/src/openssl33/crypto/sha/sha256.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * SHA256 low level APIs are deprecated for public use, but still ok for
 * internal use.
 */
#include "internal/deprecated.h"

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include "internal/endian.h"
#include "crypto/sha.h"

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

int ossl_sha256_192_init(SHA256_CTX *c)
{
    SHA256_Init(c);
    c->md_len = SHA256_192_DIGEST_LENGTH;
    return 1;
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA256_192_DIGEST_LENGTH: \
                for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++)   \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#else
# ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num);
# endif /* INCLUDE_C_SHA256 */
#endif /* SHA256_ASM */
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "crypto/md32_common.h"

#if !defined(SHA256_ASM) || defined(INCLUDE_C_SHA256)
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

# ifndef PEDANTIC
#  if defined(__GNUC__) && __GNUC__>=2 && \
      !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
#   if defined(__riscv_zknh)
#    define Sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define Sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sum1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma0(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig0 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#    define sigma1(x) ({ MD32_REG_T ret;            \
                        asm ("sha256sig1 %0, %1"    \
                        : "=r"(ret)                 \
                        : "r"(x)); ret;             })
#   endif
#   if defined(__riscv_zbt) || defined(__riscv_zpn)
#    define Ch(x,y,z) ({  MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x), "r"(y), "r"(z)); ret;             })
#    define Maj(x,y,z) ({ MD32_REG_T ret;                           \
                        asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
                        : "=r"(ret)                                 \
                        : "r"(x^z), "r"(y), "r"(x)); ret;           })
#   endif
#  endif
# endif

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# ifndef Sigma0
#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# endif
# ifndef Sigma1
#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# endif
# ifndef sigma0
#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# endif
# ifndef sigma1
#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
# endif
# ifndef Ch
#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# endif
# ifndef Maj
#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
# endif

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

#ifdef INCLUDE_C_SHA256
void sha256_block_data_order_c(SHA256_CTX *ctx, const void *in, size_t num)
#else
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
#endif
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */

Coverage Report

Created: 2025-08-28 07:07

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* SHA256 low level APIs are deprecated for public use, but still ok for
12		* internal use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/opensslconf.h>
17
18		#include <stdlib.h>
19		#include <string.h>
20
21		#include <openssl/crypto.h>
22		#include <openssl/sha.h>
23		#include <openssl/opensslv.h>
24		#include "internal/endian.h"
25		#include "crypto/sha.h"
26
27		int SHA224_Init(SHA256_CTX *c)
28	231k	{
29	231k	memset(c, 0, sizeof(*c));
30	231k	c->h[0] = 0xc1059ed8UL;
31	231k	c->h[1] = 0x367cd507UL;
32	231k	c->h[2] = 0x3070dd17UL;
33	231k	c->h[3] = 0xf70e5939UL;
34	231k	c->h[4] = 0xffc00b31UL;
35	231k	c->h[5] = 0x68581511UL;
36	231k	c->h[6] = 0x64f98fa7UL;
37	231k	c->h[7] = 0xbefa4fa4UL;
38	231k	c->md_len = SHA224_DIGEST_LENGTH;
39	231k	return 1;
40	231k	}
41
42		int SHA256_Init(SHA256_CTX *c)
43	518M	{
44	518M	memset(c, 0, sizeof(*c));
45	518M	c->h[0] = 0x6a09e667UL;
46	518M	c->h[1] = 0xbb67ae85UL;
47	518M	c->h[2] = 0x3c6ef372UL;
48	518M	c->h[3] = 0xa54ff53aUL;
49	518M	c->h[4] = 0x510e527fUL;
50	518M	c->h[5] = 0x9b05688cUL;
51	518M	c->h[6] = 0x1f83d9abUL;
52	518M	c->h[7] = 0x5be0cd19UL;
53	518M	c->md_len = SHA256_DIGEST_LENGTH;
54	518M	return 1;
55	518M	}
56
57		int ossl_sha256_192_init(SHA256_CTX *c)
58	0	{
59	0	SHA256_Init(c);
60	0	c->md_len = SHA256_192_DIGEST_LENGTH;
61	0	return 1;
62	0	}
63
64		int SHA224_Update(SHA256_CTX c, const void data, size_t len)
65	230k	{
66	230k	return SHA256_Update(c, data, len);
67	230k	}
68
69		int SHA224_Final(unsigned char md, SHA256_CTX c)
70	229k	{
71	229k	return SHA256_Final(md, c);
72	229k	}
73
74		#define DATA_ORDER_IS_BIG_ENDIAN
75
76	1.14G	#define HASH_LONG SHA_LONG
77		#define HASH_CTX SHA256_CTX
78	5.44G	#define HASH_CBLOCK SHA_CBLOCK
79
80		/*
81		* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
82		* default: case below covers for it. It's not clear however if it's
83		* permitted to truncate to amount of bytes not divisible by 4. I bet not,
84		* but if it is, then default: case shall be extended. For reference.
85		* Idea behind separate cases for pre-defined lengths is to let the
86		* compiler decide if it's appropriate to unroll small loops.
87		*/
88	518M	#define HASH_MAKE_STRING(c,s) do { \
89	518M	unsigned long ll; \
90	518M	unsigned int nn; \
91	518M	switch ((c)->md_len) \
92	518M	{ case SHA256_192_DIGEST_LENGTH: \
93	0	for (nn=0;nn<SHA256_192_DIGEST_LENGTH/4;nn++) \
94	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
95	0	break; \
96	209k	case SHA224_DIGEST_LENGTH: \
97	1.67M	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
98	1.46M	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
99	209k	break; \
100	518M	case SHA256_DIGEST_LENGTH: \
101	4.66G	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
102	4.14G	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
103	518M	break; \
104	0	default: \
105	0	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
106	0	return 0; \
107	0	for (nn=0;nn<(c)->md_len/4;nn++) \
108	0	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
109	0	break; \
110	518M	} \
111	518M	} while (0)
112
113		#define HASH_UPDATE SHA256_Update
114		#define HASH_TRANSFORM SHA256_Transform
115		#define HASH_FINAL SHA256_Final
116	804M	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
117		#ifndef SHA256_ASM
118		static
119		#else
120		# ifdef INCLUDE_C_SHA256
121		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num);
122		# endif /* INCLUDE_C_SHA256 */
123		#endif /* SHA256_ASM */
124		void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
125
126		#include "crypto/md32_common.h"
127
128		#if !defined(SHA256_ASM) \|\| defined(INCLUDE_C_SHA256)
129		static const SHA_LONG K256[64] = {
130		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
131		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
132		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
133		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
134		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
135		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
136		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
137		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
138		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
139		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
140		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
141		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
142		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
143		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
144		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
145		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
146		};
147
148		# ifndef PEDANTIC
149		# if defined(__GNUC__) && __GNUC__>=2 && \
150		!defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
151		# if defined(__riscv_zknh)
152		# define Sigma0(x) ({ MD32_REG_T ret; \
153		asm ("sha256sum0 %0, %1" \
154		: "=r"(ret) \
155		: "r"(x)); ret; })
156		# define Sigma1(x) ({ MD32_REG_T ret; \
157		asm ("sha256sum1 %0, %1" \
158		: "=r"(ret) \
159		: "r"(x)); ret; })
160		# define sigma0(x) ({ MD32_REG_T ret; \
161		asm ("sha256sig0 %0, %1" \
162		: "=r"(ret) \
163		: "r"(x)); ret; })
164		# define sigma1(x) ({ MD32_REG_T ret; \
165		asm ("sha256sig1 %0, %1" \
166		: "=r"(ret) \
167		: "r"(x)); ret; })
168		# endif
169		# if defined(__riscv_zbt) \|\| defined(__riscv_zpn)
170		# define Ch(x,y,z) ({ MD32_REG_T ret; \
171		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
172		: "=r"(ret) \
173		: "r"(x), "r"(y), "r"(z)); ret; })
174		# define Maj(x,y,z) ({ MD32_REG_T ret; \
175		asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\
176		: "=r"(ret) \
177		: "r"(x^z), "r"(y), "r"(x)); ret; })
178		# endif
179		# endif
180		# endif
181
182		/*
183		* FIPS specification refers to right rotations, while our ROTATE macro
184		* is left one. This is why you might notice that rotation coefficients
185		* differ from those observed in FIPS document by 32-N...
186		*/
187		# ifndef Sigma0
188		# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
189		# endif
190		# ifndef Sigma1
191		# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
192		# endif
193		# ifndef sigma0
194		# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
195		# endif
196		# ifndef sigma1
197		# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
198		# endif
199		# ifndef Ch
200		# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
201		# endif
202		# ifndef Maj
203		# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
204		# endif
205
206		# ifdef OPENSSL_SMALL_FOOTPRINT
207
208		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
209		size_t num)
210		{
211		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
212		SHA_LONG X[16], l;
213		int i;
214		const unsigned char *data = in;
215
216		while (num--) {
217
218		a = ctx->h[0];
219		b = ctx->h[1];
220		c = ctx->h[2];
221		d = ctx->h[3];
222		e = ctx->h[4];
223		f = ctx->h[5];
224		g = ctx->h[6];
225		h = ctx->h[7];
226
227		for (i = 0; i < 16; i++) {
228		(void)HOST_c2l(data, l);
229		T1 = X[i] = l;
230		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
231		T2 = Sigma0(a) + Maj(a, b, c);
232		h = g;
233		g = f;
234		f = e;
235		e = d + T1;
236		d = c;
237		c = b;
238		b = a;
239		a = T1 + T2;
240		}
241
242		for (; i < 64; i++) {
243		s0 = X[(i + 1) & 0x0f];
244		s0 = sigma0(s0);
245		s1 = X[(i + 14) & 0x0f];
246		s1 = sigma1(s1);
247
248		T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
249		T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
250		T2 = Sigma0(a) + Maj(a, b, c);
251		h = g;
252		g = f;
253		f = e;
254		e = d + T1;
255		d = c;
256		c = b;
257		b = a;
258		a = T1 + T2;
259		}
260
261		ctx->h[0] += a;
262		ctx->h[1] += b;
263		ctx->h[2] += c;
264		ctx->h[3] += d;
265		ctx->h[4] += e;
266		ctx->h[5] += f;
267		ctx->h[6] += g;
268		ctx->h[7] += h;
269
270		}
271		}
272
273		# else
274
275		# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
276		T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
277		h = Sigma0(a) + Maj(a,b,c); \
278		d += T1; h += T1; } while (0)
279
280		# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
281		s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
282		s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
283		T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
284		ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
285
286		#ifdef INCLUDE_C_SHA256
287		void sha256_block_data_order_c(SHA256_CTX ctx, const void in, size_t num)
288		#else
289		static void sha256_block_data_order(SHA256_CTX ctx, const void in,
290		size_t num)
291		#endif
292		{
293		unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
294		SHA_LONG X[16];
295		int i;
296		const unsigned char *data = in;
297		DECLARE_IS_ENDIAN;
298
299		while (num--) {
300
301		a = ctx->h[0];
302		b = ctx->h[1];
303		c = ctx->h[2];
304		d = ctx->h[3];
305		e = ctx->h[4];
306		f = ctx->h[5];
307		g = ctx->h[6];
308		h = ctx->h[7];
309
310		if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
311		&& ((size_t)in % 4) == 0) {
312		const SHA_LONG W = (const SHA_LONG )data;
313
314		T1 = X[0] = W[0];
315		ROUND_00_15(0, a, b, c, d, e, f, g, h);
316		T1 = X[1] = W[1];
317		ROUND_00_15(1, h, a, b, c, d, e, f, g);
318		T1 = X[2] = W[2];
319		ROUND_00_15(2, g, h, a, b, c, d, e, f);
320		T1 = X[3] = W[3];
321		ROUND_00_15(3, f, g, h, a, b, c, d, e);
322		T1 = X[4] = W[4];
323		ROUND_00_15(4, e, f, g, h, a, b, c, d);
324		T1 = X[5] = W[5];
325		ROUND_00_15(5, d, e, f, g, h, a, b, c);
326		T1 = X[6] = W[6];
327		ROUND_00_15(6, c, d, e, f, g, h, a, b);
328		T1 = X[7] = W[7];
329		ROUND_00_15(7, b, c, d, e, f, g, h, a);
330		T1 = X[8] = W[8];
331		ROUND_00_15(8, a, b, c, d, e, f, g, h);
332		T1 = X[9] = W[9];
333		ROUND_00_15(9, h, a, b, c, d, e, f, g);
334		T1 = X[10] = W[10];
335		ROUND_00_15(10, g, h, a, b, c, d, e, f);
336		T1 = X[11] = W[11];
337		ROUND_00_15(11, f, g, h, a, b, c, d, e);
338		T1 = X[12] = W[12];
339		ROUND_00_15(12, e, f, g, h, a, b, c, d);
340		T1 = X[13] = W[13];
341		ROUND_00_15(13, d, e, f, g, h, a, b, c);
342		T1 = X[14] = W[14];
343		ROUND_00_15(14, c, d, e, f, g, h, a, b);
344		T1 = X[15] = W[15];
345		ROUND_00_15(15, b, c, d, e, f, g, h, a);
346
347		data += SHA256_CBLOCK;
348		} else {
349		SHA_LONG l;
350
351		(void)HOST_c2l(data, l);
352		T1 = X[0] = l;
353		ROUND_00_15(0, a, b, c, d, e, f, g, h);
354		(void)HOST_c2l(data, l);
355		T1 = X[1] = l;
356		ROUND_00_15(1, h, a, b, c, d, e, f, g);
357		(void)HOST_c2l(data, l);
358		T1 = X[2] = l;
359		ROUND_00_15(2, g, h, a, b, c, d, e, f);
360		(void)HOST_c2l(data, l);
361		T1 = X[3] = l;
362		ROUND_00_15(3, f, g, h, a, b, c, d, e);
363		(void)HOST_c2l(data, l);
364		T1 = X[4] = l;
365		ROUND_00_15(4, e, f, g, h, a, b, c, d);
366		(void)HOST_c2l(data, l);
367		T1 = X[5] = l;
368		ROUND_00_15(5, d, e, f, g, h, a, b, c);
369		(void)HOST_c2l(data, l);
370		T1 = X[6] = l;
371		ROUND_00_15(6, c, d, e, f, g, h, a, b);
372		(void)HOST_c2l(data, l);
373		T1 = X[7] = l;
374		ROUND_00_15(7, b, c, d, e, f, g, h, a);
375		(void)HOST_c2l(data, l);
376		T1 = X[8] = l;
377		ROUND_00_15(8, a, b, c, d, e, f, g, h);
378		(void)HOST_c2l(data, l);
379		T1 = X[9] = l;
380		ROUND_00_15(9, h, a, b, c, d, e, f, g);
381		(void)HOST_c2l(data, l);
382		T1 = X[10] = l;
383		ROUND_00_15(10, g, h, a, b, c, d, e, f);
384		(void)HOST_c2l(data, l);
385		T1 = X[11] = l;
386		ROUND_00_15(11, f, g, h, a, b, c, d, e);
387		(void)HOST_c2l(data, l);
388		T1 = X[12] = l;
389		ROUND_00_15(12, e, f, g, h, a, b, c, d);
390		(void)HOST_c2l(data, l);
391		T1 = X[13] = l;
392		ROUND_00_15(13, d, e, f, g, h, a, b, c);
393		(void)HOST_c2l(data, l);
394		T1 = X[14] = l;
395		ROUND_00_15(14, c, d, e, f, g, h, a, b);
396		(void)HOST_c2l(data, l);
397		T1 = X[15] = l;
398		ROUND_00_15(15, b, c, d, e, f, g, h, a);
399		}
400
401		for (i = 16; i < 64; i += 8) {
402		ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
403		ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
404		ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
405		ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
406		ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
407		ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
408		ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
409		ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
410		}
411
412		ctx->h[0] += a;
413		ctx->h[1] += b;
414		ctx->h[2] += c;
415		ctx->h[3] += d;
416		ctx->h[4] += e;
417		ctx->h[5] += f;
418		ctx->h[6] += g;
419		ctx->h[7] += h;
420
421		}
422		}
423
424		# endif
425		#endif /* SHA256_ASM */