = X[6] = l;
363		ROUND_00_15(6, c, d, e, f, g, h, a, b);
364		(void)HOST_c2l(data, l);
365		T1 = X[7] = l;
366		ROUND_00_15(7, b, c, d, e, f, g, h, a);
367		(void)HOST_c2l(data, l);
368		T1 = X[8] = l;
369		ROUND_00_15(8, a, b, c, d, e, f, g, h);
370		(void)HOST_c2l(data, l);
371		T1 = X[9] = l;
372		ROUND_00_15(9, h, a, b, c, d, e, f, g);
373		(void)HOST_c2l(data, l);
374		T1 = X[10] = l;
375		ROUND_00_15(10, g, h, a, b, c, d, e, f);
376		(void)HOST_c2l(data, l);
377		T1 = X[11] = l;
378		ROUND_00_15(11, f, g, h, a, b, c, d, e);
379		(void)HOST_c2l(data, l);
380		T1 = X[12] = l;
381		ROUND_00_15(12, e, f, g, h, a, b, c, d);
382		(void)HOST_c2l(data, l);
383		T1 = X[13] = l;
384		ROUND_00_15(13, d, e, f, g, h, a, b, c);
385		(void)HOST_c2l(data, l);
386		T1 = X[14] = l;
387		ROUND_00_15(14, c, d, e, f, g, h, a, b);
388		(void)HOST_c2l(data, l);
389		T1 = X[15] = l;
390		ROUND_00_15(15, b, c, d, e, f, g, h, a);
391		}
392
393		for (i = 16; i < 64; i += 8) {
394		ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
395		ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
396		ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
397		ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
398		ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
399		ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
400		ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
401		ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
402		}
403
404		ctx->h[0] += a;
405		ctx->h[1] += b;
406		ctx->h[2] += c;
407		ctx->h[3] += d;
408		ctx->h[4] += e;
409		ctx->h[5] += f;
410		ctx->h[6] += g;
411		ctx->h[7] += h;
412
413		}
414		}
415
416		# endif
417		#endif /* SHA256_ASM */