Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1866)

Side by Side Diff: nss/lib/freebl/sha_fast.c

Issue 2078763002: Delete bundled copy of NSS and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss@master
Patch Set: Delete bundled copy of NSS and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « nss/lib/freebl/sha_fast.h ('k') | nss/lib/freebl/shsign.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #ifdef FREEBL_NO_DEPEND
6 #include "stubs.h"
7 #endif
8
9 #include <memory.h>
10 #include "blapi.h"
11 #include "sha_fast.h"
12 #include "prerror.h"
13
14 #ifdef TRACING_SSL
15 #include "ssl.h"
16 #include "ssltrace.h"
17 #endif
18
19 static void shaCompress(volatile SHA_HW_t *X, const PRUint32 * datain);
20
21 #define W u.w
22 #define B u.b
23
24
25 #define SHA_F1(X,Y,Z) ((((Y)^(Z))&(X))^(Z))
26 #define SHA_F2(X,Y,Z) ((X)^(Y)^(Z))
27 #define SHA_F3(X,Y,Z) (((X)&(Y))|((Z)&((X)|(Y))))
28 #define SHA_F4(X,Y,Z) ((X)^(Y)^(Z))
29
30 #define SHA_MIX(n,a,b,c) XW(n) = SHA_ROTL(XW(a)^XW(b)^XW(c)^XW(n), 1)
31
32 /*
33 * SHA: initialize context
34 */
35 void
36 SHA1_Begin(SHA1Context *ctx)
37 {
38 ctx->size = 0;
39 /*
40 * Initialize H with constants from FIPS180-1.
41 */
42 ctx->H[0] = 0x67452301L;
43 ctx->H[1] = 0xefcdab89L;
44 ctx->H[2] = 0x98badcfeL;
45 ctx->H[3] = 0x10325476L;
46 ctx->H[4] = 0xc3d2e1f0L;
47 }
48
49 /* Explanation of H array and index values:
50 * The context's H array is actually the concatenation of two arrays
51 * defined by SHA1, the H array of state variables (5 elements),
52 * and the W array of intermediate values, of which there are 16 elements.
53 * The W array starts at H[5], that is W[0] is H[5].
54 * Although these values are defined as 32-bit values, we use 64-bit
55 * variables to hold them because the AMD64 stores 64 bit values in
56 * memory MUCH faster than it stores any smaller values.
57 *
58 * Rather than passing the context structure to shaCompress, we pass
59 * this combined array of H and W values. We do not pass the address
60 * of the first element of this array, but rather pass the address of an
61 * element in the middle of the array, element X. Presently X[0] is H[11].
62 * So we pass the address of H[11] as the address of array X to shaCompress.
63 * Then shaCompress accesses the members of the array using positive AND
64 * negative indexes.
65 *
66 * Pictorially: (each element is 8 bytes)
67 * H | H0 H1 H2 H3 H4 W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 Wa Wb Wc Wd We Wf |
68 * X |-11-10 -9 -8 -7 -6 -5 -4 -3 -2 -1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 |
69 *
70 * The byte offset from X[0] to any member of H and W is always
71 * representable in a signed 8-bit value, which will be encoded
72 * as a single byte offset in the X86-64 instruction set.
73 * If we didn't pass the address of H[11], and instead passed the
74 * address of H[0], the offsets to elements H[16] and above would be
75 * greater than 127, not representable in a signed 8-bit value, and the
76 * x86-64 instruction set would encode every such offset as a 32-bit
77 * signed number in each instruction that accessed element H[16] or
78 * higher. This results in much bigger and slower code.
79 */
80 #if !defined(SHA_PUT_W_IN_STACK)
81 #define H2X 11 /* X[0] is H[11], and H[0] is X[-11] */
82 #define W2X 6 /* X[0] is W[6], and W[0] is X[-6] */
83 #else
84 #define H2X 0
85 #endif
86
87 /*
88 * SHA: Add data to context.
89 */
90 void
91 SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
92 {
93 register unsigned int lenB;
94 register unsigned int togo;
95
96 if (!len)
97 return;
98
99 /* accumulate the byte count. */
100 lenB = (unsigned int)(ctx->size) & 63U;
101
102 ctx->size += len;
103
104 /*
105 * Read the data into W and process blocks as they get full
106 */
107 if (lenB > 0) {
108 togo = 64U - lenB;
109 if (len < togo)
110 togo = len;
111 memcpy(ctx->B + lenB, dataIn, togo);
112 len -= togo;
113 dataIn += togo;
114 lenB = (lenB + togo) & 63U;
115 if (!lenB) {
116 shaCompress(&ctx->H[H2X], ctx->W);
117 }
118 }
119 #if !defined(SHA_ALLOW_UNALIGNED_ACCESS)
120 if ((ptrdiff_t)dataIn % sizeof(PRUint32)) {
121 while (len >= 64U) {
122 memcpy(ctx->B, dataIn, 64);
123 len -= 64U;
124 shaCompress(&ctx->H[H2X], ctx->W);
125 dataIn += 64U;
126 }
127 } else
128 #endif
129 {
130 while (len >= 64U) {
131 len -= 64U;
132 shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
133 dataIn += 64U;
134 }
135 }
136 if (len) {
137 memcpy(ctx->B, dataIn, len);
138 }
139 }
140
141
142 /*
143 * SHA: Generate hash value from context
144 */
145 void
146 SHA1_End(SHA1Context *ctx, unsigned char *hashout,
147 unsigned int *pDigestLen, unsigned int maxDigestLen)
148 {
149 register PRUint64 size;
150 register PRUint32 lenB;
151
152 static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
153 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
154 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
155 #define tmp lenB
156
157 PORT_Assert (maxDigestLen >= SHA1_LENGTH);
158
159 /*
160 * Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
161 */
162 size = ctx->size;
163
164 lenB = (PRUint32)size & 63;
165 SHA1_Update(ctx, bulk_pad, (((55+64) - lenB) & 63) + 1);
166 PORT_Assert(((PRUint32)ctx->size & 63) == 56);
167 /* Convert size from bytes to bits. */
168 size <<= 3;
169 ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
170 ctx->W[15] = SHA_HTONL((PRUint32)size);
171 shaCompress(&ctx->H[H2X], ctx->W);
172
173 /*
174 * Output hash
175 */
176 SHA_STORE_RESULT;
177 if (pDigestLen) {
178 *pDigestLen = SHA1_LENGTH;
179 }
180 #undef tmp
181 }
182
183 void
184 SHA1_EndRaw(SHA1Context *ctx, unsigned char *hashout,
185 unsigned int *pDigestLen, unsigned int maxDigestLen)
186 {
187 #if defined(SHA_NEED_TMP_VARIABLE)
188 register PRUint32 tmp;
189 #endif
190 PORT_Assert (maxDigestLen >= SHA1_LENGTH);
191
192 SHA_STORE_RESULT;
193 if (pDigestLen)
194 *pDigestLen = SHA1_LENGTH;
195 }
196
197 #undef B
198 /*
199 * SHA: Compression function, unrolled.
200 *
201 * Some operations in shaCompress are done as 5 groups of 16 operations.
202 * Others are done as 4 groups of 20 operations.
203 * The code below shows that structure.
204 *
205 * The functions that compute the new values of the 5 state variables
206 * A-E are done in 4 groups of 20 operations (or you may also think
207 * of them as being done in 16 groups of 5 operations). They are
208 * done by the SHA_RNDx macros below, in the right column.
209 *
210 * The functions that set the 16 values of the W array are done in
211 * 5 groups of 16 operations. The first group is done by the
212 * LOAD macros below, the latter 4 groups are done by SHA_MIX below,
213 * in the left column.
214 *
215 * gcc's optimizer observes that each member of the W array is assigned
216 * a value 5 times in this code. It reduces the number of store
217 * operations done to the W array in the context (that is, in the X array)
218 * by creating a W array on the stack, and storing the W values there for
219 * the first 4 groups of operations on W, and storing the values in the
220 * context's W array only in the fifth group. This is undesirable.
221 * It is MUCH bigger code than simply using the context's W array, because
222 * all the offsets to the W array in the stack are 32-bit signed offsets,
223 * and it is no faster than storing the values in the context's W array.
224 *
225 * The original code for sha_fast.c prevented this creation of a separate
226 * W array in the stack by creating a W array of 80 members, each of
227 * whose elements is assigned only once. It also separated the computations
228 * of the W array values and the computations of the values for the 5
229 * state variables into two separate passes, W's, then A-E's so that the
230 * second pass could be done all in registers (except for accessing the W
231 * array) on machines with fewer registers. The method is suboptimal
232 * for machines with enough registers to do it all in one pass, and it
233 * necessitates using many instructions with 32-bit offsets.
234 *
235 * This code eliminates the separate W array on the stack by a completely
236 * different means: by declaring the X array volatile. This prevents
237 * the optimizer from trying to reduce the use of the X array by the
238 * creation of a MORE expensive W array on the stack. The result is
239 * that all instructions use signed 8-bit offsets and not 32-bit offsets.
240 *
241 * The combination of this code and the -O3 optimizer flag on GCC 3.4.3
242 * results in code that is 3 times faster than the previous NSS sha_fast
243 * code on AMD64.
244 */
245 static void
246 shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf)
247 {
248 register SHA_HW_t A, B, C, D, E;
249
250 #if defined(SHA_NEED_TMP_VARIABLE)
251 register PRUint32 tmp;
252 #endif
253
254 #if !defined(SHA_PUT_W_IN_STACK)
255 #define XH(n) X[n-H2X]
256 #define XW(n) X[n-W2X]
257 #else
258 SHA_HW_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7,
259 w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
260 #define XW(n) w_ ## n
261 #define XH(n) X[n]
262 #endif
263
264 #define K0 0x5a827999L
265 #define K1 0x6ed9eba1L
266 #define K2 0x8f1bbcdcL
267 #define K3 0xca62c1d6L
268
269 #define SHA_RND1(a,b,c,d,e,n) \
270 a = SHA_ROTL(b,5)+SHA_F1(c,d,e)+a+XW(n)+K0; c=SHA_ROTL(c,30)
271 #define SHA_RND2(a,b,c,d,e,n) \
272 a = SHA_ROTL(b,5)+SHA_F2(c,d,e)+a+XW(n)+K1; c=SHA_ROTL(c,30)
273 #define SHA_RND3(a,b,c,d,e,n) \
274 a = SHA_ROTL(b,5)+SHA_F3(c,d,e)+a+XW(n)+K2; c=SHA_ROTL(c,30)
275 #define SHA_RND4(a,b,c,d,e,n) \
276 a = SHA_ROTL(b,5)+SHA_F4(c,d,e)+a+XW(n)+K3; c=SHA_ROTL(c,30)
277
278 #define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])
279
280 A = XH(0);
281 B = XH(1);
282 C = XH(2);
283 D = XH(3);
284 E = XH(4);
285
286 LOAD(0); SHA_RND1(E,A,B,C,D, 0);
287 LOAD(1); SHA_RND1(D,E,A,B,C, 1);
288 LOAD(2); SHA_RND1(C,D,E,A,B, 2);
289 LOAD(3); SHA_RND1(B,C,D,E,A, 3);
290 LOAD(4); SHA_RND1(A,B,C,D,E, 4);
291 LOAD(5); SHA_RND1(E,A,B,C,D, 5);
292 LOAD(6); SHA_RND1(D,E,A,B,C, 6);
293 LOAD(7); SHA_RND1(C,D,E,A,B, 7);
294 LOAD(8); SHA_RND1(B,C,D,E,A, 8);
295 LOAD(9); SHA_RND1(A,B,C,D,E, 9);
296 LOAD(10); SHA_RND1(E,A,B,C,D,10);
297 LOAD(11); SHA_RND1(D,E,A,B,C,11);
298 LOAD(12); SHA_RND1(C,D,E,A,B,12);
299 LOAD(13); SHA_RND1(B,C,D,E,A,13);
300 LOAD(14); SHA_RND1(A,B,C,D,E,14);
301 LOAD(15); SHA_RND1(E,A,B,C,D,15);
302
303 SHA_MIX( 0, 13, 8, 2); SHA_RND1(D,E,A,B,C, 0);
304 SHA_MIX( 1, 14, 9, 3); SHA_RND1(C,D,E,A,B, 1);
305 SHA_MIX( 2, 15, 10, 4); SHA_RND1(B,C,D,E,A, 2);
306 SHA_MIX( 3, 0, 11, 5); SHA_RND1(A,B,C,D,E, 3);
307
308 SHA_MIX( 4, 1, 12, 6); SHA_RND2(E,A,B,C,D, 4);
309 SHA_MIX( 5, 2, 13, 7); SHA_RND2(D,E,A,B,C, 5);
310 SHA_MIX( 6, 3, 14, 8); SHA_RND2(C,D,E,A,B, 6);
311 SHA_MIX( 7, 4, 15, 9); SHA_RND2(B,C,D,E,A, 7);
312 SHA_MIX( 8, 5, 0, 10); SHA_RND2(A,B,C,D,E, 8);
313 SHA_MIX( 9, 6, 1, 11); SHA_RND2(E,A,B,C,D, 9);
314 SHA_MIX(10, 7, 2, 12); SHA_RND2(D,E,A,B,C,10);
315 SHA_MIX(11, 8, 3, 13); SHA_RND2(C,D,E,A,B,11);
316 SHA_MIX(12, 9, 4, 14); SHA_RND2(B,C,D,E,A,12);
317 SHA_MIX(13, 10, 5, 15); SHA_RND2(A,B,C,D,E,13);
318 SHA_MIX(14, 11, 6, 0); SHA_RND2(E,A,B,C,D,14);
319 SHA_MIX(15, 12, 7, 1); SHA_RND2(D,E,A,B,C,15);
320
321 SHA_MIX( 0, 13, 8, 2); SHA_RND2(C,D,E,A,B, 0);
322 SHA_MIX( 1, 14, 9, 3); SHA_RND2(B,C,D,E,A, 1);
323 SHA_MIX( 2, 15, 10, 4); SHA_RND2(A,B,C,D,E, 2);
324 SHA_MIX( 3, 0, 11, 5); SHA_RND2(E,A,B,C,D, 3);
325 SHA_MIX( 4, 1, 12, 6); SHA_RND2(D,E,A,B,C, 4);
326 SHA_MIX( 5, 2, 13, 7); SHA_RND2(C,D,E,A,B, 5);
327 SHA_MIX( 6, 3, 14, 8); SHA_RND2(B,C,D,E,A, 6);
328 SHA_MIX( 7, 4, 15, 9); SHA_RND2(A,B,C,D,E, 7);
329
330 SHA_MIX( 8, 5, 0, 10); SHA_RND3(E,A,B,C,D, 8);
331 SHA_MIX( 9, 6, 1, 11); SHA_RND3(D,E,A,B,C, 9);
332 SHA_MIX(10, 7, 2, 12); SHA_RND3(C,D,E,A,B,10);
333 SHA_MIX(11, 8, 3, 13); SHA_RND3(B,C,D,E,A,11);
334 SHA_MIX(12, 9, 4, 14); SHA_RND3(A,B,C,D,E,12);
335 SHA_MIX(13, 10, 5, 15); SHA_RND3(E,A,B,C,D,13);
336 SHA_MIX(14, 11, 6, 0); SHA_RND3(D,E,A,B,C,14);
337 SHA_MIX(15, 12, 7, 1); SHA_RND3(C,D,E,A,B,15);
338
339 SHA_MIX( 0, 13, 8, 2); SHA_RND3(B,C,D,E,A, 0);
340 SHA_MIX( 1, 14, 9, 3); SHA_RND3(A,B,C,D,E, 1);
341 SHA_MIX( 2, 15, 10, 4); SHA_RND3(E,A,B,C,D, 2);
342 SHA_MIX( 3, 0, 11, 5); SHA_RND3(D,E,A,B,C, 3);
343 SHA_MIX( 4, 1, 12, 6); SHA_RND3(C,D,E,A,B, 4);
344 SHA_MIX( 5, 2, 13, 7); SHA_RND3(B,C,D,E,A, 5);
345 SHA_MIX( 6, 3, 14, 8); SHA_RND3(A,B,C,D,E, 6);
346 SHA_MIX( 7, 4, 15, 9); SHA_RND3(E,A,B,C,D, 7);
347 SHA_MIX( 8, 5, 0, 10); SHA_RND3(D,E,A,B,C, 8);
348 SHA_MIX( 9, 6, 1, 11); SHA_RND3(C,D,E,A,B, 9);
349 SHA_MIX(10, 7, 2, 12); SHA_RND3(B,C,D,E,A,10);
350 SHA_MIX(11, 8, 3, 13); SHA_RND3(A,B,C,D,E,11);
351
352 SHA_MIX(12, 9, 4, 14); SHA_RND4(E,A,B,C,D,12);
353 SHA_MIX(13, 10, 5, 15); SHA_RND4(D,E,A,B,C,13);
354 SHA_MIX(14, 11, 6, 0); SHA_RND4(C,D,E,A,B,14);
355 SHA_MIX(15, 12, 7, 1); SHA_RND4(B,C,D,E,A,15);
356
357 SHA_MIX( 0, 13, 8, 2); SHA_RND4(A,B,C,D,E, 0);
358 SHA_MIX( 1, 14, 9, 3); SHA_RND4(E,A,B,C,D, 1);
359 SHA_MIX( 2, 15, 10, 4); SHA_RND4(D,E,A,B,C, 2);
360 SHA_MIX( 3, 0, 11, 5); SHA_RND4(C,D,E,A,B, 3);
361 SHA_MIX( 4, 1, 12, 6); SHA_RND4(B,C,D,E,A, 4);
362 SHA_MIX( 5, 2, 13, 7); SHA_RND4(A,B,C,D,E, 5);
363 SHA_MIX( 6, 3, 14, 8); SHA_RND4(E,A,B,C,D, 6);
364 SHA_MIX( 7, 4, 15, 9); SHA_RND4(D,E,A,B,C, 7);
365 SHA_MIX( 8, 5, 0, 10); SHA_RND4(C,D,E,A,B, 8);
366 SHA_MIX( 9, 6, 1, 11); SHA_RND4(B,C,D,E,A, 9);
367 SHA_MIX(10, 7, 2, 12); SHA_RND4(A,B,C,D,E,10);
368 SHA_MIX(11, 8, 3, 13); SHA_RND4(E,A,B,C,D,11);
369 SHA_MIX(12, 9, 4, 14); SHA_RND4(D,E,A,B,C,12);
370 SHA_MIX(13, 10, 5, 15); SHA_RND4(C,D,E,A,B,13);
371 SHA_MIX(14, 11, 6, 0); SHA_RND4(B,C,D,E,A,14);
372 SHA_MIX(15, 12, 7, 1); SHA_RND4(A,B,C,D,E,15);
373
374 XH(0) += A;
375 XH(1) += B;
376 XH(2) += C;
377 XH(3) += D;
378 XH(4) += E;
379 }
380
381 /*************************************************************************
382 ** Code below this line added to make SHA code support BLAPI interface
383 */
384
385 SHA1Context *
386 SHA1_NewContext(void)
387 {
388 SHA1Context *cx;
389
390 /* no need to ZNew, SHA1_Begin will init the context */
391 cx = PORT_New(SHA1Context);
392 return cx;
393 }
394
395 /* Zero and free the context */
396 void
397 SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
398 {
399 memset(cx, 0, sizeof *cx);
400 if (freeit) {
401 PORT_Free(cx);
402 }
403 }
404
405 SECStatus
406 SHA1_HashBuf(unsigned char *dest, const unsigned char *src, PRUint32 src_length)
407 {
408 SHA1Context ctx;
409 unsigned int outLen;
410
411 SHA1_Begin(&ctx);
412 SHA1_Update(&ctx, src, src_length);
413 SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
414 memset(&ctx, 0, sizeof ctx);
415 return SECSuccess;
416 }
417
418 /* Hash a null-terminated character string. */
419 SECStatus
420 SHA1_Hash(unsigned char *dest, const char *src)
421 {
422 return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen (src));
423 }
424
425 /*
426 * need to support save/restore state in pkcs11. Stores all the info necessary
427 * for a structure into just a stream of bytes.
428 */
429 unsigned int
430 SHA1_FlattenSize(SHA1Context *cx)
431 {
432 return sizeof(SHA1Context);
433 }
434
435 SECStatus
436 SHA1_Flatten(SHA1Context *cx,unsigned char *space)
437 {
438 PORT_Memcpy(space,cx, sizeof(SHA1Context));
439 return SECSuccess;
440 }
441
442 SHA1Context *
443 SHA1_Resurrect(unsigned char *space,void *arg)
444 {
445 SHA1Context *cx = SHA1_NewContext();
446 if (cx == NULL) return NULL;
447
448 PORT_Memcpy(cx,space, sizeof(SHA1Context));
449 return cx;
450 }
451
452 void SHA1_Clone(SHA1Context *dest, SHA1Context *src)
453 {
454 memcpy(dest, src, sizeof *dest);
455 }
456
457 void
458 SHA1_TraceState(SHA1Context *ctx)
459 {
460 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
461 }
OLDNEW
« no previous file with comments | « nss/lib/freebl/sha_fast.h ('k') | nss/lib/freebl/shsign.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698