Back to index

lightning-sunbird  0.9+nobinonly
sha_fast.c
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is SHA 180-1 Reference Implementation (Optimized).
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Paul Kocher of Cryptography Research.
00018  * Portions created by the Initial Developer are Copyright (C) 1995-9
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 #include <memory.h>
00037 #include "blapi.h"
00038 #include "sha_fast.h"
00039 #include "prerror.h"
00040 
00041 #ifdef TRACING_SSL
00042 #include "ssl.h"
00043 #include "ssltrace.h"
00044 #endif
00045 
00046 static void shaCompress(volatile SHA_HW_t *X, const PRUint32 * datain);
00047 
00048 #define W u.w
00049 #define B u.b
00050 
00051 
00052 #define SHA_F1(X,Y,Z) ((((Y)^(Z))&(X))^(Z))
00053 #define SHA_F2(X,Y,Z) ((X)^(Y)^(Z))
00054 #define SHA_F3(X,Y,Z) (((X)&(Y))|((Z)&((X)|(Y))))
00055 #define SHA_F4(X,Y,Z) ((X)^(Y)^(Z))
00056 
00057 #define SHA_MIX(n,a,b,c)    XW(n) = SHA_ROTL(XW(a)^XW(b)^XW(c)^XW(n), 1)
00058 
00059 /*
00060  *  SHA: initialize context
00061  */
00062 void 
00063 SHA1_Begin(SHA1Context *ctx)
00064 {
00065   ctx->size = 0;
00066   /*
00067    *  Initialize H with constants from FIPS180-1.
00068    */
00069   ctx->H[0] = 0x67452301L;
00070   ctx->H[1] = 0xefcdab89L;
00071   ctx->H[2] = 0x98badcfeL;
00072   ctx->H[3] = 0x10325476L;
00073   ctx->H[4] = 0xc3d2e1f0L;
00074 }
00075 
00076 /* Explanation of H array and index values:
00077  * The context's H array is actually the concatenation of two arrays 
00078  * defined by SHA1, the H array of state variables (5 elements),
00079  * and the W array of intermediate values, of which there are 16 elements.
00080  * The W array starts at H[5], that is W[0] is H[5].
00081  * Although these values are defined as 32-bit values, we use 64-bit
00082  * variables to hold them because the AMD64 stores 64 bit values in
00083  * memory MUCH faster than it stores any smaller values.
00084  *
00085  * Rather than passing the context structure to shaCompress, we pass
00086  * this combined array of H and W values.  We do not pass the address
00087  * of the first element of this array, but rather pass the address of an
00088  * element in the middle of the array, element X.  Presently X[0] is H[11].
00089  * So we pass the address of H[11] as the address of array X to shaCompress.
00090  * Then shaCompress accesses the members of the array using positive AND 
00091  * negative indexes.  
00092  *
00093  * Pictorially: (each element is 8 bytes)
00094  * H | H0 H1 H2 H3 H4 W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 Wa Wb Wc Wd We Wf |
00095  * X |-11-10 -9 -8 -7 -6 -5 -4 -3 -2 -1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 |
00096  * 
00097  * The byte offset from X[0] to any member of H and W is always 
00098  * representable in a signed 8-bit value, which will be encoded 
00099  * as a single byte offset in the X86-64 instruction set.  
00100  * If we didn't pass the address of H[11], and instead passed the 
00101  * address of H[0], the offsets to elements H[16] and above would be
00102  * greater than 127, not representable in a signed 8-bit value, and the 
00103  * x86-64 instruction set would encode every such offset as a 32-bit 
00104  * signed number in each instruction that accessed element H[16] or 
00105  * higher.  This results in much bigger and slower code. 
00106  */
00107 #if !defined(SHA_PUT_W_IN_STACK)
00108 #define H2X 11 /* X[0] is H[11], and H[0] is X[-11] */
00109 #define W2X  6 /* X[0] is W[6],  and W[0] is X[-6]  */
00110 #else
00111 #define H2X 0
00112 #endif
00113 
00114 /*
00115  *  SHA: Add data to context.
00116  */
00117 void 
00118 SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len) 
00119 {
00120   register unsigned int lenB;
00121   register unsigned int togo;
00122 
00123   if (!len)
00124     return;
00125 
00126   /* accumulate the byte count. */
00127   lenB = (unsigned int)(ctx->size) & 63U;
00128 
00129   ctx->size += len;
00130 
00131   /*
00132    *  Read the data into W and process blocks as they get full
00133    */
00134   if (lenB > 0) {
00135     togo = 64U - lenB;
00136     if (len < togo)
00137       togo = len;
00138     memcpy(ctx->B + lenB, dataIn, togo);
00139     len    -= togo;
00140     dataIn += togo;
00141     lenB    = (lenB + togo) & 63U;
00142     if (!lenB) {
00143       shaCompress(&ctx->H[H2X], ctx->W);
00144     }
00145   }
00146 #if !defined(SHA_ALLOW_UNALIGNED_ACCESS)
00147   if ((ptrdiff_t)dataIn % sizeof(PRUint32)) {
00148     while (len >= 64U) {
00149       memcpy(ctx->B, dataIn, 64);
00150       len    -= 64U;
00151       shaCompress(&ctx->H[H2X], ctx->W);
00152       dataIn += 64U;
00153     }
00154   } else 
00155 #endif
00156   {
00157     while (len >= 64U) {
00158       len    -= 64U;
00159       shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
00160       dataIn += 64U;
00161     }
00162   }
00163   if (len) {
00164     memcpy(ctx->B, dataIn, len);
00165   }
00166 }
00167 
00168 
00169 /*
00170  *  SHA: Generate hash value from context
00171  */
00172 void 
00173 SHA1_End(SHA1Context *ctx, unsigned char *hashout,
00174          unsigned int *pDigestLen, unsigned int maxDigestLen)
00175 {
00176   register PRUint64 size;
00177   register PRUint32 lenB;
00178 
00179   static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
00180           0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
00181           0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
00182 #define tmp lenB
00183 
00184   PORT_Assert (maxDigestLen >= SHA1_LENGTH);
00185 
00186   /*
00187    *  Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
00188    */
00189   size = ctx->size;
00190 
00191   lenB = (PRUint32)size & 63;
00192   SHA1_Update(ctx, bulk_pad, (((55+64) - lenB) & 63) + 1);
00193   PORT_Assert(((PRUint32)ctx->size & 63) == 56);
00194   /* Convert size from bytes to bits. */
00195   size <<= 3;
00196   ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
00197   ctx->W[15] = SHA_HTONL((PRUint32)size);
00198   shaCompress(&ctx->H[H2X], ctx->W);
00199 
00200   /*
00201    *  Output hash
00202    */
00203   SHA_STORE_RESULT;
00204   *pDigestLen = SHA1_LENGTH;
00205 
00206 }
00207 
00208 #undef B
00209 #undef tmp
00210 /*
00211  *  SHA: Compression function, unrolled.
00212  *
00213  * Some operations in shaCompress are done as 5 groups of 16 operations.
00214  * Others are done as 4 groups of 20 operations.
00215  * The code below shows that structure.
00216  *
00217  * The functions that compute the new values of the 5 state variables
00218  * A-E are done in 4 groups of 20 operations (or you may also think
00219  * of them as being done in 16 groups of 5 operations).  They are
00220  * done by the SHA_RNDx macros below, in the right column.
00221  *
00222  * The functions that set the 16 values of the W array are done in 
00223  * 5 groups of 16 operations.  The first group is done by the 
00224  * LOAD macros below, the latter 4 groups are done by SHA_MIX below,
00225  * in the left column.
00226  *
00227  * gcc's optimizer observes that each member of the W array is assigned
00228  * a value 5 times in this code.  It reduces the number of store 
00229  * operations done to the W array in the context (that is, in the X array)
00230  * by creating a W array on the stack, and storing the W values there for 
00231  * the first 4 groups of operations on W, and storing the values in the 
00232  * context's W array only in the fifth group.  This is undesirable.
00233  * It is MUCH bigger code than simply using the context's W array, because 
00234  * all the offsets to the W array in the stack are 32-bit signed offsets, 
00235  * and it is no faster than storing the values in the context's W array. 
00236  *
00237  * The original code for sha_fast.c prevented this creation of a separate 
00238  * W array in the stack by creating a W array of 80 members, each of
00239  * whose elements is assigned only once. It also separated the computations
00240  * of the W array values and the computations of the values for the 5
00241  * state variables into two separate passes, W's, then A-E's so that the 
00242  * second pass could be done all in registers (except for accessing the W
00243  * array) on machines with fewer registers.  The method is suboptimal
00244  * for machines with enough registers to do it all in one pass, and it
00245  * necessitates using many instructions with 32-bit offsets.
00246  *
00247  * This code eliminates the separate W array on the stack by a completely
00248  * different means: by declaring the X array volatile.  This prevents
00249  * the optimizer from trying to reduce the use of the X array by the
00250  * creation of a MORE expensive W array on the stack. The result is
00251  * that all instructions use signed 8-bit offsets and not 32-bit offsets.
00252  *
00253  * The combination of this code and the -O3 optimizer flag on GCC 3.4.3
00254  * results in code that is 3 times faster than the previous NSS sha_fast
00255  * code on AMD64.
00256  */
00257 static void 
00258 shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf) 
00259 {
00260   register SHA_HW_t A, B, C, D, E;
00261 
00262 #if defined(SHA_NEED_TMP_VARIABLE)
00263   register PRUint32 tmp;
00264 #endif
00265 
00266 #if !defined(SHA_PUT_W_IN_STACK)
00267 #define XH(n) X[n-H2X]
00268 #define XW(n) X[n-W2X]
00269 #else
00270   SHA_HW_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7,
00271            w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
00272 #define XW(n) w_ ## n
00273 #define XH(n) X[n]
00274 #endif
00275 
00276 #define K0 0x5a827999L
00277 #define K1 0x6ed9eba1L
00278 #define K2 0x8f1bbcdcL
00279 #define K3 0xca62c1d6L
00280 
00281 #define SHA_RND1(a,b,c,d,e,n) \
00282   a = SHA_ROTL(b,5)+SHA_F1(c,d,e)+a+XW(n)+K0; c=SHA_ROTL(c,30) 
00283 #define SHA_RND2(a,b,c,d,e,n) \
00284   a = SHA_ROTL(b,5)+SHA_F2(c,d,e)+a+XW(n)+K1; c=SHA_ROTL(c,30) 
00285 #define SHA_RND3(a,b,c,d,e,n) \
00286   a = SHA_ROTL(b,5)+SHA_F3(c,d,e)+a+XW(n)+K2; c=SHA_ROTL(c,30) 
00287 #define SHA_RND4(a,b,c,d,e,n) \
00288   a = SHA_ROTL(b,5)+SHA_F4(c,d,e)+a+XW(n)+K3; c=SHA_ROTL(c,30) 
00289 
00290 #define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])
00291 
00292   A = XH(0);
00293   B = XH(1);
00294   C = XH(2);
00295   D = XH(3);
00296   E = XH(4);
00297 
00298   LOAD(0);              SHA_RND1(E,A,B,C,D, 0);
00299   LOAD(1);              SHA_RND1(D,E,A,B,C, 1);
00300   LOAD(2);              SHA_RND1(C,D,E,A,B, 2);
00301   LOAD(3);              SHA_RND1(B,C,D,E,A, 3);
00302   LOAD(4);              SHA_RND1(A,B,C,D,E, 4);
00303   LOAD(5);              SHA_RND1(E,A,B,C,D, 5);
00304   LOAD(6);              SHA_RND1(D,E,A,B,C, 6);
00305   LOAD(7);              SHA_RND1(C,D,E,A,B, 7);
00306   LOAD(8);              SHA_RND1(B,C,D,E,A, 8);
00307   LOAD(9);              SHA_RND1(A,B,C,D,E, 9);
00308   LOAD(10);             SHA_RND1(E,A,B,C,D,10);
00309   LOAD(11);             SHA_RND1(D,E,A,B,C,11);
00310   LOAD(12);             SHA_RND1(C,D,E,A,B,12);
00311   LOAD(13);             SHA_RND1(B,C,D,E,A,13);
00312   LOAD(14);             SHA_RND1(A,B,C,D,E,14);
00313   LOAD(15);             SHA_RND1(E,A,B,C,D,15);
00314 
00315   SHA_MIX( 0, 13,  8,  2); SHA_RND1(D,E,A,B,C, 0);
00316   SHA_MIX( 1, 14,  9,  3); SHA_RND1(C,D,E,A,B, 1);
00317   SHA_MIX( 2, 15, 10,  4); SHA_RND1(B,C,D,E,A, 2);
00318   SHA_MIX( 3,  0, 11,  5); SHA_RND1(A,B,C,D,E, 3);
00319 
00320   SHA_MIX( 4,  1, 12,  6); SHA_RND2(E,A,B,C,D, 4);
00321   SHA_MIX( 5,  2, 13,  7); SHA_RND2(D,E,A,B,C, 5);
00322   SHA_MIX( 6,  3, 14,  8); SHA_RND2(C,D,E,A,B, 6);
00323   SHA_MIX( 7,  4, 15,  9); SHA_RND2(B,C,D,E,A, 7);
00324   SHA_MIX( 8,  5,  0, 10); SHA_RND2(A,B,C,D,E, 8);
00325   SHA_MIX( 9,  6,  1, 11); SHA_RND2(E,A,B,C,D, 9);
00326   SHA_MIX(10,  7,  2, 12); SHA_RND2(D,E,A,B,C,10);
00327   SHA_MIX(11,  8,  3, 13); SHA_RND2(C,D,E,A,B,11);
00328   SHA_MIX(12,  9,  4, 14); SHA_RND2(B,C,D,E,A,12);
00329   SHA_MIX(13, 10,  5, 15); SHA_RND2(A,B,C,D,E,13);
00330   SHA_MIX(14, 11,  6,  0); SHA_RND2(E,A,B,C,D,14);
00331   SHA_MIX(15, 12,  7,  1); SHA_RND2(D,E,A,B,C,15);
00332 
00333   SHA_MIX( 0, 13,  8,  2); SHA_RND2(C,D,E,A,B, 0);
00334   SHA_MIX( 1, 14,  9,  3); SHA_RND2(B,C,D,E,A, 1);
00335   SHA_MIX( 2, 15, 10,  4); SHA_RND2(A,B,C,D,E, 2);
00336   SHA_MIX( 3,  0, 11,  5); SHA_RND2(E,A,B,C,D, 3);
00337   SHA_MIX( 4,  1, 12,  6); SHA_RND2(D,E,A,B,C, 4);
00338   SHA_MIX( 5,  2, 13,  7); SHA_RND2(C,D,E,A,B, 5);
00339   SHA_MIX( 6,  3, 14,  8); SHA_RND2(B,C,D,E,A, 6);
00340   SHA_MIX( 7,  4, 15,  9); SHA_RND2(A,B,C,D,E, 7);
00341 
00342   SHA_MIX( 8,  5,  0, 10); SHA_RND3(E,A,B,C,D, 8);
00343   SHA_MIX( 9,  6,  1, 11); SHA_RND3(D,E,A,B,C, 9);
00344   SHA_MIX(10,  7,  2, 12); SHA_RND3(C,D,E,A,B,10);
00345   SHA_MIX(11,  8,  3, 13); SHA_RND3(B,C,D,E,A,11);
00346   SHA_MIX(12,  9,  4, 14); SHA_RND3(A,B,C,D,E,12);
00347   SHA_MIX(13, 10,  5, 15); SHA_RND3(E,A,B,C,D,13);
00348   SHA_MIX(14, 11,  6,  0); SHA_RND3(D,E,A,B,C,14);
00349   SHA_MIX(15, 12,  7,  1); SHA_RND3(C,D,E,A,B,15);
00350 
00351   SHA_MIX( 0, 13,  8,  2); SHA_RND3(B,C,D,E,A, 0);
00352   SHA_MIX( 1, 14,  9,  3); SHA_RND3(A,B,C,D,E, 1);
00353   SHA_MIX( 2, 15, 10,  4); SHA_RND3(E,A,B,C,D, 2);
00354   SHA_MIX( 3,  0, 11,  5); SHA_RND3(D,E,A,B,C, 3);
00355   SHA_MIX( 4,  1, 12,  6); SHA_RND3(C,D,E,A,B, 4);
00356   SHA_MIX( 5,  2, 13,  7); SHA_RND3(B,C,D,E,A, 5);
00357   SHA_MIX( 6,  3, 14,  8); SHA_RND3(A,B,C,D,E, 6);
00358   SHA_MIX( 7,  4, 15,  9); SHA_RND3(E,A,B,C,D, 7);
00359   SHA_MIX( 8,  5,  0, 10); SHA_RND3(D,E,A,B,C, 8);
00360   SHA_MIX( 9,  6,  1, 11); SHA_RND3(C,D,E,A,B, 9);
00361   SHA_MIX(10,  7,  2, 12); SHA_RND3(B,C,D,E,A,10);
00362   SHA_MIX(11,  8,  3, 13); SHA_RND3(A,B,C,D,E,11);
00363 
00364   SHA_MIX(12,  9,  4, 14); SHA_RND4(E,A,B,C,D,12);
00365   SHA_MIX(13, 10,  5, 15); SHA_RND4(D,E,A,B,C,13);
00366   SHA_MIX(14, 11,  6,  0); SHA_RND4(C,D,E,A,B,14);
00367   SHA_MIX(15, 12,  7,  1); SHA_RND4(B,C,D,E,A,15);
00368 
00369   SHA_MIX( 0, 13,  8,  2); SHA_RND4(A,B,C,D,E, 0);
00370   SHA_MIX( 1, 14,  9,  3); SHA_RND4(E,A,B,C,D, 1);
00371   SHA_MIX( 2, 15, 10,  4); SHA_RND4(D,E,A,B,C, 2);
00372   SHA_MIX( 3,  0, 11,  5); SHA_RND4(C,D,E,A,B, 3);
00373   SHA_MIX( 4,  1, 12,  6); SHA_RND4(B,C,D,E,A, 4);
00374   SHA_MIX( 5,  2, 13,  7); SHA_RND4(A,B,C,D,E, 5);
00375   SHA_MIX( 6,  3, 14,  8); SHA_RND4(E,A,B,C,D, 6);
00376   SHA_MIX( 7,  4, 15,  9); SHA_RND4(D,E,A,B,C, 7);
00377   SHA_MIX( 8,  5,  0, 10); SHA_RND4(C,D,E,A,B, 8);
00378   SHA_MIX( 9,  6,  1, 11); SHA_RND4(B,C,D,E,A, 9);
00379   SHA_MIX(10,  7,  2, 12); SHA_RND4(A,B,C,D,E,10);
00380   SHA_MIX(11,  8,  3, 13); SHA_RND4(E,A,B,C,D,11);
00381   SHA_MIX(12,  9,  4, 14); SHA_RND4(D,E,A,B,C,12);
00382   SHA_MIX(13, 10,  5, 15); SHA_RND4(C,D,E,A,B,13);
00383   SHA_MIX(14, 11,  6,  0); SHA_RND4(B,C,D,E,A,14);
00384   SHA_MIX(15, 12,  7,  1); SHA_RND4(A,B,C,D,E,15);
00385 
00386   XH(0) += A;
00387   XH(1) += B;
00388   XH(2) += C;
00389   XH(3) += D;
00390   XH(4) += E;
00391 }
00392 
00393 /*************************************************************************
00394 ** Code below this line added to make SHA code support BLAPI interface
00395 */
00396 
00397 SHA1Context *
00398 SHA1_NewContext(void)
00399 {
00400     SHA1Context *cx;
00401 
00402     /* no need to ZNew, SHA1_Begin will init the context */
00403     cx = PORT_New(SHA1Context);
00404     return cx;
00405 }
00406 
00407 /* Zero and free the context */
00408 void
00409 SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
00410 {
00411     memset(cx, 0, sizeof *cx);
00412     if (freeit) {
00413         PORT_Free(cx);
00414     }
00415 }
00416 
00417 SECStatus
00418 SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
00419 {
00420     SHA1Context ctx;
00421     unsigned int outLen;
00422 
00423     SHA1_Begin(&ctx);
00424     SHA1_Update(&ctx, src, src_length);
00425     SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
00426     return SECSuccess;
00427 }
00428 
00429 /* Hash a null-terminated character string. */
00430 SECStatus
00431 SHA1_Hash(unsigned char *dest, const char *src)
00432 {
00433     return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen (src));
00434 }
00435 
00436 /*
00437  * need to support save/restore state in pkcs11. Stores all the info necessary
00438  * for a structure into just a stream of bytes.
00439  */
00440 unsigned int
00441 SHA1_FlattenSize(SHA1Context *cx)
00442 {
00443     return sizeof(SHA1Context);
00444 }
00445 
00446 SECStatus
00447 SHA1_Flatten(SHA1Context *cx,unsigned char *space)
00448 {
00449     PORT_Memcpy(space,cx, sizeof(SHA1Context));
00450     return SECSuccess;
00451 }
00452 
00453 SHA1Context *
00454 SHA1_Resurrect(unsigned char *space,void *arg)
00455 {
00456     SHA1Context *cx = SHA1_NewContext();
00457     if (cx == NULL) return NULL;
00458 
00459     PORT_Memcpy(cx,space, sizeof(SHA1Context));
00460     return cx;
00461 }
00462 
00463 void SHA1_Clone(SHA1Context *dest, SHA1Context *src) 
00464 {
00465     memcpy(dest, src, sizeof *dest);
00466 }
00467 
00468 void
00469 SHA1_TraceState(SHA1Context *ctx)
00470 {
00471     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
00472 }