path: root/src/lib/libcrypto/sha
Commit message (author, date, files changed, -lines removed/+lines added)

* Rework input and output handling for sha1. (jsing, 2024-03-26, 1 file, -128/+79)
  Use be32toh(), htobe32() and crypto_{load,store}_htobe32() as appropriate. Also use the same while() loop that is used for other hash functions. ok joshua@ tb@

* Replace uses of endbr64 with _CET_ENDBR from cet.h (tb, 2024-02-24, 2 files, -5/+5)
  cet.h is needed for other platforms to emit the relevant .gnu.properties sections that are necessary for them to enable IBT. It also avoids issues with older toolchains on macOS that explode on encountering endbr64. based on a diff by kettenis ok beck kettenis

* Stop including md32_common.h. (jsing, 2023-08-11, 1 file, -15/+1)
  Now that we're no longer dependent on md32_common.h, stop including it. Remove various defines that only existed for md32_common.h usage.

* Demacro sha256. (jsing, 2023-08-11, 1 file, -49/+114)
  Replace macros with static inline functions, as well as writing out the variable rotations instead of trying to outsmart the compiler. Also pull the message schedule update up and complete it prior to commencement of the round. Also use rotate right, rather than transposed rotate left. Overall this is more readable and more closely follows the specification. On some platforms (e.g. aarch64) there is no noticeable change in performance, while on others there is a significant improvement (more than 25% on arm). ok miod@ tb@

* Remove MD32_REG_T. (jsing, 2023-08-10, 2 files, -5/+5)
  This is a hack that is only enabled on a handful of 64 bit platforms, as a workaround for poor compiler optimisation. If you're running an archaic compiler on an archaic architecture, then you can deal with slightly lower performance. ok tb@

* Hide symbols in sha (beck, 2023-07-08, 3 files, -3/+26)
  ok tb@

* Remove unused SHA-1 implementation. (jsing, 2023-07-08, 1 file, -86/+1)

* Remove now unnecessary "do { } while (0)" (jsing, 2023-07-08, 1 file, -4/+2)

* Inline HASH_MAKE_STRING macro. (jsing, 2023-07-08, 1 file, -15/+14)
  No change to generated assembly.

* Reorder functions. (jsing, 2023-07-08, 1 file, -113/+113)
  No functional change.

* style(9) (jsing, 2023-07-08, 1 file, -36/+33)

* Implement SHA1_{Update,Transform,Final}() directly in sha1.c. (jsing, 2023-07-07, 1 file, -5/+104)
  Copy the update, transform and final functions from md32_common.h, manually expanding the macros for SHA1. This will allow for further clean up to occur. No change in generated assembly.

* Clean up alignment handling for SHA-256. (jsing, 2023-07-07, 1 file, -63/+43)
  If input data is 32 bit aligned use be32toh() directly, otherwise use crypto_load_be32toh(), cleaning up all of the HOST_c2l() usage. ok beck@

* Clean up SHA-256 input handling and round macros. (jsing, 2023-07-07, 1 file, -72/+58)
  Avoid reach around and initialisation outside of the macro, cleaning up the call sites to remove the initialisation. ok beck@

* Remove unused SHA-256 implementation. (jsing, 2023-07-07, 1 file, -71/+1)
  ok beck@

* Replace HOST_l2c() with htob32() or crypto_store_htobe32(). (jsing, 2023-07-07, 1 file, -17/+15)
  ok beck@

* Demacro SHA-512. (jsing, 2023-07-02, 1 file, -54/+112)
  Use static inline functions instead of macros to implement SHA-512. At the same time, make two key changes - firstly, rather than trying to outsmart the compiler and shuffle variables around, write the algorithm the way it is documented and actually swap the variable contents. Secondly, instead of interleaving the message schedule update and the round, do the full message schedule update first, then process the round. Overall, we get safer and more readable code. Additionally, the compiler can generate smaller and faster code (with a gain of 5-10% across a range of architectures). ok beck@ tb@

* Sprinkle some style(9). (jsing, 2023-05-28, 1 file, -15/+15)

* Expand occurrences of HASH_CTX that were previously missed. (jsing, 2023-05-28, 1 file, -4/+5)
  No change in generated assembly.

* Reorder functions. (jsing, 2023-05-28, 1 file, -214/+214)
  No intended functional change.

* Clean up includes. (jsing, 2023-05-28, 1 file, -6/+5)

* Remove now unnecessary do {} while(0); (jsing, 2023-05-28, 1 file, -3/+1)

* Inline HASH_MAKE_STRING for SHA256. (jsing, 2023-05-28, 1 file, -34/+37)
  No change to generated assembly.

* Implement SHA256_{Update,Transform,Final}() directly in sha256.c. (jsing, 2023-05-27, 1 file, -4/+103)
  md32_common.h is a typical OpenSSL macro horror show - copy the update, transform and final functions from md32_common.h, manually expanding the macros for SHA256. This will allow for further clean up to occur. No change in generated assembly. ok beck@ tb@

* Clean up alignment handling for SHA-512. (jsing, 2023-05-27, 1 file, -73/+52)
  This recommits r1.37 of sha512.c, however uses uint8_t * instead of void * for the crypto_load_* functions and primarily uses const uint8_t * to track input, only casting to const SHA_LONG64 * once we know that it is suitably aligned. This prevents the compiler from implying alignment based on type. Tested by tb@ and deraadt@ on platforms with gcc and strict alignment. ok tb@

* backout alignment changes (breaking at least two architectures) (deraadt, 2023-05-19, 1 file, -49/+72)

* Clean up alignment handling for SHA-512. (jsing, 2023-05-17, 1 file, -72/+49)
  All assembly implementations are required to perform their own alignment handling. In the case of the C implementation, on strict alignment platforms, unaligned data will be copied into an aligned buffer. However, most platforms then perform byte-by-byte reads (via the PULL64 macros). Instead, remove SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA and alignment handling to sha512_block_data_order() - if the data is aligned then simply perform 64 bit loads and then do endian conversion via be64toh(). If the data is unaligned then use memcpy() and be64toh() (in the form of crypto_load_be64toh()). Overall this reduces complexity and can improve performance (on aarch64 we get a ~10% performance gain with aligned input and about ~1-2% gain on armv7), while the same movq/bswapq is generated for amd64 and movl/bswapl for i386. ok tb@
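  The aligned/unaligned split described in the two SHA-512 alignment commits above, as an added example that is not LibreSSL's own code: be64_to_host() stands in for be64toh(), load_be64_unaligned() for crypto_load_be64toh(), and demo_word() with its constructed 129-byte buffer exists only to exercise both paths; all of those names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Portable stand-in for be64toh() (assumed helper, not libcrypto's macro). */
static inline uint64_t be64_to_host(uint64_t v)
{
	const uint16_t probe = 1;
	if (*(const uint8_t *)&probe == 1)	/* little-endian host: swap */
		return __builtin_bswap64(v);
	return v;
}

/* Unaligned path in the spirit of crypto_load_be64toh(): memcpy() into a
 * temporary, then convert; compilers lower this to a plain load plus bswap. */
static inline uint64_t load_be64_unaligned(const uint8_t *in)
{
	uint64_t v;
	memcpy(&v, in, sizeof(v));
	return be64_to_host(v);
}

/* Load one 128-byte SHA-512 block into W[0..15]. The input stays a uint8_t *
 * and is cast to uint64_t * only after the alignment check, so the compiler
 * cannot infer alignment from the pointer type. */
void sha512_load_block(const uint8_t *in, uint64_t W[16])
{
	size_t i;
	if (((uintptr_t)in & (sizeof(uint64_t) - 1)) == 0) {
		const uint64_t *aligned = (const uint64_t *)in;
		for (i = 0; i < 16; i++)	/* aligned: direct 64-bit loads */
			W[i] = be64_to_host(aligned[i]);
	} else {
		for (i = 0; i < 16; i++)	/* unaligned: memcpy() loads */
			W[i] = load_be64_unaligned(in + 8 * i);
	}
}

/* Constructed input: bytes 0..135 in 8-byte aligned storage. offset 0 takes
 * the aligned path, offset 1 the unaligned one; returns the idx-th word. */
uint64_t demo_word(size_t offset, size_t idx)
{
	static uint64_t storage[17];
	uint8_t *p = (uint8_t *)storage;
	uint64_t W[16];
	for (size_t i = 0; i < sizeof(storage); i++)
		p[i] = (uint8_t)i;
	sha512_load_block(p + offset, W);
	return W[idx];
}
```

  Both paths must yield identical words for the same input bytes; only the way the load is issued differs.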
* Clean up SHA-512 input handling and round macros. (jsing, 2023-05-16, 1 file, -47/+49)
  Avoid reach around and initialisation outside of the macro, cleaning up the call sites to remove the initialisation. Use a T2 variable to more closely follow the documented algorithm and remove the gorgeous compound statement X = Y += A + B + C. There is no change to the clang generated assembly on aarch64. ok tb@

* Reduce the number of SHA-512 C implementations from three to one. (jsing, 2023-05-12, 1 file, -134/+1)
  We currently have three C implementations for SHA-512 - a version that is optimised for CPUs with minimal registers (specifically i386), a regular implementation and a semi-unrolled implementation. Testing on a ~15 year old i386 CPU, the fastest version is actually the semi-unrolled version (not to mention that we still currently have an i586 assembly implementation that is used on i386 instead...). More decent architectures do not seem to care between the regular and semi-unrolled version, presumably since they are effectively doing the same thing in hardware during execution. Remove all except the semi-unrolled version. ok tb@

* Remove duplicate NID definitions (tb, 2023-04-25, 1 file, -11/+1)

* Remove no longer necessary compat #defines (tb, 2023-04-25, 1 file, -6/+1)

* Add endbr64 where needed by inspection. Passes regression tests. (deraadt, 2023-04-25, 2 files, -0/+5)
  ok jsing, and kind of tb an earlier version

* Provide EVP methods for SHA3 224/256/384/512. (jsing, 2023-04-16, 1 file, -1/+11)
  ok tb@

* Provide EVP methods for SHA512/224 and SHA512/256. (jsing, 2023-04-16, 1 file, -1/+6)
  ok tb@

* Bounds check mdlen that is passed to sha3_init(). (jsing, 2023-04-16, 1 file, -2/+5)
  While here, use KECCAK_BYTE_WIDTH instead of hardcoding the value.

* Use size_t rather than int. (jsing, 2023-04-15, 2 files, -13/+13)
  Also buy a vowel for rsiz.

* Add SHA3 digest length define that was previously missed. (jsing, 2023-04-15, 1 file, -1/+2)

* Remove sha3() function, which will not be used or exposed. (jsing, 2023-04-15, 2 files, -16/+2)

* Mark sha3_keccakf() as static and remove prototype from header. (jsing, 2023-04-15, 2 files, -5/+3)

* Use memset() to zero the context, instead of zeroing manually. (jsing, 2023-04-15, 1 file, -5/+3)

* Provide SHA3 length related defines. (jsing, 2023-04-15, 1 file, -1/+27)
  These will make EVP integration easier, as well as being used in the SHA3 implementation itself.

* Use the same byte order tests as we do elsewhere in libcrypto. (jsing, 2023-04-15, 1 file, -3/+5)

* Rename SHA3 context struct field from 'st' to 'state'. (jsing, 2023-04-15, 2 files, -15/+15)

* Rename SHA3 context to align with existing code. (jsing, 2023-04-15, 2 files, -14/+14)

* Move some defines out of the sha3_internal.h header. (jsing, 2023-04-15, 2 files, -10/+6)

* Revise header guards. (jsing, 2023-04-15, 1 file, -4/+4)

* Pull constant tables out of sha3_keccakf(). (jsing, 2023-04-15, 1 file, -24/+24)

* Strip and reformat comments. (jsing, 2023-04-15, 2 files, -44/+14)
  Remove various comments that are unhelpful or obvious. Reformat remaining comments per style(9).

* Apply style(9) (first pass). (jsing, 2023-04-15, 2 files, -146/+152)

* Import sha3_internal.h. (jsing, 2023-04-15, 1 file, -2/+2)