/src/botan/src/lib/hash/sha2_32/sha2_32.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * SHA-{224,256} |
3 | | * (C) 1999-2010,2017 Jack Lloyd |
4 | | * 2007 FlexSecure GmbH |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/internal/sha2_32.h> |
10 | | #include <botan/internal/loadstor.h> |
11 | | #include <botan/internal/rotate.h> |
12 | | #include <botan/internal/bit_ops.h> |
13 | | #include <botan/internal/cpuid.h> |
14 | | |
15 | | namespace Botan { |
16 | | |
17 | | namespace { |
18 | | |
19 | | std::string sha256_provider() |
20 | 0 | { |
21 | 0 | #if defined(BOTAN_HAS_SHA2_32_X86) |
22 | 0 | if(CPUID::has_intel_sha()) |
23 | 0 | { |
24 | 0 | return "shani"; |
25 | 0 | } |
26 | 0 | #endif |
27 | | |
28 | 0 | #if defined(BOTAN_HAS_SHA2_32_X86_BMI2) |
29 | 0 | if(CPUID::has_bmi2()) |
30 | 0 | { |
31 | 0 | return "bmi2"; |
32 | 0 | } |
33 | 0 | #endif |
34 | | |
35 | | #if defined(BOTAN_HAS_SHA2_32_ARMV8) |
36 | | if(CPUID::has_arm_sha2()) |
37 | | { |
38 | | return "armv8"; |
39 | | } |
40 | | #endif |
41 | | |
42 | 0 | return "base"; |
43 | 0 | } |
44 | | |
45 | | } |
46 | | |
47 | | std::unique_ptr<HashFunction> SHA_224::copy_state() const |
48 | 0 | { |
49 | 0 | return std::make_unique<SHA_224>(*this); |
50 | 0 | } |
51 | | |
52 | | std::unique_ptr<HashFunction> SHA_256::copy_state() const |
53 | 0 | { |
54 | 0 | return std::make_unique<SHA_256>(*this); |
55 | 0 | } |
56 | | |
57 | | /* |
58 | | * SHA-256 F1 Function |
59 | | * |
60 | | * Use a macro as many compilers won't inline a function this big, |
61 | | * even though it is much faster if inlined. |
62 | | */ |
63 | 0 | #define SHA2_32_F(A, B, C, D, E, F, G, H, M1, M2, M3, M4, magic) do { \ |
64 | 0 | uint32_t A_rho = rotr<2>(A) ^ rotr<13>(A) ^ rotr<22>(A); \ |
65 | 0 | uint32_t E_rho = rotr<6>(E) ^ rotr<11>(E) ^ rotr<25>(E); \ |
66 | 0 | uint32_t M2_sigma = rotr<17>(M2) ^ rotr<19>(M2) ^ (M2 >> 10); \ |
67 | 0 | uint32_t M4_sigma = rotr<7>(M4) ^ rotr<18>(M4) ^ (M4 >> 3); \ |
68 | 0 | H += magic + E_rho + choose(E, F, G) + M1; \ |
69 | 0 | D += H; \ |
70 | 0 | H += A_rho + majority(A, B, C); \ |
71 | 0 | M1 += M2_sigma + M3 + M4_sigma; \ |
72 | 0 | } while(0); |
73 | | |
74 | | /* |
75 | | * SHA-224 / SHA-256 compression function |
76 | | */ |
77 | | void SHA_256::compress_digest(secure_vector<uint32_t>& digest, |
78 | | const uint8_t input[], size_t blocks) |
79 | 779k | { |
80 | 779k | #if defined(BOTAN_HAS_SHA2_32_X86) |
81 | 779k | if(CPUID::has_intel_sha()) |
82 | 0 | { |
83 | 0 | return SHA_256::compress_digest_x86(digest, input, blocks); |
84 | 0 | } |
85 | 779k | #endif |
86 | | |
87 | 779k | #if defined(BOTAN_HAS_SHA2_32_X86_BMI2) |
88 | 779k | if(CPUID::has_bmi2()) |
89 | 779k | { |
90 | 779k | return SHA_256::compress_digest_x86_bmi2(digest, input, blocks); |
91 | 779k | } |
92 | 0 | #endif |
93 | | |
94 | | #if defined(BOTAN_HAS_SHA2_32_ARMV8) |
95 | | if(CPUID::has_arm_sha2()) |
96 | | { |
97 | | return SHA_256::compress_digest_armv8(digest, input, blocks); |
98 | | } |
99 | | #endif |
100 | | |
101 | 0 | uint32_t A = digest[0], B = digest[1], C = digest[2], |
102 | 0 | D = digest[3], E = digest[4], F = digest[5], |
103 | 0 | G = digest[6], H = digest[7]; |
104 | |
|
105 | 0 | for(size_t i = 0; i != blocks; ++i) |
106 | 0 | { |
107 | 0 | uint32_t W00 = load_be<uint32_t>(input, 0); |
108 | 0 | uint32_t W01 = load_be<uint32_t>(input, 1); |
109 | 0 | uint32_t W02 = load_be<uint32_t>(input, 2); |
110 | 0 | uint32_t W03 = load_be<uint32_t>(input, 3); |
111 | 0 | uint32_t W04 = load_be<uint32_t>(input, 4); |
112 | 0 | uint32_t W05 = load_be<uint32_t>(input, 5); |
113 | 0 | uint32_t W06 = load_be<uint32_t>(input, 6); |
114 | 0 | uint32_t W07 = load_be<uint32_t>(input, 7); |
115 | 0 | uint32_t W08 = load_be<uint32_t>(input, 8); |
116 | 0 | uint32_t W09 = load_be<uint32_t>(input, 9); |
117 | 0 | uint32_t W10 = load_be<uint32_t>(input, 10); |
118 | 0 | uint32_t W11 = load_be<uint32_t>(input, 11); |
119 | 0 | uint32_t W12 = load_be<uint32_t>(input, 12); |
120 | 0 | uint32_t W13 = load_be<uint32_t>(input, 13); |
121 | 0 | uint32_t W14 = load_be<uint32_t>(input, 14); |
122 | 0 | uint32_t W15 = load_be<uint32_t>(input, 15); |
123 | |
|
124 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x428A2F98); |
125 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x71374491); |
126 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0xB5C0FBCF); |
127 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0xE9B5DBA5); |
128 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x3956C25B); |
129 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x59F111F1); |
130 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x923F82A4); |
131 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0xAB1C5ED5); |
132 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xD807AA98); |
133 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x12835B01); |
134 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x243185BE); |
135 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x550C7DC3); |
136 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x72BE5D74); |
137 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0x80DEB1FE); |
138 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x9BDC06A7); |
139 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC19BF174); |
140 | |
|
141 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0xE49B69C1); |
142 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0xEFBE4786); |
143 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x0FC19DC6); |
144 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x240CA1CC); |
145 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x2DE92C6F); |
146 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4A7484AA); |
147 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5CB0A9DC); |
148 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x76F988DA); |
149 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x983E5152); |
150 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA831C66D); |
151 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xB00327C8); |
152 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xBF597FC7); |
153 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xC6E00BF3); |
154 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD5A79147); |
155 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x06CA6351); |
156 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x14292967); |
157 | |
|
158 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x27B70A85); |
159 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x2E1B2138); |
160 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x4D2C6DFC); |
161 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x53380D13); |
162 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x650A7354); |
163 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x766A0ABB); |
164 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x81C2C92E); |
165 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x92722C85); |
166 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xA2BFE8A1); |
167 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA81A664B); |
168 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xC24B8B70); |
169 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xC76C51A3); |
170 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xD192E819); |
171 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD6990624); |
172 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xF40E3585); |
173 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x106AA070); |
174 | |
|
175 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x19A4C116); |
176 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x1E376C08); |
177 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x2748774C); |
178 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x34B0BCB5); |
179 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x391C0CB3); |
180 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4ED8AA4A); |
181 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5B9CCA4F); |
182 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x682E6FF3); |
183 | 0 | SHA2_32_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x748F82EE); |
184 | 0 | SHA2_32_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x78A5636F); |
185 | 0 | SHA2_32_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x84C87814); |
186 | 0 | SHA2_32_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x8CC70208); |
187 | 0 | SHA2_32_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x90BEFFFA); |
188 | 0 | SHA2_32_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xA4506CEB); |
189 | 0 | SHA2_32_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xBEF9A3F7); |
190 | 0 | SHA2_32_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC67178F2); |
191 | |
|
192 | 0 | A = (digest[0] += A); |
193 | 0 | B = (digest[1] += B); |
194 | 0 | C = (digest[2] += C); |
195 | 0 | D = (digest[3] += D); |
196 | 0 | E = (digest[4] += E); |
197 | 0 | F = (digest[5] += F); |
198 | 0 | G = (digest[6] += G); |
199 | 0 | H = (digest[7] += H); |
200 | |
|
201 | 0 | input += 64; |
202 | 0 | } |
203 | 0 | } |
204 | | |
205 | | std::string SHA_224::provider() const |
206 | 0 | { |
207 | 0 | return sha256_provider(); |
208 | 0 | } |
209 | | |
210 | | std::string SHA_256::provider() const |
211 | 0 | { |
212 | 0 | return sha256_provider(); |
213 | 0 | } |
214 | | |
215 | | /* |
216 | | * SHA-224 compression function |
217 | | */ |
218 | | void SHA_224::compress_n(const uint8_t input[], size_t blocks) |
219 | 44 | { |
220 | 44 | SHA_256::compress_digest(m_digest, input, blocks); |
221 | 44 | } |
222 | | |
223 | | /* |
224 | | * Copy out the digest |
225 | | */ |
226 | | void SHA_224::copy_out(uint8_t output[]) |
227 | 20 | { |
228 | 20 | copy_out_vec_be(output, output_length(), m_digest); |
229 | 20 | } |
230 | | |
231 | | /* |
232 | | * Clear memory of sensitive data |
233 | | */ |
234 | | void SHA_224::clear() |
235 | 44 | { |
236 | 44 | MDx_HashFunction::clear(); |
237 | 44 | m_digest[0] = 0xC1059ED8; |
238 | 44 | m_digest[1] = 0x367CD507; |
239 | 44 | m_digest[2] = 0x3070DD17; |
240 | 44 | m_digest[3] = 0xF70E5939; |
241 | 44 | m_digest[4] = 0xFFC00B31; |
242 | 44 | m_digest[5] = 0x68581511; |
243 | 44 | m_digest[6] = 0x64F98FA7; |
244 | 44 | m_digest[7] = 0xBEFA4FA4; |
245 | 44 | } |
246 | | |
247 | | /* |
248 | | * SHA-256 compression function |
249 | | */ |
250 | | void SHA_256::compress_n(const uint8_t input[], size_t blocks) |
251 | 779k | { |
252 | 779k | SHA_256::compress_digest(m_digest, input, blocks); |
253 | 779k | } |
254 | | |
255 | | /* |
256 | | * Copy out the digest |
257 | | */ |
258 | | void SHA_256::copy_out(uint8_t output[]) |
259 | 357k | { |
260 | 357k | copy_out_vec_be(output, output_length(), m_digest); |
261 | 357k | } |
262 | | |
263 | | /* |
264 | | * Clear memory of sensitive data |
265 | | */ |
266 | | void SHA_256::clear() |
267 | 467k | { |
268 | 467k | MDx_HashFunction::clear(); |
269 | 467k | m_digest[0] = 0x6A09E667; |
270 | 467k | m_digest[1] = 0xBB67AE85; |
271 | 467k | m_digest[2] = 0x3C6EF372; |
272 | 467k | m_digest[3] = 0xA54FF53A; |
273 | 467k | m_digest[4] = 0x510E527F; |
274 | 467k | m_digest[5] = 0x9B05688C; |
275 | 467k | m_digest[6] = 0x1F83D9AB; |
276 | 467k | m_digest[7] = 0x5BE0CD19; |
277 | 467k | } |
278 | | |
279 | | } |