1e71b7053SJung-uk Kim /*
2*b077aed3SPierre Pronchery * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
3e71b7053SJung-uk Kim *
4*b077aed3SPierre Pronchery * Licensed under the Apache License 2.0 (the "License"). You may not use
5e71b7053SJung-uk Kim * this file except in compliance with the License. You can obtain a copy
6e71b7053SJung-uk Kim * in the file LICENSE in the source distribution or at
7e71b7053SJung-uk Kim * https://www.openssl.org/source/license.html
83b4e3dcbSSimon L. B. Nielsen */
9e71b7053SJung-uk Kim
10*b077aed3SPierre Pronchery /*
11*b077aed3SPierre Pronchery * SHA256 low level APIs are deprecated for public use, but still ok for
12*b077aed3SPierre Pronchery * internal use.
13*b077aed3SPierre Pronchery */
14*b077aed3SPierre Pronchery #include "internal/deprecated.h"
15*b077aed3SPierre Pronchery
163b4e3dcbSSimon L. B. Nielsen #include <openssl/opensslconf.h>
173b4e3dcbSSimon L. B. Nielsen
183b4e3dcbSSimon L. B. Nielsen #include <stdlib.h>
193b4e3dcbSSimon L. B. Nielsen #include <string.h>
203b4e3dcbSSimon L. B. Nielsen
213b4e3dcbSSimon L. B. Nielsen #include <openssl/crypto.h>
223b4e3dcbSSimon L. B. Nielsen #include <openssl/sha.h>
233b4e3dcbSSimon L. B. Nielsen #include <openssl/opensslv.h>
24*b077aed3SPierre Pronchery #include "internal/endian.h"
253b4e3dcbSSimon L. B. Nielsen
/*
 * Prepare |c| for a SHA-224 computation.
 *
 * Every field of the context is zeroed first, so nothing from an earlier use
 * of the same object survives. The eight chaining words are then loaded with
 * the SHA-224 initial values and md_len is set to SHA224_DIGEST_LENGTH.
 * md_len is what HASH_MAKE_STRING later uses to decide how many bytes of the
 * state are written out as the digest.
 *
 * |c| is dereferenced without a NULL check; the caller must pass a valid
 * context. Always returns 1.
 */
int SHA224_Init(SHA256_CTX *c)
{
    static const unsigned long sha224_iv[8] = {
        0xc1059ed8UL, 0x367cd507UL, 0x3070dd17UL, 0xf70e5939UL,
        0xffc00b31UL, 0x68581511UL, 0x64f98fa7UL, 0xbefa4fa4UL
    };
    unsigned int i;

    memset(c, 0, sizeof(*c));
    for (i = 0; i < 8; i++)
        c->h[i] = sha224_iv[i];
    c->md_len = SHA224_DIGEST_LENGTH;
    return 1;
}
403b4e3dcbSSimon L. B. Nielsen
/*
 * Prepare |c| for a SHA-256 computation.
 *
 * The context is zeroed in full, the eight chaining words are loaded with
 * the SHA-256 initial values, and md_len is set to SHA256_DIGEST_LENGTH so
 * that HASH_MAKE_STRING emits the whole state as the digest.
 *
 * |c| is dereferenced without a NULL check; the caller must pass a valid
 * context. Always returns 1.
 */
int SHA256_Init(SHA256_CTX *c)
{
    static const unsigned long sha256_iv[8] = {
        0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
        0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL
    };
    unsigned int i;

    memset(c, 0, sizeof(*c));
    for (i = 0; i < 8; i++)
        c->h[i] = sha256_iv[i];
    c->md_len = SHA256_DIGEST_LENGTH;
    return 1;
}
553b4e3dcbSSimon L. B. Nielsen
/*
 * Absorb |len| bytes at |data| into a SHA-224 computation.
 *
 * In this file SHA-224 differs from SHA-256 only in the initial state and in
 * md_len, both set by SHA224_Init(), so the call is forwarded unchanged to
 * SHA256_Update() and its return value is passed back to the caller.
 */
int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
{
    int ok = SHA256_Update(c, data, len);

    return ok;
}
606f9291ceSJung-uk Kim
/*
 * Finish a SHA-224 computation and write the digest to |md|.
 *
 * Forwards to SHA256_Final(). The number of bytes written is governed by
 * c->md_len (see HASH_MAKE_STRING), not by which *_Final wrapper is called,
 * so |md| must be large enough for the digest the context was initialised
 * for. Returns whatever SHA256_Final() returns.
 */
int SHA224_Final(unsigned char *md, SHA256_CTX *c)
{
    int ok = SHA256_Final(md, c);

    return ok;
}
653b4e3dcbSSimon L. B. Nielsen
/*
 * Configuration for the shared hash template. None of these names is used
 * directly in this file; they are presumably consumed by
 * crypto/md32_common.h, which is included further down - confirm against
 * that header.
 */
#define DATA_ORDER_IS_BIG_ENDIAN

#define HASH_LONG               SHA_LONG
#define HASH_CTX                SHA256_CTX
#define HASH_CBLOCK             SHA_CBLOCK
71e71b7053SJung-uk Kim
/*
 * HASH_MAKE_STRING(c, s): write the chaining state of |c| to the output
 * buffer |s|, one word of c->h[] at a time through HOST_l2c().
 *
 * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
 * The default: case below covers for it. It is not clear, however, whether
 * truncating to a number of bytes not divisible by 4 is permitted. Probably
 * not, but if it is, the default: case has to be extended. For reference.
 * The idea behind separate cases for the pre-defined lengths is to let the
 * compiler decide whether it is appropriate to unroll the small loops.
 *
 * Points worth knowing when reviewing a caller:
 *  - c->md_len is the only bound on how much is written to |s|; the macro
 *    has no knowledge of the size of the output buffer.
 *  - The macro contains a `return 0;`. When md_len is larger than
 *    SHA256_DIGEST_LENGTH the function that expands the macro returns 0
 *    before the macro has written anything.
 *  - The default: case emits md_len / 4 whole words, so a length that is not
 *    a multiple of 4 is silently rounded down.
 */
#define HASH_MAKE_STRING(c,s)   do {                                \
        unsigned long ll;                                           \
        unsigned int  nn;                                           \
        switch ((c)->md_len) {                                      \
        case SHA224_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        case SHA256_DIGEST_LENGTH:                                  \
            for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) {     \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        default:                                                    \
            if ((c)->md_len > SHA256_DIGEST_LENGTH)                 \
                return 0;                                           \
            for (nn = 0; nn < (c)->md_len / 4; nn++) {              \
                ll = (c)->h[nn];                                    \
                (void)HOST_l2c(ll, (s));                            \
            }                                                       \
            break;                                                  \
        }                                                           \
    } while (0)
1003b4e3dcbSSimon L. B. Nielsen
/*
 * Function names handed to the shared template. SHA256_Update and
 * SHA256_Final are called above but not defined in this file; presumably the
 * template included below generates them under these names.
 */
#define HASH_UPDATE             SHA256_Update
#define HASH_TRANSFORM          SHA256_Transform
#define HASH_FINAL              SHA256_Final
#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order

/*
 * Compression function. Without SHA256_ASM it is file-local and defined
 * further down. With SHA256_ASM the `static` is dropped and the C
 * definitions below are compiled out, so the symbol has to come from
 * another object file (presumably an assembly module).
 */
#ifndef SHA256_ASM
static
#endif
void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
1093b4e3dcbSSimon L. B. Nielsen
11017f01e99SJung-uk Kim #include "crypto/md32_common.h"
1113b4e3dcbSSimon L. B. Nielsen
112db522d3aSSimon L. B. Nielsen #ifndef SHA256_ASM
/*
 * SHA-256 round constants, one per round; K256[i] is added in round i by
 * both compression-function variants below.
 */
static const SHA_LONG K256[64] = {
    /*  0.. 3 */ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    /*  4.. 7 */ 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    /*  8..11 */ 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    /* 12..15 */ 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    /* 16..19 */ 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    /* 20..23 */ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    /* 24..27 */ 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    /* 28..31 */ 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    /* 32..35 */ 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    /* 36..39 */ 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    /* 40..43 */ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    /* 44..47 */ 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    /* 48..51 */ 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    /* 52..55 */ 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    /* 56..59 */ 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    /* 60..63 */ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
};
1313b4e3dcbSSimon L. B. Nielsen
/*
 * The FIPS specification is written in terms of right rotations, while the
 * ROTATE macro used here rotates left. A right rotation by N is therefore
 * written as a left rotation by 32-N, which is why the rotation counts
 * below differ from those in the FIPS document. The plain right shifts in
 * sigma0 and sigma1 are used as specified.
 *
 * Every macro evaluates its argument(s) more than once; pass only
 * expressions without side effects.
 */
# define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
# define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
# define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
# define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))

/* Bitwise select (|x| picks between |y| and |z|) and bitwise majority. */
# define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
# define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
1443b4e3dcbSSimon L. B. Nielsen
1453b4e3dcbSSimon L. B. Nielsen # ifdef OPENSSL_SMALL_FOOTPRINT
1463b4e3dcbSSimon L. B. Nielsen
/*
 * Compact (OPENSSL_SMALL_FOOTPRINT) SHA-256 compression function.
 *
 * Folds |num| consecutive input blocks starting at |in| into ctx->h[].
 * Each block supplies 16 message words, fetched with HOST_c2l(); the only
 * length information available here is |num|, so the caller must guarantee
 * that the input really holds that many whole blocks.
 *
 * X[] is a 16-word circular window over the message schedule: from round 16
 * on, word i is computed in place from the entries at i+1, i+9 and i+14
 * (mod 16).
 *
 * X[] and the working variables hold message-derived values and are not
 * wiped before returning.
 */
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2;
    SHA_LONG X[16], l;
    int i;
    const unsigned char *data = in;

    for (; num != 0; num--) {
        /* Start from the current chaining value. */
        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        for (i = 0; i < 64; i++) {
            if (i < 16) {
                /* Rounds 0..15 take their word straight from the input. */
                (void)HOST_c2l(data, l);
                T1 = X[i] = l;
            } else {
                /* Rounds 16..63 extend the schedule inside the window. */
                s0 = X[(i + 1) & 0x0f];
                s0 = sigma0(s0);
                s1 = X[(i + 14) & 0x0f];
                s1 = sigma1(s1);

                T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
            }

            /* Round function proper, identical for all 64 rounds. */
            T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
            T2 = Sigma0(a) + Maj(a, b, c);
            h = g;
            g = f;
            f = e;
            e = d + T1;
            d = c;
            c = b;
            b = a;
            a = T1 + T2;
        }

        /* Feed-forward: add the block result to the chaining value. */
        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}
2113b4e3dcbSSimon L. B. Nielsen
2123b4e3dcbSSimon L. B. Nielsen # else
2133b4e3dcbSSimon L. B. Nielsen
/*
 * One SHA-256 round for the unrolled implementation.
 *
 * The macro is not hygienic: T1 is taken from the expanding scope and must
 * already hold the message word for round |i| when the macro is entered.
 * Only |d| and |h| are updated; instead of shifting the eight working
 * variables after each round, the caller rotates the order in which it
 * passes them.
 */
# define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
        T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
        h = Sigma0(a) + Maj(a,b,c);                     \
        d += T1;                                        \
        h += T1;                                        \
    } while (0)

/*
 * Rounds 16..63: compute the schedule word for round |i| in place in the
 * 16-entry window |X|, then run the common round. Besides T1 this also uses
 * s0 and s1 from the expanding scope.
 */
# define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
        s0 = X[(i+1)&0x0f];                             \
        s0 = sigma0(s0);                                \
        s1 = X[(i+14)&0x0f];                            \
        s1 = sigma1(s1);                                \
        T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
        ROUND_00_15(i,a,b,c,d,e,f,g,h);                 \
    } while (0)
2243b4e3dcbSSimon L. B. Nielsen
/*
 * Unrolled SHA-256 compression function (default C build).
 *
 * Folds |num| consecutive input blocks starting at |in| into ctx->h[]. The
 * only length information available here is |num|; the caller must
 * guarantee that the input holds that many whole blocks.
 *
 * Rounds 0..15 are written out in full, with the working variables rotated
 * through the ROUND_00_15 argument list rather than moved. Rounds 16..63
 * run eight at a time so the same rotation closes after each pass.
 *
 * X[] and the working variables hold message-derived values and are not
 * wiped before returning.
 */
static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                    size_t num)
{
    unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
    SHA_LONG X[16];
    int i;
    const unsigned char *data = in;
    DECLARE_IS_ENDIAN;

    for (; num != 0; num--) {
        /* Start from the current chaining value. */
        a = ctx->h[0];
        b = ctx->h[1];
        c = ctx->h[2];
        d = ctx->h[3];
        e = ctx->h[4];
        f = ctx->h[5];
        g = ctx->h[6];
        h = ctx->h[7];

        /*
         * Fast path: on a host that is not little-endian, with a 4-byte
         * SHA_LONG and a 4-byte-aligned input pointer, the words are loaded
         * directly through a SHA_LONG pointer instead of being assembled
         * byte by byte. The test uses |in|, the pointer as passed; |data|
         * moves by SHA256_CBLOCK per block on this path, which presumably
         * keeps the alignment unchanged.
         * NOTE(review): this reads caller-supplied bytes through a
         * differently typed pointer; the alignment check is what guards
         * the loads.
         */
        if (!IS_LITTLE_ENDIAN && sizeof(SHA_LONG) == 4
            && ((size_t)in % 4) == 0) {
            const SHA_LONG *W = (const SHA_LONG *)data;

            T1 = X[0] = W[0];   ROUND_00_15(0, a, b, c, d, e, f, g, h);
            T1 = X[1] = W[1];   ROUND_00_15(1, h, a, b, c, d, e, f, g);
            T1 = X[2] = W[2];   ROUND_00_15(2, g, h, a, b, c, d, e, f);
            T1 = X[3] = W[3];   ROUND_00_15(3, f, g, h, a, b, c, d, e);
            T1 = X[4] = W[4];   ROUND_00_15(4, e, f, g, h, a, b, c, d);
            T1 = X[5] = W[5];   ROUND_00_15(5, d, e, f, g, h, a, b, c);
            T1 = X[6] = W[6];   ROUND_00_15(6, c, d, e, f, g, h, a, b);
            T1 = X[7] = W[7];   ROUND_00_15(7, b, c, d, e, f, g, h, a);
            T1 = X[8] = W[8];   ROUND_00_15(8, a, b, c, d, e, f, g, h);
            T1 = X[9] = W[9];   ROUND_00_15(9, h, a, b, c, d, e, f, g);
            T1 = X[10] = W[10]; ROUND_00_15(10, g, h, a, b, c, d, e, f);
            T1 = X[11] = W[11]; ROUND_00_15(11, f, g, h, a, b, c, d, e);
            T1 = X[12] = W[12]; ROUND_00_15(12, e, f, g, h, a, b, c, d);
            T1 = X[13] = W[13]; ROUND_00_15(13, d, e, f, g, h, a, b, c);
            T1 = X[14] = W[14]; ROUND_00_15(14, c, d, e, f, g, h, a, b);
            T1 = X[15] = W[15]; ROUND_00_15(15, b, c, d, e, f, g, h, a);

            data += SHA256_CBLOCK;
        } else {
            /* Portable path: each word is fetched with HOST_c2l(). */
            SHA_LONG l;

            (void)HOST_c2l(data, l); T1 = X[0] = l;
            ROUND_00_15(0, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l); T1 = X[1] = l;
            ROUND_00_15(1, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l); T1 = X[2] = l;
            ROUND_00_15(2, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l); T1 = X[3] = l;
            ROUND_00_15(3, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l); T1 = X[4] = l;
            ROUND_00_15(4, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l); T1 = X[5] = l;
            ROUND_00_15(5, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l); T1 = X[6] = l;
            ROUND_00_15(6, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l); T1 = X[7] = l;
            ROUND_00_15(7, b, c, d, e, f, g, h, a);
            (void)HOST_c2l(data, l); T1 = X[8] = l;
            ROUND_00_15(8, a, b, c, d, e, f, g, h);
            (void)HOST_c2l(data, l); T1 = X[9] = l;
            ROUND_00_15(9, h, a, b, c, d, e, f, g);
            (void)HOST_c2l(data, l); T1 = X[10] = l;
            ROUND_00_15(10, g, h, a, b, c, d, e, f);
            (void)HOST_c2l(data, l); T1 = X[11] = l;
            ROUND_00_15(11, f, g, h, a, b, c, d, e);
            (void)HOST_c2l(data, l); T1 = X[12] = l;
            ROUND_00_15(12, e, f, g, h, a, b, c, d);
            (void)HOST_c2l(data, l); T1 = X[13] = l;
            ROUND_00_15(13, d, e, f, g, h, a, b, c);
            (void)HOST_c2l(data, l); T1 = X[14] = l;
            ROUND_00_15(14, c, d, e, f, g, h, a, b);
            (void)HOST_c2l(data, l); T1 = X[15] = l;
            ROUND_00_15(15, b, c, d, e, f, g, h, a);
        }

        /* Rounds 16..63, eight per pass. */
        for (i = 16; i < 64; i += 8) {
            ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
            ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
            ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
            ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
            ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
            ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
            ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
            ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
        }

        /* Feed-forward: add the block result to the chaining value. */
        ctx->h[0] += a;
        ctx->h[1] += b;
        ctx->h[2] += c;
        ctx->h[3] += d;
        ctx->h[4] += e;
        ctx->h[5] += f;
        ctx->h[6] += g;
        ctx->h[7] += h;
    }
}
3583b4e3dcbSSimon L. B. Nielsen
3593b4e3dcbSSimon L. B. Nielsen # endif
3603b4e3dcbSSimon L. B. Nielsen #endif /* SHA256_ASM */
361