[efi-boot-shim.git] / Cryptlib / OpenSSL / crypto / sha / sha256.c

/*
 * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>

int SHA224_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0xc1059ed8UL;
    c->h[1] = 0x367cd507UL;
    c->h[2] = 0x3070dd17UL;
    c->h[3] = 0xf70e5939UL;
    c->h[4] = 0xffc00b31UL;
    c->h[5] = 0x68581511UL;
    c->h[6] = 0x64f98fa7UL;
    c->h[7] = 0xbefa4fa4UL;
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}

int SHA256_Init(SHA256_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->h[0] = 0x6a09e667UL;
    c->h[1] = 0xbb67ae85UL;
    c->h[2] = 0x3c6ef372UL;
    c->h[3] = 0xa54ff53aUL;
    c->h[4] = 0x510e527fUL;
    c->h[5] = 0x9b05688cUL;
    c->h[6] = 0x1f83d9abUL;
    c->h[7] = 0x5be0cd19UL;
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}

unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA224_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA224_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return (md);
}

unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
{
    SHA256_CTX c;
    static unsigned char m[SHA256_DIGEST_LENGTH];

    if (md == NULL)
        md = m;
    SHA256_Init(&c);
    SHA256_Update(&c, d, n);
    SHA256_Final(md, &c);
    OPENSSL_cleanse(&c, sizeof(c));
    return (md);
}

int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    return SHA256_Update(c, data, len);
}

int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    return SHA256_Final(md, c);
}

#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK

/*
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
 * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
#define HASH_MAKE_STRING(c,s)   do {    \
        unsigned long ll;               \
        unsigned int  nn;               \
        switch ((c)->md_len)            \
        {   case SHA224_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            case SHA256_DIGEST_LENGTH:  \
                for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
            default:                    \
                if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                    return 0;                           \
                for (nn=0;nn<(c)->md_len/4;nn++)                \
                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                break;                  \
        }                               \
        } while (0)

#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);

#include "internal/md32_common.h"

#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};

/*
 * FIPS specification refers to right rotations, while our ROTATE macro
 * is left one. This is why you might notice that rotation coefficients
 * differ from those observed in FIPS document by 32-N...
 */
# define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))

# define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

# ifdef OPENSSL_SMALL_FOOTPRINT

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 16; i++) {
            (void)HOST_c2l(data, l);
            T1 = X[i] = l;
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        for (; i < 64; i++) {
            s0 = X[(i + 1) & 0x0f];
            s0 = sigma0(s0);
            s1 = X[(i + 14) & 0x0f];
            s1 = sigma1(s1);

            T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# else

#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;        h += T1;                } while (0)

#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
        s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);         } while (0)

static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    const union {
        long one;
        char little;
    } is_endian = {
        1
    };

    while (num--) {

        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        if (!is_endian.little && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10];
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11];
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12];
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13];
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14];
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15];
            ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            SHA_LONG l;

            (void)HOST_c2l(data, l);
            T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l);
            T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l);
            T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l);
            T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l);
            T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l);
            T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l);
            T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l);
            T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l);
            T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;

    }
}

# endif
#endif                         /* SHA256_ASM */
Commit	Line	Data
7bf7a6d0 MTL	1	/*
	2	* Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
3e575651	8	*/
d3819813	9
7bf7a6d0	10	#include <openssl/opensslconf.h>
d3819813	11
7bf7a6d0 MTL	12	#include <stdlib.h>
7bf7a6d0 MTL	13	#include <string.h>
d3819813	14
7bf7a6d0 MTL	15	#include <openssl/crypto.h>
	16	#include <openssl/sha.h>
	17	#include <openssl/opensslv.h>
b6f94dbe	18
7bf7a6d0	19	int SHA224_Init(SHA256_CTX *c)
d3819813 MTL	20	{
	21	memset(c, 0, sizeof(*c));
	22	c->h[0] = 0xc1059ed8UL;
	23	c->h[1] = 0x367cd507UL;
	24	c->h[2] = 0x3070dd17UL;
	25	c->h[3] = 0xf70e5939UL;
	26	c->h[4] = 0xffc00b31UL;
	27	c->h[5] = 0x68581511UL;
	28	c->h[6] = 0x64f98fa7UL;
	29	c->h[7] = 0xbefa4fa4UL;
	30	c->md_len = SHA224_DIGEST_LENGTH;
	31	return 1;
	32	}
	33
7bf7a6d0	34	int SHA256_Init(SHA256_CTX *c)
d3819813 MTL	35	{
	36	memset(c, 0, sizeof(*c));
	37	c->h[0] = 0x6a09e667UL;
	38	c->h[1] = 0xbb67ae85UL;
	39	c->h[2] = 0x3c6ef372UL;
	40	c->h[3] = 0xa54ff53aUL;
	41	c->h[4] = 0x510e527fUL;
	42	c->h[5] = 0x9b05688cUL;
	43	c->h[6] = 0x1f83d9abUL;
	44	c->h[7] = 0x5be0cd19UL;
	45	c->md_len = SHA256_DIGEST_LENGTH;
	46	return 1;
	47	}
3e575651 SL	48
3e575651 SL	49	unsigned char SHA224(const unsigned char d, size_t n, unsigned char *md)
d3819813 MTL	50	{
	51	SHA256_CTX c;
	52	static unsigned char m[SHA224_DIGEST_LENGTH];
	53
	54	if (md == NULL)
	55	md = m;
	56	SHA224_Init(&c);
	57	SHA256_Update(&c, d, n);
	58	SHA256_Final(md, &c);
	59	OPENSSL_cleanse(&c, sizeof(c));
	60	return (md);
	61	}
3e575651 SL	62
3e575651 SL	63	unsigned char SHA256(const unsigned char d, size_t n, unsigned char *md)
d3819813 MTL	64	{
	65	SHA256_CTX c;
	66	static unsigned char m[SHA256_DIGEST_LENGTH];
	67
	68	if (md == NULL)
	69	md = m;
	70	SHA256_Init(&c);
	71	SHA256_Update(&c, d, n);
	72	SHA256_Final(md, &c);
	73	OPENSSL_cleanse(&c, sizeof(c));
	74	return (md);
	75	}
3e575651 SL	76
3e575651 SL	77	int SHA224_Update(SHA256_CTX c, const void data, size_t len)
d3819813 MTL	78	{
	79	return SHA256_Update(c, data, len);
	80	}
3e575651	81
d3819813 MTL	82	int SHA224_Final(unsigned char md, SHA256_CTX c)
	83	{
	84	return SHA256_Final(md, c);
	85	}
	86
7bf7a6d0 MTL	87	#define DATA_ORDER_IS_BIG_ENDIAN
	88
	89	#define HASH_LONG SHA_LONG
	90	#define HASH_CTX SHA256_CTX
	91	#define HASH_CBLOCK SHA_CBLOCK
3e575651	92
3e575651 SL	93	/*
	94	* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
	95	* default: case below covers for it. It's not clear however if it's
	96	* permitted to truncate to amount of bytes not divisible by 4. I bet not,
	97	* but if it is, then default: case shall be extended. For reference.
7bf7a6d0	98	* Idea behind separate cases for pre-defined lengths is to let the
3e575651 SL	99	* compiler decide if it's appropriate to unroll small loops.
3e575651 SL	100	*/
7bf7a6d0	101	#define HASH_MAKE_STRING(c,s) do { \
d3819813 MTL	102	unsigned long ll; \
	103	unsigned int nn; \
	104	switch ((c)->md_len) \
	105	{ case SHA224_DIGEST_LENGTH: \
	106	for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
	107	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
	108	break; \
	109	case SHA256_DIGEST_LENGTH: \
	110	for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
	111	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
	112	break; \
	113	default: \
	114	if ((c)->md_len > SHA256_DIGEST_LENGTH) \
	115	return 0; \
	116	for (nn=0;nn<(c)->md_len/4;nn++) \
	117	{ ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
	118	break; \
	119	} \
	120	} while (0)
	121
7bf7a6d0 MTL	122	#define HASH_UPDATE SHA256_Update
	123	#define HASH_TRANSFORM SHA256_Transform
	124	#define HASH_FINAL SHA256_Final
	125	#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
	126	#ifndef SHA256_ASM
3e575651	127	static
7bf7a6d0	128	#endif
d3819813	129	void sha256_block_data_order(SHA256_CTX ctx, const void in, size_t num);
3e575651	130
7bf7a6d0	131	#include "internal/md32_common.h"
3e575651	132
7bf7a6d0	133	#ifndef SHA256_ASM
3e575651	134	static const SHA_LONG K256[64] = {
d3819813 MTL	135	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
	136	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
	137	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
	138	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
	139	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
	140	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
	141	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
	142	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
	143	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
	144	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
	145	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
	146	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
	147	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
	148	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
	149	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
	150	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
	151	};
3e575651 SL	152
	153	/*
	154	* FIPS specification refers to right rotations, while our ROTATE macro
	155	* is left one. This is why you might notice that rotation coefficients
	156	* differ from those observed in FIPS document by 32-N...
	157	*/
7bf7a6d0 MTL	158	# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
	159	# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
	160	# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
	161	# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
d3819813	162
7bf7a6d0 MTL	163	# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
7bf7a6d0 MTL	164	# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
d3819813	165
7bf7a6d0	166	# ifdef OPENSSL_SMALL_FOOTPRINT
d3819813 MTL	167
	168	static void sha256_block_data_order(SHA256_CTX ctx, const void in,
	169	size_t num)
	170	{
	171	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
	172	SHA_LONG X[16], l;
	173	int i;
	174	const unsigned char *data = in;
	175
	176	while (num--) {
	177
	178	a = ctx->h[0];
	179	b = ctx->h[1];
	180	c = ctx->h[2];
	181	d = ctx->h[3];
	182	e = ctx->h[4];
	183	f = ctx->h[5];
	184	g = ctx->h[6];
	185	h = ctx->h[7];
	186
	187	for (i = 0; i < 16; i++) {
7bf7a6d0	188	(void)HOST_c2l(data, l);
d3819813 MTL	189	T1 = X[i] = l;
	190	T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
	191	T2 = Sigma0(a) + Maj(a, b, c);
	192	h = g;
	193	g = f;
	194	f = e;
	195	e = d + T1;
	196	d = c;
	197	c = b;
	198	b = a;
	199	a = T1 + T2;
	200	}
	201
	202	for (; i < 64; i++) {
	203	s0 = X[(i + 1) & 0x0f];
	204	s0 = sigma0(s0);
	205	s1 = X[(i + 14) & 0x0f];
	206	s1 = sigma1(s1);
	207
	208	T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
	209	T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
	210	T2 = Sigma0(a) + Maj(a, b, c);
	211	h = g;
	212	g = f;
	213	f = e;
	214	e = d + T1;
	215	d = c;
	216	c = b;
	217	b = a;
	218	a = T1 + T2;
	219	}
	220
	221	ctx->h[0] += a;
	222	ctx->h[1] += b;
	223	ctx->h[2] += c;
	224	ctx->h[3] += d;
	225	ctx->h[4] += e;
	226	ctx->h[5] += f;
	227	ctx->h[6] += g;
	228	ctx->h[7] += h;
	229
	230	}
3e575651 SL	231	}
3e575651 SL	232
7bf7a6d0	233	# else
d3819813	234
7bf7a6d0	235	# define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
d3819813 MTL	236	T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \
	237	h = Sigma0(a) + Maj(a,b,c); \
	238	d += T1; h += T1; } while (0)
	239
7bf7a6d0	240	# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \
d3819813 MTL	241	s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
	242	s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
	243	T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
	244	ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0)
	245
	246	static void sha256_block_data_order(SHA256_CTX ctx, const void in,
	247	size_t num)
	248	{
	249	unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
	250	SHA_LONG X[16];
	251	int i;
	252	const unsigned char *data = in;
	253	const union {
	254	long one;
	255	char little;
	256	} is_endian = {
	257	1
	258	};
	259
	260	while (num--) {
	261
	262	a = ctx->h[0];
	263	b = ctx->h[1];
	264	c = ctx->h[2];
	265	d = ctx->h[3];
	266	e = ctx->h[4];
	267	f = ctx->h[5];
	268	g = ctx->h[6];
	269	h = ctx->h[7];
	270
	271	if (!is_endian.little && sizeof(SHA_LONG) == 4
	272	&& ((size_t)in % 4) == 0) {
	273	const SHA_LONG W = (const SHA_LONG )data;
	274
	275	T1 = X[0] = W[0];
	276	ROUND_00_15(0, a, b, c, d, e, f, g, h);
	277	T1 = X[1] = W[1];
	278	ROUND_00_15(1, h, a, b, c, d, e, f, g);
	279	T1 = X[2] = W[2];
	280	ROUND_00_15(2, g, h, a, b, c, d, e, f);
	281	T1 = X[3] = W[3];
	282	ROUND_00_15(3, f, g, h, a, b, c, d, e);
	283	T1 = X[4] = W[4];
	284	ROUND_00_15(4, e, f, g, h, a, b, c, d);
	285	T1 = X[5] = W[5];
	286	ROUND_00_15(5, d, e, f, g, h, a, b, c);
	287	T1 = X[6] = W[6];
	288	ROUND_00_15(6, c, d, e, f, g, h, a, b);
	289	T1 = X[7] = W[7];
	290	ROUND_00_15(7, b, c, d, e, f, g, h, a);
	291	T1 = X[8] = W[8];
	292	ROUND_00_15(8, a, b, c, d, e, f, g, h);
	293	T1 = X[9] = W[9];
	294	ROUND_00_15(9, h, a, b, c, d, e, f, g);
	295	T1 = X[10] = W[10];
	296	ROUND_00_15(10, g, h, a, b, c, d, e, f);
	297	T1 = X[11] = W[11];
	298	ROUND_00_15(11, f, g, h, a, b, c, d, e);
	299	T1 = X[12] = W[12];
	300	ROUND_00_15(12, e, f, g, h, a, b, c, d);
	301	T1 = X[13] = W[13];
	302	ROUND_00_15(13, d, e, f, g, h, a, b, c);
	303	T1 = X[14] = W[14];
	304	ROUND_00_15(14, c, d, e, f, g, h, a, b);
305	T1 = X[15] = W[15];
306	ROUND_00_15(15, b, c, d, e, f, g, h, a);
307
308	data += SHA256_CBLOCK;
309	} else {
310	SHA_LONG l;
311
7bf7a6d0	312	(void)HOST_c2l(data, l);
d3819813 MTL	313	T1 = X[0] = l;
d3819813 MTL	314	ROUND_00_15(0, a, b, c, d, e, f, g, h);
7bf7a6d0	315	(void)HOST_c2l(data, l);
d3819813 MTL	316	T1 = X[1] = l;
d3819813 MTL	317	ROUND_00_15(1, h, a, b, c, d, e, f, g);
7bf7a6d0	318	(void)HOST_c2l(data, l);
d3819813 MTL	319	T1 = X[2] = l;
d3819813 MTL	320	ROUND_00_15(2, g, h, a, b, c, d, e, f);
7bf7a6d0	321	(void)HOST_c2l(data, l);
d3819813 MTL	322	T1 = X[3] = l;
d3819813 MTL	323	ROUND_00_15(3, f, g, h, a, b, c, d, e);
7bf7a6d0	324	(void)HOST_c2l(data, l);
d3819813 MTL	325	T1 = X[4] = l;
d3819813 MTL	326	ROUND_00_15(4, e, f, g, h, a, b, c, d);
7bf7a6d0	327	(void)HOST_c2l(data, l);
d3819813 MTL	328	T1 = X[5] = l;
d3819813 MTL	329	ROUND_00_15(5, d, e, f, g, h, a, b, c);
7bf7a6d0	330	(void)HOST_c2l(data, l);
d3819813 MTL	331	T1 = X[6] = l;
d3819813 MTL	332	ROUND_00_15(6, c, d, e, f, g, h, a, b);
7bf7a6d0	333	(void)HOST_c2l(data, l);
d3819813 MTL	334	T1 = X[7] = l;
d3819813 MTL	335	ROUND_00_15(7, b, c, d, e, f, g, h, a);
7bf7a6d0	336	(void)HOST_c2l(data, l);
d3819813 MTL	337	T1 = X[8] = l;
d3819813 MTL	338	ROUND_00_15(8, a, b, c, d, e, f, g, h);
7bf7a6d0	339	(void)HOST_c2l(data, l);
d3819813 MTL	340	T1 = X[9] = l;
d3819813 MTL	341	ROUND_00_15(9, h, a, b, c, d, e, f, g);
7bf7a6d0	342	(void)HOST_c2l(data, l);
d3819813 MTL	343	T1 = X[10] = l;
d3819813 MTL	344	ROUND_00_15(10, g, h, a, b, c, d, e, f);
7bf7a6d0	345	(void)HOST_c2l(data, l);
d3819813 MTL	346	T1 = X[11] = l;
d3819813 MTL	347	ROUND_00_15(11, f, g, h, a, b, c, d, e);
7bf7a6d0	348	(void)HOST_c2l(data, l);
d3819813 MTL	349	T1 = X[12] = l;
d3819813 MTL	350	ROUND_00_15(12, e, f, g, h, a, b, c, d);
7bf7a6d0	351	(void)HOST_c2l(data, l);
d3819813 MTL	352	T1 = X[13] = l;
d3819813 MTL	353	ROUND_00_15(13, d, e, f, g, h, a, b, c);
7bf7a6d0	354	(void)HOST_c2l(data, l);
d3819813 MTL	355	T1 = X[14] = l;
d3819813 MTL	356	ROUND_00_15(14, c, d, e, f, g, h, a, b);
7bf7a6d0	357	(void)HOST_c2l(data, l);
d3819813 MTL	358	T1 = X[15] = l;
	359	ROUND_00_15(15, b, c, d, e, f, g, h, a);
	360	}
	361
	362	for (i = 16; i < 64; i += 8) {
	363	ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
	364	ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
	365	ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
	366	ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
	367	ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
	368	ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
	369	ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
	370	ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
	371	}
	372
	373	ctx->h[0] += a;
	374	ctx->h[1] += b;
	375	ctx->h[2] += c;
	376	ctx->h[3] += d;
	377	ctx->h[4] += e;
	378	ctx->h[5] += f;
	379	ctx->h[6] += g;
	380	ctx->h[7] += h;
	381
	382	}
	383	}
	384
7bf7a6d0 MTL	385	# endif
7bf7a6d0 MTL	386	#endif /* SHA256_ASM */