1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is SHA 180-1 Reference Implementation (Optimized).
16
* The Initial Developer of the Original Code is
17
* Paul Kocher of Cryptography Research.
18
* Portions created by the Initial Developer are Copyright (C) 1995-9
19
* the Initial Developer. All Rights Reserved.
23
* Alternatively, the contents of this file may be used under the terms of
24
* either the GNU General Public License Version 2 or later (the "GPL"), or
25
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26
* in which case the provisions of the GPL or the LGPL are applicable instead
27
* of those above. If you wish to allow use of your version of this file only
28
* under the terms of either the GPL or the LGPL, and not to allow others to
29
* use your version of this file under the terms of the MPL, indicate your
30
* decision by deleting the provisions above and replace them with the notice
31
* and other provisions required by the GPL or the LGPL. If you do not delete
32
* the provisions above, a recipient may use your version of this file under
33
* the terms of any one of the MPL, the GPL or the LGPL.
35
* ***** END LICENSE BLOCK ***** */
46
static void shaCompress(volatile SHA_HW_t *X, const PRUint32 * datain);
52
#define SHA_F1(X,Y,Z) ((((Y)^(Z))&(X))^(Z))
53
#define SHA_F2(X,Y,Z) ((X)^(Y)^(Z))
54
#define SHA_F3(X,Y,Z) (((X)&(Y))|((Z)&((X)|(Y))))
55
#define SHA_F4(X,Y,Z) ((X)^(Y)^(Z))
57
#define SHA_MIX(n,a,b,c) XW(n) = SHA_ROTL(XW(a)^XW(b)^XW(c)^XW(n), 1)
60
* SHA: initialize context
63
SHA1_Begin(SHA1Context *ctx)
67
* Initialize H with constants from FIPS180-1.
69
ctx->H[0] = 0x67452301L;
70
ctx->H[1] = 0xefcdab89L;
71
ctx->H[2] = 0x98badcfeL;
72
ctx->H[3] = 0x10325476L;
73
ctx->H[4] = 0xc3d2e1f0L;
76
/* Explanation of H array and index values:
77
* The context's H array is actually the concatenation of two arrays
78
* defined by SHA1, the H array of state variables (5 elements),
79
* and the W array of intermediate values, of which there are 16 elements.
80
* The W array starts at H[5], that is W[0] is H[5].
81
* Although these values are defined as 32-bit values, we use 64-bit
82
* variables to hold them because the AMD64 stores 64 bit values in
83
* memory MUCH faster than it stores any smaller values.
85
* Rather than passing the context structure to shaCompress, we pass
86
* this combined array of H and W values. We do not pass the address
87
* of the first element of this array, but rather pass the address of an
88
* element in the middle of the array, element X. Presently X[0] is H[11].
89
* So we pass the address of H[11] as the address of array X to shaCompress.
90
* Then shaCompress accesses the members of the array using positive AND
93
* Pictorially: (each element is 8 bytes)
94
* H | H0 H1 H2 H3 H4 W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 Wa Wb Wc Wd We Wf |
95
* X |-11-10 -9 -8 -7 -6 -5 -4 -3 -2 -1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 |
97
* The byte offset from X[0] to any member of H and W is always
98
* representable in a signed 8-bit value, which will be encoded
99
* as a single byte offset in the X86-64 instruction set.
100
* If we didn't pass the address of H[11], and instead passed the
101
* address of H[0], the offsets to elements H[16] and above would be
102
* greater than 127, not representable in a signed 8-bit value, and the
103
* x86-64 instruction set would encode every such offset as a 32-bit
104
* signed number in each instruction that accessed element H[16] or
105
* higher. This results in much bigger and slower code.
107
#if !defined(SHA_PUT_W_IN_STACK)
108
#define H2X 11 /* X[0] is H[11], and H[0] is X[-11] */
109
#define W2X 6 /* X[0] is W[6], and W[0] is X[-6] */
115
* SHA: Add data to context.
118
SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
120
register unsigned int lenB;
121
register unsigned int togo;
126
/* accumulate the byte count. */
127
lenB = (unsigned int)(ctx->size) & 63U;
132
* Read the data into W and process blocks as they get full
138
memcpy(ctx->B + lenB, dataIn, togo);
141
lenB = (lenB + togo) & 63U;
143
shaCompress(&ctx->H[H2X], ctx->W);
146
#if !defined(SHA_ALLOW_UNALIGNED_ACCESS)
147
if ((ptrdiff_t)dataIn % sizeof(PRUint32)) {
149
memcpy(ctx->B, dataIn, 64);
151
shaCompress(&ctx->H[H2X], ctx->W);
159
shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
164
memcpy(ctx->B, dataIn, len);
170
* SHA: Generate hash value from context
173
SHA1_End(SHA1Context *ctx, unsigned char *hashout,
174
unsigned int *pDigestLen, unsigned int maxDigestLen)
176
register PRUint64 size;
177
register PRUint32 lenB;
179
static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
180
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
181
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
184
PORT_Assert (maxDigestLen >= SHA1_LENGTH);
187
* Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
191
lenB = (PRUint32)size & 63;
192
SHA1_Update(ctx, bulk_pad, (((55+64) - lenB) & 63) + 1);
193
PORT_Assert(((PRUint32)ctx->size & 63) == 56);
194
/* Convert size from bytes to bits. */
196
ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
197
ctx->W[15] = SHA_HTONL((PRUint32)size);
198
shaCompress(&ctx->H[H2X], ctx->W);
204
*pDigestLen = SHA1_LENGTH;
211
* SHA: Compression function, unrolled.
213
* Some operations in shaCompress are done as 5 groups of 16 operations.
214
* Others are done as 4 groups of 20 operations.
215
* The code below shows that structure.
217
* The functions that compute the new values of the 5 state variables
218
* A-E are done in 4 groups of 20 operations (or you may also think
219
* of them as being done in 16 groups of 5 operations). They are
220
* done by the SHA_RNDx macros below, in the right column.
222
* The functions that set the 16 values of the W array are done in
223
* 5 groups of 16 operations. The first group is done by the
224
* LOAD macros below, the latter 4 groups are done by SHA_MIX below,
225
* in the left column.
227
* gcc's optimizer observes that each member of the W array is assigned
228
* a value 5 times in this code. It reduces the number of store
229
* operations done to the W array in the context (that is, in the X array)
230
* by creating a W array on the stack, and storing the W values there for
231
* the first 4 groups of operations on W, and storing the values in the
232
* context's W array only in the fifth group. This is undesirable.
233
* It is MUCH bigger code than simply using the context's W array, because
234
* all the offsets to the W array in the stack are 32-bit signed offsets,
235
* and it is no faster than storing the values in the context's W array.
237
* The original code for sha_fast.c prevented this creation of a separate
238
* W array in the stack by creating a W array of 80 members, each of
239
* whose elements is assigned only once. It also separated the computations
240
* of the W array values and the computations of the values for the 5
241
* state variables into two separate passes, W's, then A-E's so that the
242
* second pass could be done all in registers (except for accessing the W
243
* array) on machines with fewer registers. The method is suboptimal
244
* for machines with enough registers to do it all in one pass, and it
245
* necessitates using many instructions with 32-bit offsets.
247
* This code eliminates the separate W array on the stack by a completely
248
* different means: by declaring the X array volatile. This prevents
249
* the optimizer from trying to reduce the use of the X array by the
250
* creation of a MORE expensive W array on the stack. The result is
251
* that all instructions use signed 8-bit offsets and not 32-bit offsets.
253
* The combination of this code and the -O3 optimizer flag on GCC 3.4.3
254
* results in code that is 3 times faster than the previous NSS sha_fast
258
shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf)
260
register SHA_HW_t A, B, C, D, E;
262
#if defined(SHA_NEED_TMP_VARIABLE)
263
register PRUint32 tmp;
266
#if !defined(SHA_PUT_W_IN_STACK)
267
#define XH(n) X[n-H2X]
268
#define XW(n) X[n-W2X]
270
SHA_HW_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7,
271
w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
272
#define XW(n) w_ ## n
276
#define K0 0x5a827999L
277
#define K1 0x6ed9eba1L
278
#define K2 0x8f1bbcdcL
279
#define K3 0xca62c1d6L
281
#define SHA_RND1(a,b,c,d,e,n) \
282
a = SHA_ROTL(b,5)+SHA_F1(c,d,e)+a+XW(n)+K0; c=SHA_ROTL(c,30)
283
#define SHA_RND2(a,b,c,d,e,n) \
284
a = SHA_ROTL(b,5)+SHA_F2(c,d,e)+a+XW(n)+K1; c=SHA_ROTL(c,30)
285
#define SHA_RND3(a,b,c,d,e,n) \
286
a = SHA_ROTL(b,5)+SHA_F3(c,d,e)+a+XW(n)+K2; c=SHA_ROTL(c,30)
287
#define SHA_RND4(a,b,c,d,e,n) \
288
a = SHA_ROTL(b,5)+SHA_F4(c,d,e)+a+XW(n)+K3; c=SHA_ROTL(c,30)
290
#define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])
298
LOAD(0); SHA_RND1(E,A,B,C,D, 0);
299
LOAD(1); SHA_RND1(D,E,A,B,C, 1);
300
LOAD(2); SHA_RND1(C,D,E,A,B, 2);
301
LOAD(3); SHA_RND1(B,C,D,E,A, 3);
302
LOAD(4); SHA_RND1(A,B,C,D,E, 4);
303
LOAD(5); SHA_RND1(E,A,B,C,D, 5);
304
LOAD(6); SHA_RND1(D,E,A,B,C, 6);
305
LOAD(7); SHA_RND1(C,D,E,A,B, 7);
306
LOAD(8); SHA_RND1(B,C,D,E,A, 8);
307
LOAD(9); SHA_RND1(A,B,C,D,E, 9);
308
LOAD(10); SHA_RND1(E,A,B,C,D,10);
309
LOAD(11); SHA_RND1(D,E,A,B,C,11);
310
LOAD(12); SHA_RND1(C,D,E,A,B,12);
311
LOAD(13); SHA_RND1(B,C,D,E,A,13);
312
LOAD(14); SHA_RND1(A,B,C,D,E,14);
313
LOAD(15); SHA_RND1(E,A,B,C,D,15);
315
SHA_MIX( 0, 13, 8, 2); SHA_RND1(D,E,A,B,C, 0);
316
SHA_MIX( 1, 14, 9, 3); SHA_RND1(C,D,E,A,B, 1);
317
SHA_MIX( 2, 15, 10, 4); SHA_RND1(B,C,D,E,A, 2);
318
SHA_MIX( 3, 0, 11, 5); SHA_RND1(A,B,C,D,E, 3);
320
SHA_MIX( 4, 1, 12, 6); SHA_RND2(E,A,B,C,D, 4);
321
SHA_MIX( 5, 2, 13, 7); SHA_RND2(D,E,A,B,C, 5);
322
SHA_MIX( 6, 3, 14, 8); SHA_RND2(C,D,E,A,B, 6);
323
SHA_MIX( 7, 4, 15, 9); SHA_RND2(B,C,D,E,A, 7);
324
SHA_MIX( 8, 5, 0, 10); SHA_RND2(A,B,C,D,E, 8);
325
SHA_MIX( 9, 6, 1, 11); SHA_RND2(E,A,B,C,D, 9);
326
SHA_MIX(10, 7, 2, 12); SHA_RND2(D,E,A,B,C,10);
327
SHA_MIX(11, 8, 3, 13); SHA_RND2(C,D,E,A,B,11);
328
SHA_MIX(12, 9, 4, 14); SHA_RND2(B,C,D,E,A,12);
329
SHA_MIX(13, 10, 5, 15); SHA_RND2(A,B,C,D,E,13);
330
SHA_MIX(14, 11, 6, 0); SHA_RND2(E,A,B,C,D,14);
331
SHA_MIX(15, 12, 7, 1); SHA_RND2(D,E,A,B,C,15);
333
SHA_MIX( 0, 13, 8, 2); SHA_RND2(C,D,E,A,B, 0);
334
SHA_MIX( 1, 14, 9, 3); SHA_RND2(B,C,D,E,A, 1);
335
SHA_MIX( 2, 15, 10, 4); SHA_RND2(A,B,C,D,E, 2);
336
SHA_MIX( 3, 0, 11, 5); SHA_RND2(E,A,B,C,D, 3);
337
SHA_MIX( 4, 1, 12, 6); SHA_RND2(D,E,A,B,C, 4);
338
SHA_MIX( 5, 2, 13, 7); SHA_RND2(C,D,E,A,B, 5);
339
SHA_MIX( 6, 3, 14, 8); SHA_RND2(B,C,D,E,A, 6);
340
SHA_MIX( 7, 4, 15, 9); SHA_RND2(A,B,C,D,E, 7);
342
SHA_MIX( 8, 5, 0, 10); SHA_RND3(E,A,B,C,D, 8);
343
SHA_MIX( 9, 6, 1, 11); SHA_RND3(D,E,A,B,C, 9);
344
SHA_MIX(10, 7, 2, 12); SHA_RND3(C,D,E,A,B,10);
345
SHA_MIX(11, 8, 3, 13); SHA_RND3(B,C,D,E,A,11);
346
SHA_MIX(12, 9, 4, 14); SHA_RND3(A,B,C,D,E,12);
347
SHA_MIX(13, 10, 5, 15); SHA_RND3(E,A,B,C,D,13);
348
SHA_MIX(14, 11, 6, 0); SHA_RND3(D,E,A,B,C,14);
349
SHA_MIX(15, 12, 7, 1); SHA_RND3(C,D,E,A,B,15);
351
SHA_MIX( 0, 13, 8, 2); SHA_RND3(B,C,D,E,A, 0);
352
SHA_MIX( 1, 14, 9, 3); SHA_RND3(A,B,C,D,E, 1);
353
SHA_MIX( 2, 15, 10, 4); SHA_RND3(E,A,B,C,D, 2);
354
SHA_MIX( 3, 0, 11, 5); SHA_RND3(D,E,A,B,C, 3);
355
SHA_MIX( 4, 1, 12, 6); SHA_RND3(C,D,E,A,B, 4);
356
SHA_MIX( 5, 2, 13, 7); SHA_RND3(B,C,D,E,A, 5);
357
SHA_MIX( 6, 3, 14, 8); SHA_RND3(A,B,C,D,E, 6);
358
SHA_MIX( 7, 4, 15, 9); SHA_RND3(E,A,B,C,D, 7);
359
SHA_MIX( 8, 5, 0, 10); SHA_RND3(D,E,A,B,C, 8);
360
SHA_MIX( 9, 6, 1, 11); SHA_RND3(C,D,E,A,B, 9);
361
SHA_MIX(10, 7, 2, 12); SHA_RND3(B,C,D,E,A,10);
362
SHA_MIX(11, 8, 3, 13); SHA_RND3(A,B,C,D,E,11);
364
SHA_MIX(12, 9, 4, 14); SHA_RND4(E,A,B,C,D,12);
365
SHA_MIX(13, 10, 5, 15); SHA_RND4(D,E,A,B,C,13);
366
SHA_MIX(14, 11, 6, 0); SHA_RND4(C,D,E,A,B,14);
367
SHA_MIX(15, 12, 7, 1); SHA_RND4(B,C,D,E,A,15);
369
SHA_MIX( 0, 13, 8, 2); SHA_RND4(A,B,C,D,E, 0);
370
SHA_MIX( 1, 14, 9, 3); SHA_RND4(E,A,B,C,D, 1);
371
SHA_MIX( 2, 15, 10, 4); SHA_RND4(D,E,A,B,C, 2);
372
SHA_MIX( 3, 0, 11, 5); SHA_RND4(C,D,E,A,B, 3);
373
SHA_MIX( 4, 1, 12, 6); SHA_RND4(B,C,D,E,A, 4);
374
SHA_MIX( 5, 2, 13, 7); SHA_RND4(A,B,C,D,E, 5);
375
SHA_MIX( 6, 3, 14, 8); SHA_RND4(E,A,B,C,D, 6);
376
SHA_MIX( 7, 4, 15, 9); SHA_RND4(D,E,A,B,C, 7);
377
SHA_MIX( 8, 5, 0, 10); SHA_RND4(C,D,E,A,B, 8);
378
SHA_MIX( 9, 6, 1, 11); SHA_RND4(B,C,D,E,A, 9);
379
SHA_MIX(10, 7, 2, 12); SHA_RND4(A,B,C,D,E,10);
380
SHA_MIX(11, 8, 3, 13); SHA_RND4(E,A,B,C,D,11);
381
SHA_MIX(12, 9, 4, 14); SHA_RND4(D,E,A,B,C,12);
382
SHA_MIX(13, 10, 5, 15); SHA_RND4(C,D,E,A,B,13);
383
SHA_MIX(14, 11, 6, 0); SHA_RND4(B,C,D,E,A,14);
384
SHA_MIX(15, 12, 7, 1); SHA_RND4(A,B,C,D,E,15);
393
/*************************************************************************
394
** Code below this line added to make SHA code support BLAPI interface
398
SHA1_NewContext(void)
402
/* no need to ZNew, SHA1_Begin will init the context */
403
cx = PORT_New(SHA1Context);
407
/* Zero and free the context */
409
SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
411
memset(cx, 0, sizeof *cx);
418
SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
424
SHA1_Update(&ctx, src, src_length);
425
SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
429
/* Hash a null-terminated character string. */
431
SHA1_Hash(unsigned char *dest, const char *src)
433
return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen (src));
437
* need to support save/restore state in pkcs11. Stores all the info necessary
438
* for a structure into just a stream of bytes.
441
SHA1_FlattenSize(SHA1Context *cx)
443
return sizeof(SHA1Context);
447
SHA1_Flatten(SHA1Context *cx,unsigned char *space)
449
PORT_Memcpy(space,cx, sizeof(SHA1Context));
454
SHA1_Resurrect(unsigned char *space,void *arg)
456
SHA1Context *cx = SHA1_NewContext();
457
if (cx == NULL) return NULL;
459
PORT_Memcpy(cx,space, sizeof(SHA1Context));
463
void SHA1_Clone(SHA1Context *dest, SHA1Context *src)
465
memcpy(dest, src, sizeof *dest);
469
SHA1_TraceState(SHA1Context *ctx)
471
PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);