/* sha256.c

 *

 * Copyright (C) 2006-2023 wolfSSL Inc.

 *

 * This file is part of wolfSSL.

 *

 * wolfSSL is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 2 of the License, or

 * (at your option) any later version.

 *

 * wolfSSL is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA

 */

/* For more info on the algorithm, see https://tools.ietf.org/html/rfc6234

 *

 * For more information on NIST FIPS PUB 180-4, see

 * https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

 */

/*

DESCRIPTION

This library provides the interface to SHA-256 secure hash algorithms.

SHA-256 performs processing on message blocks to produce a final hash digest

output. It can be used to hash a message, M, having a length of L bits,

where 0 <= L < 2^64.

Note that in some cases, hardware acceleration may be enabled, depending

on the specific device platform.

*/

#ifdef HAVE_CONFIG_H

    #include <config.h>

#endif

#include <wolfssl/wolfcrypt/settings.h>

#include <wolfssl/wolfcrypt/types.h>

/*

 * SHA256 Build Options:

 * USE_SLOW_SHA256:            Reduces code size by not partially unrolling

                                (~2KB smaller and ~25% slower) (default OFF)

 * WOLFSSL_SHA256_BY_SPEC:     Uses the Ch/Maj based on SHA256 specification

                                (default ON)

 * WOLFSSL_SHA256_ALT_CH_MAJ:  Alternate Ch/Maj that is easier for compilers to

                                optimize and recognize as SHA256 (default OFF)

 * SHA256_MANY_REGISTERS:      A SHA256 version that keeps all data in registers

                                and partial unrolled (default OFF)

 */

/* Default SHA256 to use Ch/Maj based on specification */

#if !defined(WOLFSSL_SHA256_BY_SPEC) && !defined(WOLFSSL_SHA256_ALT_CH_MAJ)

    #define WOLFSSL_SHA256_BY_SPEC

#endif

#if !defined(NO_SHA256) && !defined(WOLFSSL_ARMASM)

#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)

    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */

    #define FIPS_NO_WRAPPERS

    #ifdef USE_WINDOWS_API

        #pragma code_seg(".fipsA$d")

        #pragma const_seg(".fipsB$d")

    #endif

#endif

#include <wolfssl/wolfcrypt/sha256.h>

#include <wolfssl/wolfcrypt/error-crypt.h>

#include <wolfssl/wolfcrypt/cpuid.h>

#include <wolfssl/wolfcrypt/hash.h>

#ifdef WOLF_CRYPTO_CB

    #include <wolfssl/wolfcrypt/cryptocb.h>

#endif

#ifdef WOLFSSL_IMXRT1170_CAAM

    #include <wolfssl/wolfcrypt/port/caam/wolfcaam_fsl_nxp.h>

#endif

/* determine if we are using Espressif SHA hardware acceleration */

#undef WOLFSSL_USE_ESP32WROOM32_CRYPT_HASH_HW

#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \

    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)

    /* define a single keyword for simplicity & readability

     *

     * by default the HW acceleration is on for ESP32-WROOM32

     * but individual components can be turned off.

     */

    #define WOLFSSL_USE_ESP32WROOM32_CRYPT_HASH_HW

#else

    #undef WOLFSSL_USE_ESP32WROOM32_CRYPT_HASH_HW

#endif

#ifdef WOLFSSL_ESPIDF

    /* Define the ESP_LOGx(TAG, "" value for output messages here.

    **

    ** Beware of possible conflict in test.c (that one now named TEST_TAG)

    */

    static const char* TAG = "wc_sha256";

#endif

/* fips wrapper calls, user can call direct */

#if defined(HAVE_FIPS) && \

    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))

    int wc_InitSha256(wc_Sha256* sha)

    {

        if (sha == NULL) {

            return BAD_FUNC_ARG;

        }

        return InitSha256_fips(sha);

    }

    int wc_InitSha256_ex(wc_Sha256* sha, void* heap, int devId)

    {

        (void)heap;

        (void)devId;

        if (sha == NULL) {

            return BAD_FUNC_ARG;

        }

        return InitSha256_fips(sha);

    }

    int wc_Sha256Update(wc_Sha256* sha, const byte* data, word32 len)

    {

        if (sha == NULL ||  (data == NULL && len > 0)) {

            return BAD_FUNC_ARG;

        }

        if (data == NULL && len == 0) {

            /* valid, but do nothing */

            return 0;

        }

        return Sha256Update_fips(sha, data, len);

    }

    int wc_Sha256Final(wc_Sha256* sha, byte* out)

    {

        if (sha == NULL || out == NULL) {

            return BAD_FUNC_ARG;

        }

        return Sha256Final_fips(sha, out);

    }

    void wc_Sha256Free(wc_Sha256* sha)

    {

        (void)sha;

        /* Not supported in FIPS */

    }

#else /* else build without fips, or for FIPS v2 */

#if defined(WOLFSSL_TI_HASH)

    /* #include <wolfcrypt/src/port/ti/ti-hash.c> included by wc_port.c */

#elif defined(WOLFSSL_CRYPTOCELL)

    /* wc_port.c includes wolfcrypt/src/port/arm/cryptoCellHash.c */

#elif defined(WOLFSSL_PSOC6_CRYPTO)

#else

#include <wolfssl/wolfcrypt/logging.h>

#ifdef NO_INLINE

    #include <wolfssl/wolfcrypt/misc.h>

#else

    #define WOLFSSL_MISC_INCLUDED

    #include <wolfcrypt/src/misc.c>

#endif

#ifdef WOLFSSL_DEVCRYPTO_HASH

    #include <wolfssl/wolfcrypt/port/devcrypto/wc_devcrypto.h>

#endif

#if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)

    #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>

#endif

#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP)

    #if defined(__GNUC__) && ((__GNUC__ < 4) || \

                              (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))

        #undef  NO_AVX2_SUPPORT

        #define NO_AVX2_SUPPORT

    #endif

    #if defined(__clang__) && ((__clang_major__ < 3) || \

                               (__clang_major__ == 3 && __clang_minor__ <= 5))

        #define NO_AVX2_SUPPORT

    #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)

        #undef NO_AVX2_SUPPORT

    #endif

    #define HAVE_INTEL_AVX1

    #ifndef NO_AVX2_SUPPORT

        #define HAVE_INTEL_AVX2

    #endif

#else

    #undef HAVE_INTEL_AVX1

    #undef HAVE_INTEL_AVX2

#endif /* WOLFSSL_X86_64_BUILD && USE_INTEL_SPEEDUP */

#if defined(HAVE_INTEL_AVX2)

    #define HAVE_INTEL_RORX

#endif

#if !defined(WOLFSSL_PIC32MZ_HASH) && !defined(STM32_HASH_SHA2) && \

    (!defined(WOLFSSL_IMX6_CAAM) || defined(NO_IMX6_CAAM_HASH) || \

     defined(WOLFSSL_QNX_CAAM)) && \

    !defined(WOLFSSL_AFALG_HASH) && !defined(WOLFSSL_DEVCRYPTO_HASH) && \

    (!defined(WOLFSSL_ESP32WROOM32_CRYPT) || defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)) && \

    (!defined(WOLFSSL_RENESAS_TSIP_CRYPT) || defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)) && \

    !defined(WOLFSSL_PSOC6_CRYPTO) && !defined(WOLFSSL_IMXRT_DCP) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \

    !defined(WOLFSSL_KCAPI_HASH) && !defined(WOLFSSL_SE050_HASH) && \

    ((!defined(WOLFSSL_RENESAS_SCEPROTECT) && \

        !defined(WOLFSSL_RENESAS_SCEPROTECT_CRYPTONLY)) \

      || defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH)) && \

    (!defined(WOLFSSL_HAVE_PSA) || defined(WOLFSSL_PSA_NO_HASH)) && \

    !defined(WOLFSSL_RENESAS_RX64_HASH)

static int InitSha256(wc_Sha256* sha256)

{

    int ret = 0;

    if (sha256 == NULL)

        return BAD_FUNC_ARG;

    XMEMSET(sha256->digest, 0, sizeof(sha256->digest));

    sha256->digest[0] = 0x6A09E667L;

    sha256->digest[1] = 0xBB67AE85L;

    sha256->digest[2] = 0x3C6EF372L;

    sha256->digest[3] = 0xA54FF53AL;

    sha256->digest[4] = 0x510E527FL;

    sha256->digest[5] = 0x9B05688CL;

    sha256->digest[6] = 0x1F83D9ABL;

    sha256->digest[7] = 0x5BE0CD19L;

    sha256->buffLen = 0;

    sha256->loLen   = 0;

    sha256->hiLen   = 0;

#ifdef WOLFSSL_HASH_FLAGS

    sha256->flags = 0;

#endif

#ifdef WOLFSSL_HASH_KEEP

    sha256->msg  = NULL;

    sha256->len  = 0;

    sha256->used = 0;

#endif

#ifdef WOLF_CRYPTO_CB

    sha256->devId = wc_CryptoCb_DefaultDevID();

#endif

#ifdef WOLFSSL_MAXQ10XX_CRYPTO

    XMEMSET(&sha256->maxq_ctx, 0, sizeof(sha256->maxq_ctx));

#endif

    return ret;

}

#endif

/* Hardware Acceleration */

#if defined(WOLFSSL_X86_64_BUILD) && defined(USE_INTEL_SPEEDUP) && \

                          (defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2))

    /* in case intel instructions aren't available, plus we need the K[] global */

    #define NEED_SOFT_SHA256

    /*****

    Intel AVX1/AVX2 Macro Control Structure

    #define HAVE_INTEL_AVX1

    #define HAVE_INTEL_AVX2

    #define HAVE_INTEL_RORX

    int InitSha256(wc_Sha256* sha256) {

         Save/Recover XMM, YMM

         ...

    }

    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)

      Transform_Sha256(); Function prototype

    #else

      Transform_Sha256() {   }

      int Sha256Final() {

         Save/Recover XMM, YMM

         ...

      }

    #endif

    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)

        #if defined(HAVE_INTEL_RORX

             #define RND with rorx instruction

        #else

            #define RND

        #endif

    #endif

    #if defined(HAVE_INTEL_AVX1)

       #define XMM Instructions/inline asm

       int Transform_Sha256() {

           Stitched Message Sched/Round

        }

    #elif defined(HAVE_INTEL_AVX2)

      #define YMM Instructions/inline asm

      int Transform_Sha256() {

          More granular Stitched Message Sched/Round

      }

    #endif

    */

    /* Each platform needs to query info type 1 from cpuid to see if aesni is

     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts

     */

    /* #if defined(HAVE_INTEL_AVX1/2) at the tail of sha256 */

    static int Transform_Sha256(wc_Sha256* sha256, const byte* data);

#ifdef __cplusplus

    extern "C" {

#endif

    #if defined(HAVE_INTEL_AVX1)

        extern int Transform_Sha256_AVX1(wc_Sha256 *sha256, const byte* data);

        extern int Transform_Sha256_AVX1_Len(wc_Sha256* sha256,

                                             const byte* data, word32 len);

    #endif

    #if defined(HAVE_INTEL_AVX2)

        extern int Transform_Sha256_AVX2(wc_Sha256 *sha256, const byte* data);

        extern int Transform_Sha256_AVX2_Len(wc_Sha256* sha256,

                                             const byte* data, word32 len);

        #ifdef HAVE_INTEL_RORX

        extern int Transform_Sha256_AVX1_RORX(wc_Sha256 *sha256, const byte* data);

        extern int Transform_Sha256_AVX1_RORX_Len(wc_Sha256* sha256,

                                                  const byte* data, word32 len);

        extern int Transform_Sha256_AVX2_RORX(wc_Sha256 *sha256, const byte* data);

        extern int Transform_Sha256_AVX2_RORX_Len(wc_Sha256* sha256,

                                                  const byte* data, word32 len);

        #endif /* HAVE_INTEL_RORX */

    #endif /* HAVE_INTEL_AVX2 */

#ifdef __cplusplus

    }  /* extern "C" */

#endif

    static int (*Transform_Sha256_p)(wc_Sha256* sha256, const byte* data);

                                                       /* = _Transform_Sha256 */

    static int (*Transform_Sha256_Len_p)(wc_Sha256* sha256, const byte* data,

                                         word32 len);

                                                                    /* = NULL */

    static int transform_check = 0;

    static word32 intel_flags;

    static int Transform_Sha256_is_vectorized = 0;

    static WC_INLINE int inline_XTRANSFORM(wc_Sha256* S, const byte* D) {

        int ret;

        ret = (*Transform_Sha256_p)(S, D);

        return ret;

    }

#define XTRANSFORM(...) inline_XTRANSFORM(__VA_ARGS__)

    static WC_INLINE int inline_XTRANSFORM_LEN(wc_Sha256* S, const byte* D, word32 L) {

        int ret;

        ret = (*Transform_Sha256_Len_p)(S, D, L);

        return ret;

    }

#define XTRANSFORM_LEN(...) inline_XTRANSFORM_LEN(__VA_ARGS__)

    static void Sha256_SetTransform(void)

    {

        if (transform_check)

            return;

        intel_flags = cpuid_get_flags();

    #ifdef HAVE_INTEL_AVX2

        if (1 && IS_INTEL_AVX2(intel_flags)) {

        #ifdef HAVE_INTEL_RORX

            if (IS_INTEL_BMI2(intel_flags)) {

                Transform_Sha256_p = Transform_Sha256_AVX2_RORX;

                Transform_Sha256_Len_p = Transform_Sha256_AVX2_RORX_Len;

                Transform_Sha256_is_vectorized = 1;

            }

            else

        #endif

            if (1)

            {

                Transform_Sha256_p = Transform_Sha256_AVX2;

                Transform_Sha256_Len_p = Transform_Sha256_AVX2_Len;

                Transform_Sha256_is_vectorized = 1;

            }

        #ifdef HAVE_INTEL_RORX

            else {

                Transform_Sha256_p = Transform_Sha256_AVX1_RORX;

                Transform_Sha256_Len_p = Transform_Sha256_AVX1_RORX_Len;

                Transform_Sha256_is_vectorized = 1;

            }

        #endif

        }

        else

    #endif

    #ifdef HAVE_INTEL_AVX1

        if (IS_INTEL_AVX1(intel_flags)) {

            Transform_Sha256_p = Transform_Sha256_AVX1;

            Transform_Sha256_Len_p = Transform_Sha256_AVX1_Len;

            Transform_Sha256_is_vectorized = 1;

        }

        else

    #endif

        {

            Transform_Sha256_p = Transform_Sha256;

            Transform_Sha256_Len_p = NULL;

            Transform_Sha256_is_vectorized = 0;

        }

        transform_check = 1;

    }

#if !defined(WOLFSSL_KCAPI_HASH)

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        int ret = 0;

        if (sha256 == NULL)

            return BAD_FUNC_ARG;

        sha256->heap = heap;

    #ifdef WOLF_CRYPTO_CB

        sha256->devId = devId;

        sha256->devCtx = NULL;

    #endif

    #ifdef WOLFSSL_SMALL_STACK_CACHE

        sha256->W = NULL;

    #endif

        ret = InitSha256(sha256);

        if (ret != 0)

            return ret;

        /* choose best Transform function under this runtime environment */

        Sha256_SetTransform();

    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)

        ret = wolfAsync_DevCtxInit(&sha256->asyncDev,

                            WOLFSSL_ASYNC_MARKER_SHA256, sha256->heap, devId);

    #else

        (void)devId;

    #endif /* WOLFSSL_ASYNC_CRYPT */

        return ret;

    }

#endif /* !WOLFSSL_KCAPI_HASH */

#elif defined(FREESCALE_LTC_SHA)

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        (void)heap;

        (void)devId;

        LTC_HASH_Init(LTC_BASE, &sha256->ctx, kLTC_Sha256, NULL, 0);

        return 0;

    }

#elif defined(FREESCALE_MMCAU_SHA)

    #ifdef FREESCALE_MMCAU_CLASSIC_SHA

        #include "cau_api.h"

    #else

        #include "fsl_mmcau.h"

    #endif

    #define XTRANSFORM(S, D)         Transform_Sha256((S),(D))

    #define XTRANSFORM_LEN(S, D, L)  Transform_Sha256_Len((S),(D),(L))

    #ifndef WC_HASH_DATA_ALIGNMENT

        /* these hardware API's require 4 byte (word32) alignment */

        #define WC_HASH_DATA_ALIGNMENT 4

    #endif

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        int ret = 0;

        (void)heap;

        (void)devId;

        ret = wolfSSL_CryptHwMutexLock();

        if (ret != 0) {

            return ret;

        }

    #ifdef FREESCALE_MMCAU_CLASSIC_SHA

        cau_sha256_initialize_output(sha256->digest);

    #else

        MMCAU_SHA256_InitializeOutput((uint32_t*)sha256->digest);

    #endif

        wolfSSL_CryptHwMutexUnLock();

        sha256->buffLen = 0;

        sha256->loLen   = 0;

        sha256->hiLen   = 0;

    #ifdef WOLFSSL_SMALL_STACK_CACHE

        sha256->W = NULL;

    #endif

        return ret;

    }

    static int Transform_Sha256(wc_Sha256* sha256, const byte* data)

    {

        int ret = wolfSSL_CryptHwMutexLock();

        if (ret == 0) {

    #ifdef FREESCALE_MMCAU_CLASSIC_SHA

            cau_sha256_hash_n((byte*)data, 1, sha256->digest);

    #else

            MMCAU_SHA256_HashN((byte*)data, 1, (uint32_t*)sha256->digest);

    #endif

            wolfSSL_CryptHwMutexUnLock();

        }

        return ret;

    }

    static int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,

        word32 len)

    {

        int ret = wolfSSL_CryptHwMutexLock();

        if (ret == 0) {

        #if defined(WC_HASH_DATA_ALIGNMENT) && WC_HASH_DATA_ALIGNMENT > 0

            if ((wc_ptr_t)data % WC_HASH_DATA_ALIGNMENT) {

                /* data pointer is NOT aligned,

                 * so copy and perform one block at a time */

                byte* local = (byte*)sha256->buffer;

                while (len >= WC_SHA256_BLOCK_SIZE) {

                    XMEMCPY(local, data, WC_SHA256_BLOCK_SIZE);

                #ifdef FREESCALE_MMCAU_CLASSIC_SHA

                    cau_sha256_hash_n(local, 1, sha256->digest);

                #else

                    MMCAU_SHA256_HashN(local, 1, (uint32_t*)sha256->digest);

                #endif

                    data += WC_SHA256_BLOCK_SIZE;

                    len  -= WC_SHA256_BLOCK_SIZE;

                }

            }

            else

        #endif

            {

    #ifdef FREESCALE_MMCAU_CLASSIC_SHA

            cau_sha256_hash_n((byte*)data, len/WC_SHA256_BLOCK_SIZE,

                sha256->digest);

    #else

            MMCAU_SHA256_HashN((byte*)data, len/WC_SHA256_BLOCK_SIZE,

                (uint32_t*)sha256->digest);

    #endif

            }

            wolfSSL_CryptHwMutexUnLock();

        }

        return ret;

    }

#elif defined(WOLFSSL_PIC32MZ_HASH)

    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>

#elif defined(STM32_HASH_SHA2)

    /* Supports CubeMX HAL or Standard Peripheral Library */

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        if (sha256 == NULL)

            return BAD_FUNC_ARG;

        (void)devId;

        (void)heap;

        XMEMSET(sha256, 0, sizeof(wc_Sha256));

        wc_Stm32_Hash_Init(&sha256->stmCtx);

        return 0;

    }

    int wc_Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)

    {

        int ret = 0;

        if (sha256 == NULL || (data == NULL && len > 0)) {

            return BAD_FUNC_ARG;

        }

        ret = wolfSSL_CryptHwMutexLock();

        if (ret == 0) {

            ret = wc_Stm32_Hash_Update(&sha256->stmCtx,

                HASH_AlgoSelection_SHA256, data, len, WC_SHA256_BLOCK_SIZE);

            wolfSSL_CryptHwMutexUnLock();

        }

        return ret;

    }

    int wc_Sha256Final(wc_Sha256* sha256, byte* hash)

    {

        int ret = 0;

        if (sha256 == NULL || hash == NULL) {

            return BAD_FUNC_ARG;

        }

        ret = wolfSSL_CryptHwMutexLock();

        if (ret == 0) {

            ret = wc_Stm32_Hash_Final(&sha256->stmCtx,

                HASH_AlgoSelection_SHA256, hash, WC_SHA256_DIGEST_SIZE);

            wolfSSL_CryptHwMutexUnLock();

        }

        (void)wc_InitSha256(sha256); /* reset state */

        return ret;

    }

#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH) && \

    !defined(WOLFSSL_QNX_CAAM)

    /* functions defined in wolfcrypt/src/port/caam/caam_sha256.c */

#elif defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH)

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        if (sha256 == NULL) {

            return BAD_FUNC_ARG;

        }

        (void)devId;

        return se050_hash_init(&sha256->se050Ctx, heap);

    }

    int wc_Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)

    {

        return se050_hash_update(&sha256->se050Ctx, data, len);

    }

    int wc_Sha256Final(wc_Sha256* sha256, byte* hash)

    {

        int ret = 0;

        ret = se050_hash_final(&sha256->se050Ctx, hash, WC_SHA256_DIGEST_SIZE,

                               kAlgorithm_SSS_SHA256);

        return ret;

    }

    int wc_Sha256FinalRaw(wc_Sha256* sha256, byte* hash)

    {

        int ret = 0;

        ret = se050_hash_final(&sha256->se050Ctx, hash, WC_SHA256_DIGEST_SIZE,

                               kAlgorithm_SSS_SHA256);

        return ret;

    }

#elif defined(WOLFSSL_AFALG_HASH)

    /* implemented in wolfcrypt/src/port/af_alg/afalg_hash.c */

#elif defined(WOLFSSL_DEVCRYPTO_HASH)

    /* implemented in wolfcrypt/src/port/devcrypto/devcrypt_hash.c */

#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_HASH)

    #include "hal_data.h"

    #ifndef WOLFSSL_SCE_SHA256_HANDLE

        #define WOLFSSL_SCE_SHA256_HANDLE g_sce_hash_0

    #endif

    #define WC_SHA256_DIGEST_WORD_SIZE 16

    #define XTRANSFORM(S, D) wc_Sha256SCE_XTRANSFORM((S), (D))

    static int wc_Sha256SCE_XTRANSFORM(wc_Sha256* sha256, const byte* data)

    {

        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==

                CRYPTO_WORD_ENDIAN_LITTLE)

        {

            ByteReverseWords((word32*)data, (word32*)data,

                    WC_SHA256_BLOCK_SIZE);

            ByteReverseWords(sha256->digest, sha256->digest,

                    WC_SHA256_DIGEST_SIZE);

        }

        if (WOLFSSL_SCE_SHA256_HANDLE.p_api->hashUpdate(

                    WOLFSSL_SCE_SHA256_HANDLE.p_ctrl, (word32*)data,

                    WC_SHA256_DIGEST_WORD_SIZE, sha256->digest) != SSP_SUCCESS){

            WOLFSSL_MSG("Unexpected hardware return value");

            return WC_HW_E;

        }

        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==

                CRYPTO_WORD_ENDIAN_LITTLE)

        {

            ByteReverseWords((word32*)data, (word32*)data,

                    WC_SHA256_BLOCK_SIZE);

            ByteReverseWords(sha256->digest, sha256->digest,

                    WC_SHA256_DIGEST_SIZE);

        }

        return 0;

    }

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        int ret = 0;

        if (sha256 == NULL)

            return BAD_FUNC_ARG;

        sha256->heap = heap;

        ret = InitSha256(sha256);

        if (ret != 0)

            return ret;

        (void)devId;

        return ret;

    }

#elif defined(WOLFSSL_USE_ESP32WROOM32_CRYPT_HASH_HW)

    /* HW may fail since there's only one, so we still need SW */

    #define NEED_SOFT_SHA256

    /*

    ** soft SHA needs initialization digest, but HW does not.

    */

    static int InitSha256(wc_Sha256* sha256)

    {

        int ret = 0; /* zero = success */

        if (sha256 == NULL) {

            return BAD_FUNC_ARG;

        }

        sha256->digest[0] = 0x6A09E667L;

        sha256->digest[1] = 0xBB67AE85L;

        sha256->digest[2] = 0x3C6EF372L;

        sha256->digest[3] = 0xA54FF53AL;

        sha256->digest[4] = 0x510E527FL;

        sha256->digest[5] = 0x9B05688CL;

        sha256->digest[6] = 0x1F83D9ABL;

        sha256->digest[7] = 0x5BE0CD19L;

        sha256->buffLen = 0;

        sha256->loLen   = 0;

        sha256->hiLen   = 0;

        ret = esp_sha_init(&(sha256->ctx), WC_HASH_TYPE_SHA256);

        return ret;

    }

    /*

    ** wolfCrypt InitSha256 external wrapper.

    **

    ** we'll assume this is ALWAYS for a new, uninitialized sha256

    */

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        (void)devId;

        if (sha256 == NULL) {

            return BAD_FUNC_ARG;

        }

    #ifdef WOLFSSL_USE_ESP32WROOM32_CRYPT_HASH_HW

        /* We know this is a fresh, uninitialized item, so set to INIT */

        if (sha256->ctx.mode != ESP32_SHA_INIT) {

            ESP_LOGV(TAG, "Set ctx mode from prior value: "

                               "%d", sha256->ctx.mode);

        }

        sha256->ctx.mode = ESP32_SHA_INIT;

    #endif

        return InitSha256(sha256);

    }

#elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \

    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)

    /* implemented in wolfcrypt/src/port/Renesas/renesas_tsip_sha.c */

#elif (defined(WOLFSSL_RENESAS_SCEPROTECT) || \

        defined(WOLFSSL_RENESAS_SCEPROTECT_CRYPTONLY)) && \

    !defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH)

    /* implemented in wolfcrypt/src/port/Renesas/renesas_sce_sha.c */

#elif defined(WOLFSSL_PSOC6_CRYPTO)

    /* implemented in wolfcrypt/src/port/cypress/psoc6_crypto.c */

#elif defined(WOLFSSL_IMXRT_DCP)

    #include <wolfssl/wolfcrypt/port/nxp/dcp_port.h>

    /* implemented in wolfcrypt/src/port/nxp/dcp_port.c */

#elif defined(WOLFSSL_SILABS_SE_ACCEL)

    /* implemented in wolfcrypt/src/port/silabs/silabs_hash.c */

#elif defined(WOLFSSL_KCAPI_HASH)

    /* implemented in wolfcrypt/src/port/kcapi/kcapi_hash.c */

#elif defined(WOLFSSL_HAVE_PSA) && !defined(WOLFSSL_PSA_NO_HASH)

    /* implemented in wolfcrypt/src/port/psa/psa_hash.c */

#elif defined(WOLFSSL_RENESAS_RX64_HASH)

    /* implemented in wolfcrypt/src/port/Renesas/renesas_rx64_hw_sha.c */

#else

    #define NEED_SOFT_SHA256

    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)

    {

        int ret = 0;

        if (sha256 == NULL)

            return BAD_FUNC_ARG;

        ret = InitSha256(sha256);

        if (ret != 0)

            return ret;

        sha256->heap = heap;

    #ifdef WOLF_CRYPTO_CB

        sha256->devId = devId;

        sha256->devCtx = NULL;

    #endif

    #ifdef WOLFSSL_SMALL_STACK_CACHE

        sha256->W = NULL;

    #endif

    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)

        ret = wolfAsync_DevCtxInit(&sha256->asyncDev,

                            WOLFSSL_ASYNC_MARKER_SHA256, sha256->heap, devId);

    #else

        (void)devId;

    #endif /* WOLFSSL_ASYNC_CRYPT */

    #ifdef WOLFSSL_IMXRT1170_CAAM

         ret = wc_CAAM_HashInit(&sha256->hndl, &sha256->ctx, WC_HASH_TYPE_SHA256);

    #endif

        return ret;

    }

#endif /* End Hardware Acceleration */

#ifdef NEED_SOFT_SHA256

    static const FLASH_QUALIFIER ALIGN32 word32 K[64] = {

        0x428A2F98L, 0x71374491L, 0xB5C0FBCFL, 0xE9B5DBA5L, 0x3956C25BL,

        0x59F111F1L, 0x923F82A4L, 0xAB1C5ED5L, 0xD807AA98L, 0x12835B01L,

        0x243185BEL, 0x550C7DC3L, 0x72BE5D74L, 0x80DEB1FEL, 0x9BDC06A7L,

        0xC19BF174L, 0xE49B69C1L, 0xEFBE4786L, 0x0FC19DC6L, 0x240CA1CCL,

        0x2DE92C6FL, 0x4A7484AAL, 0x5CB0A9DCL, 0x76F988DAL, 0x983E5152L,

        0xA831C66DL, 0xB00327C8L, 0xBF597FC7L, 0xC6E00BF3L, 0xD5A79147L,

        0x06CA6351L, 0x14292967L, 0x27B70A85L, 0x2E1B2138L, 0x4D2C6DFCL,

        0x53380D13L, 0x650A7354L, 0x766A0ABBL, 0x81C2C92EL, 0x92722C85L,

        0xA2BFE8A1L, 0xA81A664BL, 0xC24B8B70L, 0xC76C51A3L, 0xD192E819L,

        0xD6990624L, 0xF40E3585L, 0x106AA070L, 0x19A4C116L, 0x1E376C08L,

        0x2748774CL, 0x34B0BCB5L, 0x391C0CB3L, 0x4ED8AA4AL, 0x5B9CCA4FL,

        0x682E6FF3L, 0x748F82EEL, 0x78A5636FL, 0x84C87814L, 0x8CC70208L,

        0x90BEFFFAL, 0xA4506CEBL, 0xBEF9A3F7L, 0xC67178F2L

    };

/* Both versions of Ch and Maj are logically the same, but with the second set

    the compilers can recognize them better for optimization */

#ifdef WOLFSSL_SHA256_BY_SPEC

    /* SHA256 math based on specification */

    #define Ch(x,y,z)       ((z) ^ ((x) & ((y) ^ (z))))

    #define Maj(x,y,z)      ((((x) | (y)) & (z)) | ((x) & (y)))

#else

    /* SHA256 math reworked for easier compiler optimization */

    #define Ch(x,y,z)       ((((y) ^ (z)) & (x)) ^ (z))

    #define Maj(x,y,z)      ((((x) ^ (y)) & ((y) ^ (z))) ^ (y))

#endif

    #define R(x, n)         (((x) & 0xFFFFFFFFU) >> (n))

    #define S(x, n)         rotrFixed(x, n)

    #define Sigma0(x)       (S(x, 2)  ^ S(x, 13) ^ S(x, 22))

    #define Sigma1(x)       (S(x, 6)  ^ S(x, 11) ^ S(x, 25))

    #define Gamma0(x)       (S(x, 7)  ^ S(x, 18) ^ R(x, 3))

    #define Gamma1(x)       (S(x, 17) ^ S(x, 19) ^ R(x, 10))

    #define a(i) S[(0-(i)) & 7]

    #define b(i) S[(1-(i)) & 7]

    #define c(i) S[(2-(i)) & 7]

    #define d(i) S[(3-(i)) & 7]

    #define e(i) S[(4-(i)) & 7]

    #define f(i) S[(5-(i)) & 7]

    #define g(i) S[(6-(i)) & 7]

    #define h(i) S[(7-(i)) & 7]

    #ifndef XTRANSFORM

         #define XTRANSFORM(S, D)         Transform_Sha256((S),(D))

    #endif

#ifndef SHA256_MANY_REGISTERS

    #define RND(j) \

         t0 = h(j) + Sigma1(e(j)) + Ch(e(j), f(j), g(j)) + K[i+(j)] + W[i+(j)]; \

         t1 = Sigma0(a(j)) + Maj(a(j), b(j), c(j)); \

         d(j) += t0; \

         h(j)  = t0 + t1

    static int Transform_Sha256(wc_Sha256* sha256, const byte* data)

    {

        word32 S[8], t0, t1;

        int i;

    #ifdef WOLFSSL_SMALL_STACK_CACHE

        word32* W = sha256->W;

        if (W == NULL) {

            W = (word32*)XMALLOC(sizeof(word32) * WC_SHA256_BLOCK_SIZE, NULL,

                                                           DYNAMIC_TYPE_DIGEST);

            if (W == NULL)

                return MEMORY_E;

            sha256->W = W;

        }

    #elif defined(WOLFSSL_SMALL_STACK)

        word32* W;

        W = (word32*)XMALLOC(sizeof(word32) * WC_SHA256_BLOCK_SIZE, NULL,

                                                       DYNAMIC_TYPE_TMP_BUFFER);

        if (W == NULL)

            return MEMORY_E;

    #else

        word32 W[WC_SHA256_BLOCK_SIZE];

    #endif

        /* Copy context->state[] to working vars */

        for (i = 0; i < 8; i++)

            S[i] = sha256->digest[i];

        for (i = 0; i < 16; i++)

            W[i] = *((const word32*)&data[i*(int)sizeof(word32)]);

        for (i = 16; i < WC_SHA256_BLOCK_SIZE; i++)

            W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15]) + W[i-16];

    #ifdef USE_SLOW_SHA256

        /* not unrolled - ~2k smaller and ~25% slower */

        for (i = 0; i < WC_SHA256_BLOCK_SIZE; i += 8) {

            int j;

            for (j = 0; j < 8; j++) { /* braces needed here for macros {} */

                RND(j);

            }

        }

    #else

        /* partially loop unrolled */

        for (i = 0; i < WC_SHA256_BLOCK_SIZE; i += 8) {

            RND(0); RND(1); RND(2); RND(3);

            RND(4); RND(5); RND(6); RND(7);

        }

    #endif /* USE_SLOW_SHA256 */

        /* Add the working vars back into digest state[] */

        for (i = 0; i < 8; i++) {

            sha256->digest[i] += S[i];

        }

    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)

        XFREE(W, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    #endif

        return 0;

    }

#else

    /* SHA256 version that keeps all data in registers */

    #define SCHED1(j) (W[j] = *((word32*)&data[j*sizeof(word32)]))

    #define SCHED(j) (               \

                   W[ j     & 15] += \

            Gamma1(W[(j-2)  & 15])+  \

                   W[(j-7)  & 15] +  \

            Gamma0(W[(j-15) & 15])   \

        )

    #define RND1(j) \

         t0 = h(j) + Sigma1(e(j)) + Ch(e(j), f(j), g(j)) + K[i+j] + SCHED1(j); \

         t1 = Sigma0(a(j)) + Maj(a(j), b(j), c(j)); \

         d(j) += t0; \

         h(j)  = t0 + t1

    #define RNDN(j) \

         t0 = h(j) + Sigma1(e(j)) + Ch(e(j), f(j), g(j)) + K[i+j] + SCHED(j); \

         t1 = Sigma0(a(j)) + Maj(a(j), b(j), c(j)); \

         d(j) += t0; \

         h(j)  = t0 + t1

    static int Transform_Sha256(wc_Sha256* sha256, const byte* data)

    {

        word32 S[8], t0, t1;

        int i;

        word32 W[WC_SHA256_BLOCK_SIZE/sizeof(word32)];

        /* Copy digest to working vars */

        S[0] = sha256->digest[0];

        S[1] = sha256->digest[1];

        S[2] = sha256->digest[2];

        S[3] = sha256->digest[3];

        S[4] = sha256->digest[4];

        S[5] = sha256->digest[5];

        S[6] = sha256->digest[6];

        S[7] = sha256->digest[7];

        i = 0;

        RND1( 0); RND1( 1); RND1( 2); RND1( 3);

        RND1( 4); RND1( 5); RND1( 6); RND1( 7);

        RND1( 8); RND1( 9); RND1(10); RND1(11);

        RND1(12); RND1(13); RND1(14); RND1(15);

        /* 64 operations, partially loop unrolled */

        for (i = 16; i < 64; i += 16) {

            RNDN( 0); RNDN( 1); RNDN( 2); RNDN( 3);

            RNDN( 4); RNDN( 5); RNDN( 6); RNDN( 7);

            RNDN( 8); RNDN( 9); RNDN(10); RNDN(11);

            RNDN(12); RNDN(13); RNDN(14); RNDN(15);

        }

        /* Add the working vars back into digest */

        sha256->digest[0] += S[0];

        sha256->digest[1] += S[1];

        sha256->digest[2] += S[2];

        sha256->digest[3] += S[3];

        sha256->digest[4] += S[4];

        sha256->digest[5] += S[5];

        sha256->digest[6] += S[6];

        sha256->digest[7] += S[7];

        return 0;

    }

#endif /* SHA256_MANY_REGISTERS */

#endif

/* End wc_ software implementation */

#ifdef XTRANSFORM

    static WC_INLINE void AddLength(wc_Sha256* sha256, word32 len)

    {

        word32 tmp = sha256->loLen;

        if ((sha256->loLen += len) < tmp) {

            sha256->hiLen++;                       /* carry low to high */

        }

    }

    /* do block size increments/updates */

    static WC_INLINE int Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)

    {

        int ret = 0;

        word32 blocksLen;

        byte* local;

        if (sha256 == NULL || (data == NULL && len > 0)) {

            return BAD_FUNC_ARG;

        }

        if (data == NULL && len == 0) {

            /* valid, but do nothing */

            return 0;

        }

        /* check that internal buffLen is valid */

        if (sha256->buffLen >= WC_SHA256_BLOCK_SIZE) {

            return BUFFER_E;

        }

        /* add length for final */

        AddLength(sha256, len);

        local = (byte*)sha256->buffer;

        /* process any remainder from previous operation */

        if (sha256->buffLen > 0) {

            blocksLen = min(len, WC_SHA256_BLOCK_SIZE - sha256->buffLen);

            XMEMCPY(&local[sha256->buffLen], data, blocksLen);

            sha256->buffLen += blocksLen;

            data            += blocksLen;

            len             -= blocksLen;

            if (sha256->buffLen == WC_SHA256_BLOCK_SIZE) {