diff options
| author | jsing <> | 2023-07-02 14:57:58 +0000 |
|---|---|---|
| committer | jsing <> | 2023-07-02 14:57:58 +0000 |
| commit | a3cc69bae1783f6f5c92f365722ad4b7cc487c76 (patch) | |
| tree | f910f6b234ed46ca74d6c617718a8656b02e0802 /src | |
| parent | f423c45466f535333e2258196bba9b1045625133 (diff) | |
| download | openbsd-a3cc69bae1783f6f5c92f365722ad4b7cc487c76.tar.gz openbsd-a3cc69bae1783f6f5c92f365722ad4b7cc487c76.tar.bz2 openbsd-a3cc69bae1783f6f5c92f365722ad4b7cc487c76.zip | |
Demacro SHA-512.
Use static inline functions instead of macros to implement SHA-512. At
the same time, make two key changes - firstly, rather than trying to
outsmart the compiler and shuffle variables around, write the algorithm
the way it is documented and actually swap the variable contents. Secondly,
instead of interleaving the message schedule update and the round, do the
full message schedule update first, then process the round.
Overall, we get safer and more readable code. Additionally, the compiler
can generate smaller and faster code (with a gain of 5-10% across a range
of architectures).
ok beck@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/sha/sha512.c | 166 |
1 files changed, 112 insertions, 54 deletions
diff --git a/src/lib/libcrypto/sha/sha512.c b/src/lib/libcrypto/sha/sha512.c index 0bc6039326..6dc91cb0f5 100644 --- a/src/lib/libcrypto/sha/sha512.c +++ b/src/lib/libcrypto/sha/sha512.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sha512.c,v 1.39 2023/05/27 09:18:17 jsing Exp $ */ | 1 | /* $OpenBSD: sha512.c,v 1.40 2023/07/02 14:57:58 jsing Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| @@ -66,7 +66,7 @@ | |||
| 66 | 66 | ||
| 67 | #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) | 67 | #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) |
| 68 | 68 | ||
| 69 | /* Ensure that SHA_LONG64 is 64 bits. */ | 69 | /* Ensure that SHA_LONG64 and uint64_t are equivalent. */ |
| 70 | CTASSERT(sizeof(SHA_LONG64) == sizeof(uint64_t)); | 70 | CTASSERT(sizeof(SHA_LONG64) == sizeof(uint64_t)); |
| 71 | 71 | ||
| 72 | #ifdef SHA512_ASM | 72 | #ifdef SHA512_ASM |
| @@ -117,36 +117,77 @@ static const SHA_LONG64 K512[80] = { | |||
| 117 | U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817), | 117 | U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817), |
| 118 | }; | 118 | }; |
| 119 | 119 | ||
| 120 | #define ROTR(x, s) crypto_ror_u64(x, s) | 120 | static inline SHA_LONG64 |
| 121 | Sigma0(SHA_LONG64 x) | ||
| 122 | { | ||
| 123 | return crypto_ror_u64(x, 28) ^ crypto_ror_u64(x, 34) ^ | ||
| 124 | crypto_ror_u64(x, 39); | ||
| 125 | } | ||
| 121 | 126 | ||
| 122 | #define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) | 127 | static inline SHA_LONG64 |
| 123 | #define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) | 128 | Sigma1(SHA_LONG64 x) |
| 124 | #define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) | 129 | { |
| 125 | #define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) | 130 | return crypto_ror_u64(x, 14) ^ crypto_ror_u64(x, 18) ^ |
| 131 | crypto_ror_u64(x, 41); | ||
| 132 | } | ||
| 126 | 133 | ||
| 127 | #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) | 134 | static inline SHA_LONG64 |
| 128 | #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) | 135 | sigma0(SHA_LONG64 x) |
| 136 | { | ||
| 137 | return crypto_ror_u64(x, 1) ^ crypto_ror_u64(x, 8) ^ (x >> 7); | ||
| 138 | } | ||
| 129 | 139 | ||
| 130 | #define ROUND_00_15(i, a, b, c, d, e, f, g, h, Wt) do { \ | 140 | static inline SHA_LONG64 |
| 131 | T1 = h + Sigma1(e) + Ch(e, f, g) + K512[i] + Wt; \ | 141 | sigma1(SHA_LONG64 x) |
| 132 | T2 = Sigma0(a) + Maj(a, b, c); \ | 142 | { |
| 133 | d += T1; \ | 143 | return crypto_ror_u64(x, 19) ^ crypto_ror_u64(x, 61) ^ (x >> 6); |
| 134 | h = T1 + T2; \ | 144 | } |
| 135 | } while (0) | ||
| 136 | 145 | ||
| 137 | #define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) do { \ | 146 | static inline SHA_LONG64 |
| 138 | s0 = sigma0(X[(j + 1) & 0x0f]); \ | 147 | Ch(SHA_LONG64 x, SHA_LONG64 y, SHA_LONG64 z) |
| 139 | s1 = sigma1(X[(j + 14) & 0x0f]); \ | 148 | { |
| 140 | X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \ | 149 | return (x & y) ^ (~x & z); |
| 141 | ROUND_00_15(i + j, a, b, c, d, e, f, g, h, X[(j) & 0x0f]); \ | 150 | } |
| 142 | } while (0) | 151 | |
| 152 | static inline SHA_LONG64 | ||
| 153 | Maj(SHA_LONG64 x, SHA_LONG64 y, SHA_LONG64 z) | ||
| 154 | { | ||
| 155 | return (x & y) ^ (x & z) ^ (y & z); | ||
| 156 | } | ||
| 157 | |||
| 158 | static inline void | ||
| 159 | sha512_msg_schedule_update(SHA_LONG64 *W0, SHA_LONG64 W1, | ||
| 160 | SHA_LONG64 W9, SHA_LONG64 W14) | ||
| 161 | { | ||
| 162 | *W0 = sigma1(W14) + W9 + sigma0(W1) + *W0; | ||
| 163 | } | ||
| 164 | |||
| 165 | static inline void | ||
| 166 | sha512_round(SHA_LONG64 *a, SHA_LONG64 *b, SHA_LONG64 *c, SHA_LONG64 *d, | ||
| 167 | SHA_LONG64 *e, SHA_LONG64 *f, SHA_LONG64 *g, SHA_LONG64 *h, | ||
| 168 | SHA_LONG64 Kt, SHA_LONG64 Wt) | ||
| 169 | { | ||
| 170 | SHA_LONG64 T1, T2; | ||
| 171 | |||
| 172 | T1 = *h + Sigma1(*e) + Ch(*e, *f, *g) + Kt + Wt; | ||
| 173 | T2 = Sigma0(*a) + Maj(*a, *b, *c); | ||
| 174 | |||
| 175 | *h = *g; | ||
| 176 | *g = *f; | ||
| 177 | *f = *e; | ||
| 178 | *e = *d + T1; | ||
| 179 | *d = *c; | ||
| 180 | *c = *b; | ||
| 181 | *b = *a; | ||
| 182 | *a = T1 + T2; | ||
| 183 | } | ||
| 143 | 184 | ||
| 144 | static void | 185 | static void |
| 145 | sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num) | 186 | sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num) |
| 146 | { | 187 | { |
| 147 | const uint8_t *in = _in; | 188 | const uint8_t *in = _in; |
| 148 | const SHA_LONG64 *in64; | 189 | const SHA_LONG64 *in64; |
| 149 | SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1, T2; | 190 | SHA_LONG64 a, b, c, d, e, f, g, h; |
| 150 | SHA_LONG64 X[16]; | 191 | SHA_LONG64 X[16]; |
| 151 | int i; | 192 | int i; |
| 152 | 193 | ||
| @@ -200,40 +241,57 @@ sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num) | |||
| 200 | } | 241 | } |
| 201 | in += SHA512_CBLOCK; | 242 | in += SHA512_CBLOCK; |
| 202 | 243 | ||
| 203 | ROUND_00_15(0, a, b, c, d, e, f, g, h, X[0]); | 244 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[0], X[0]); |
| 204 | ROUND_00_15(1, h, a, b, c, d, e, f, g, X[1]); | 245 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[1], X[1]); |
| 205 | ROUND_00_15(2, g, h, a, b, c, d, e, f, X[2]); | 246 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[2], X[2]); |
| 206 | ROUND_00_15(3, f, g, h, a, b, c, d, e, X[3]); | 247 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[3], X[3]); |
| 207 | ROUND_00_15(4, e, f, g, h, a, b, c, d, X[4]); | 248 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[4], X[4]); |
| 208 | ROUND_00_15(5, d, e, f, g, h, a, b, c, X[5]); | 249 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[5], X[5]); |
| 209 | ROUND_00_15(6, c, d, e, f, g, h, a, b, X[6]); | 250 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[6], X[6]); |
| 210 | ROUND_00_15(7, b, c, d, e, f, g, h, a, X[7]); | 251 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[7], X[7]); |
| 211 | ROUND_00_15(8, a, b, c, d, e, f, g, h, X[8]); | 252 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[8], X[8]); |
| 212 | ROUND_00_15(9, h, a, b, c, d, e, f, g, X[9]); | 253 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[9], X[9]); |
| 213 | ROUND_00_15(10, g, h, a, b, c, d, e, f, X[10]); | 254 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[10], X[10]); |
| 214 | ROUND_00_15(11, f, g, h, a, b, c, d, e, X[11]); | 255 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[11], X[11]); |
| 215 | ROUND_00_15(12, e, f, g, h, a, b, c, d, X[12]); | 256 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[12], X[12]); |
| 216 | ROUND_00_15(13, d, e, f, g, h, a, b, c, X[13]); | 257 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[13], X[13]); |
| 217 | ROUND_00_15(14, c, d, e, f, g, h, a, b, X[14]); | 258 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[14], X[14]); |
| 218 | ROUND_00_15(15, b, c, d, e, f, g, h, a, X[15]); | 259 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[15], X[15]); |
| 219 | 260 | ||
| 220 | for (i = 16; i < 80; i += 16) { | 261 | for (i = 16; i < 80; i += 16) { |
| 221 | ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X); | 262 | sha512_msg_schedule_update(&X[0], X[1], X[9], X[14]); |
| 222 | ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X); | 263 | sha512_msg_schedule_update(&X[1], X[2], X[10], X[15]); |
| 223 | ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X); | 264 | sha512_msg_schedule_update(&X[2], X[3], X[11], X[0]); |
| 224 | ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X); | 265 | sha512_msg_schedule_update(&X[3], X[4], X[12], X[1]); |
| 225 | ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X); | 266 | sha512_msg_schedule_update(&X[4], X[5], X[13], X[2]); |
| 226 | ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X); | 267 | sha512_msg_schedule_update(&X[5], X[6], X[14], X[3]); |
| 227 | ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X); | 268 | sha512_msg_schedule_update(&X[6], X[7], X[15], X[4]); |
| 228 | ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X); | 269 | sha512_msg_schedule_update(&X[7], X[8], X[0], X[5]); |
| 229 | ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X); | 270 | sha512_msg_schedule_update(&X[8], X[9], X[1], X[6]); |
| 230 | ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X); | 271 | sha512_msg_schedule_update(&X[9], X[10], X[2], X[7]); |
| 231 | ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X); | 272 | sha512_msg_schedule_update(&X[10], X[11], X[3], X[8]); |
| 232 | ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X); | 273 | sha512_msg_schedule_update(&X[11], X[12], X[4], X[9]); |
| 233 | ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X); | 274 | sha512_msg_schedule_update(&X[12], X[13], X[5], X[10]); |
| 234 | ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X); | 275 | sha512_msg_schedule_update(&X[13], X[14], X[6], X[11]); |
| 235 | ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X); | 276 | sha512_msg_schedule_update(&X[14], X[15], X[7], X[12]); |
| 236 | ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X); | 277 | sha512_msg_schedule_update(&X[15], X[0], X[8], X[13]); |
| 278 | |||
| 279 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 0], X[0]); | ||
| 280 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 1], X[1]); | ||
| 281 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 2], X[2]); | ||
| 282 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 3], X[3]); | ||
| 283 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 4], X[4]); | ||
| 284 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 5], X[5]); | ||
| 285 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 6], X[6]); | ||
| 286 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 7], X[7]); | ||
| 287 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 8], X[8]); | ||
| 288 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 9], X[9]); | ||
| 289 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 10], X[10]); | ||
| 290 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 11], X[11]); | ||
| 291 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 12], X[12]); | ||
| 292 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 13], X[13]); | ||
| 293 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 14], X[14]); | ||
| 294 | sha512_round(&a, &b, &c, &d, &e, &f, &g, &h, K512[i + 15], X[15]); | ||
| 237 | } | 295 | } |
| 238 | 296 | ||
| 239 | ctx->h[0] += a; | 297 | ctx->h[0] += a; |