/src/nss/lib/freebl/sha_fast.c

Source
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif

#include <memory.h>
#include "blapi.h"
#include "sha_fast.h"
#include "prerror.h"
#include "secerr.h"

#ifdef TRACING_SSL
#include "ssl.h"
#include "ssltrace.h"
#endif

static void shaCompress(volatile SHA_HW_t *X, const PRUint32 *datain);

#define W u.w
#define B u.b

#define SHA_F1(X, Y, Z) ((((Y) ^ (Z)) & (X)) ^ (Z))
#define SHA_F2(X, Y, Z) ((X) ^ (Y) ^ (Z))
#define SHA_F3(X, Y, Z) (((X) & (Y)) | ((Z) & ((X) | (Y))))
#define SHA_F4(X, Y, Z) ((X) ^ (Y) ^ (Z))

#define SHA_MIX(n, a, b, c) XW(n) = SHA_ROTL(XW(a) ^ XW(b) ^ XW(c) ^ XW(n), 1)

void SHA1_Compress_Native(SHA1Context *ctx);
void SHA1_Update_Native(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len);

static void SHA1_Compress_Generic(SHA1Context *ctx);
static void SHA1_Update_Generic(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len);

#ifndef USE_HW_SHA1
void
SHA1_Compress_Native(SHA1Context *ctx)
{
    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
    PORT_Assert(0);
}

void
SHA1_Update_Native(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
{
    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
    PORT_Assert(0);
}
#endif

/*
 *  SHA: initialize context
 */
void
SHA1_Begin(SHA1Context *ctx)
{
    ctx->size = 0;
    /*
     *  Initialize H with constants from FIPS180-1.
     */
    ctx->H[0] = 0x67452301L;
    ctx->H[1] = 0xefcdab89L;
    ctx->H[2] = 0x98badcfeL;
    ctx->H[3] = 0x10325476L;
    ctx->H[4] = 0xc3d2e1f0L;

#if defined(USE_HW_SHA1) && defined(IS_LITTLE_ENDIAN)
    /* arm's implementation is tested on little endian only */
    if (arm_sha1_support()) {
        ctx->compress = SHA1_Compress_Native;
        ctx->update = SHA1_Update_Native;
    } else
#endif
    {
        ctx->compress = SHA1_Compress_Generic;
        ctx->update = SHA1_Update_Generic;
    }
}

/* Explanation of H array and index values:
 * The context's H array is actually the concatenation of two arrays
 * defined by SHA1, the H array of state variables (5 elements),
 * and the W array of intermediate values, of which there are 16 elements.
 * The W array starts at H[5], that is W[0] is H[5].
 * Although these values are defined as 32-bit values, we use 64-bit
 * variables to hold them because the AMD64 stores 64 bit values in
 * memory MUCH faster than it stores any smaller values.
 *
 * Rather than passing the context structure to shaCompress, we pass
 * this combined array of H and W values.  We do not pass the address
 * of the first element of this array, but rather pass the address of an
 * element in the middle of the array, element X.  Presently X[0] is H[11].
 * So we pass the address of H[11] as the address of array X to shaCompress.
 * Then shaCompress accesses the members of the array using positive AND
 * negative indexes.
 *
 * Pictorially: (each element is 8 bytes)
 * H | H0 H1 H2 H3 H4 W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 Wa Wb Wc Wd We Wf |
 * X |-11-10 -9 -8 -7 -6 -5 -4 -3 -2 -1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 |
 *
 * The byte offset from X[0] to any member of H and W is always
 * representable in a signed 8-bit value, which will be encoded
 * as a single byte offset in the X86-64 instruction set.
 * If we didn't pass the address of H[11], and instead passed the
 * address of H[0], the offsets to elements H[16] and above would be
 * greater than 127, not representable in a signed 8-bit value, and the
 * x86-64 instruction set would encode every such offset as a 32-bit
 * signed number in each instruction that accessed element H[16] or
 * higher.  This results in much bigger and slower code.
 */
#if !defined(SHA_PUT_W_IN_STACK)
#define H2X 11 /* X[0] is H[11], and H[0] is X[-11] */
#define W2X 6  /* X[0] is W[6],  and W[0] is X[-6]  */
#else
#define H2X 0
#endif

/*
 *  SHA: Add data to context.
 */
void
SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
{
    ctx->update(ctx, dataIn, len);
}

static void
SHA1_Update_Generic(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
{
    register unsigned int lenB;
    register unsigned int togo;

    if (!len)
        return;

    /* accumulate the byte count. */
    lenB = (unsigned int)(ctx->size) & 63U;

    ctx->size += len;

    /*
     *  Read the data into W and process blocks as they get full
     */
    if (lenB > 0) {
        togo = 64U - lenB;
        if (len < togo)
            togo = len;
        memcpy(ctx->B + lenB, dataIn, togo);
        len -= togo;
        dataIn += togo;
        lenB = (lenB + togo) & 63U;
        if (!lenB) {
            shaCompress(&ctx->H[H2X], ctx->W);
        }
    }
#if !defined(HAVE_UNALIGNED_ACCESS)
    if ((ptrdiff_t)dataIn % sizeof(PRUint32)) {
        while (len >= 64U) {
            memcpy(ctx->B, dataIn, 64);
            len -= 64U;
            shaCompress(&ctx->H[H2X], ctx->W);
            dataIn += 64U;
        }
    } else
#endif
    {
        while (len >= 64U) {
            len -= 64U;
            shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
            dataIn += 64U;
        }
    }
    if (len) {
        memcpy(ctx->B, dataIn, len);
    }
}

/*
 *  SHA: Generate hash value from context
 */
void NO_SANITIZE_ALIGNMENT
SHA1_End(SHA1Context *ctx, unsigned char *hashout,
         unsigned int *pDigestLen, unsigned int maxDigestLen)
{
    register PRUint64 size;
    register PRUint32 lenB;

    static const unsigned char bulk_pad[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
#define tmp lenB

    PORT_Assert(maxDigestLen >= SHA1_LENGTH);

    /*
     *  Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
     */
    size = ctx->size;

    lenB = (PRUint32)size & 63;
    SHA1_Update(ctx, bulk_pad, (((55 + 64) - lenB) & 63) + 1);
    PORT_Assert(((PRUint32)ctx->size & 63) == 56);
    /* Convert size from bytes to bits. */
    size <<= 3;
    ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
    ctx->W[15] = SHA_HTONL((PRUint32)size);
    ctx->compress(ctx);

    /*
     *  Output hash
     */
    SHA_STORE_RESULT;
    if (pDigestLen) {
        *pDigestLen = SHA1_LENGTH;
    }
#undef tmp
}

void
SHA1_EndRaw(SHA1Context *ctx, unsigned char *hashout,
            unsigned int *pDigestLen, unsigned int maxDigestLen)
{
#if defined(SHA_NEED_TMP_VARIABLE)
    register PRUint32 tmp;
#endif
    PORT_Assert(maxDigestLen >= SHA1_LENGTH);

    SHA_STORE_RESULT;
    if (pDigestLen)
        *pDigestLen = SHA1_LENGTH;
}

#undef B
/*
 *  SHA: Compression function, unrolled.
 *
 * Some operations in shaCompress are done as 5 groups of 16 operations.
 * Others are done as 4 groups of 20 operations.
 * The code below shows that structure.
 *
 * The functions that compute the new values of the 5 state variables
 * A-E are done in 4 groups of 20 operations (or you may also think
 * of them as being done in 16 groups of 5 operations).  They are
 * done by the SHA_RNDx macros below, in the right column.
 *
 * The functions that set the 16 values of the W array are done in
 * 5 groups of 16 operations.  The first group is done by the
 * LOAD macros below, the latter 4 groups are done by SHA_MIX below,
 * in the left column.
 *
 * gcc's optimizer observes that each member of the W array is assigned
 * a value 5 times in this code.  It reduces the number of store
 * operations done to the W array in the context (that is, in the X array)
 * by creating a W array on the stack, and storing the W values there for
 * the first 4 groups of operations on W, and storing the values in the
 * context's W array only in the fifth group.  This is undesirable.
 * It is MUCH bigger code than simply using the context's W array, because
 * all the offsets to the W array in the stack are 32-bit signed offsets,
 * and it is no faster than storing the values in the context's W array.
 *
 * The original code for sha_fast.c prevented this creation of a separate
 * W array in the stack by creating a W array of 80 members, each of
 * whose elements is assigned only once. It also separated the computations
 * of the W array values and the computations of the values for the 5
 * state variables into two separate passes, W's, then A-E's so that the
 * second pass could be done all in registers (except for accessing the W
 * array) on machines with fewer registers.  The method is suboptimal
 * for machines with enough registers to do it all in one pass, and it
 * necessitates using many instructions with 32-bit offsets.
 *
 * This code eliminates the separate W array on the stack by a completely
 * different means: by declaring the X array volatile.  This prevents
 * the optimizer from trying to reduce the use of the X array by the
 * creation of a MORE expensive W array on the stack. The result is
 * that all instructions use signed 8-bit offsets and not 32-bit offsets.
 *
 * The combination of this code and the -O3 optimizer flag on GCC 3.4.3
 * results in code that is 3 times faster than the previous NSS sha_fast
 * code on AMD64.
 */
static void NO_SANITIZE_ALIGNMENT
shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf)
{
    register SHA_HW_t A, B, C, D, E;

#if defined(SHA_NEED_TMP_VARIABLE)
    register PRUint32 tmp;
#endif

#if !defined(SHA_PUT_W_IN_STACK)
#define XH(n) X[n - H2X]
#define XW(n) X[n - W2X]
#else
    SHA_HW_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7,
        w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
#define XW(n) w_##n
#define XH(n) X[n]
#endif

#define K0 0x5a827999L
#define K1 0x6ed9eba1L
#define K2 0x8f1bbcdcL
#define K3 0xca62c1d6L

#define SHA_RND1(a, b, c, d, e, n)                         \
    a = SHA_ROTL(b, 5) + SHA_F1(c, d, e) + a + XW(n) + K0; \
    c = SHA_ROTL(c, 30)
#define SHA_RND2(a, b, c, d, e, n)                         \
    a = SHA_ROTL(b, 5) + SHA_F2(c, d, e) + a + XW(n) + K1; \
    c = SHA_ROTL(c, 30)
#define SHA_RND3(a, b, c, d, e, n)                         \
    a = SHA_ROTL(b, 5) + SHA_F3(c, d, e) + a + XW(n) + K2; \
    c = SHA_ROTL(c, 30)
#define SHA_RND4(a, b, c, d, e, n)                         \
    a = SHA_ROTL(b, 5) + SHA_F4(c, d, e) + a + XW(n) + K3; \
    c = SHA_ROTL(c, 30)

#define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])

    A = XH(0);
    B = XH(1);
    C = XH(2);
    D = XH(3);
    E = XH(4);

    LOAD(0);
    SHA_RND1(E, A, B, C, D, 0);
    LOAD(1);
    SHA_RND1(D, E, A, B, C, 1);
    LOAD(2);
    SHA_RND1(C, D, E, A, B, 2);
    LOAD(3);
    SHA_RND1(B, C, D, E, A, 3);
    LOAD(4);
    SHA_RND1(A, B, C, D, E, 4);
    LOAD(5);
    SHA_RND1(E, A, B, C, D, 5);
    LOAD(6);
    SHA_RND1(D, E, A, B, C, 6);
    LOAD(7);
    SHA_RND1(C, D, E, A, B, 7);
    LOAD(8);
    SHA_RND1(B, C, D, E, A, 8);
    LOAD(9);
    SHA_RND1(A, B, C, D, E, 9);
    LOAD(10);
    SHA_RND1(E, A, B, C, D, 10);
    LOAD(11);
    SHA_RND1(D, E, A, B, C, 11);
    LOAD(12);
    SHA_RND1(C, D, E, A, B, 12);
    LOAD(13);
    SHA_RND1(B, C, D, E, A, 13);
    LOAD(14);
    SHA_RND1(A, B, C, D, E, 14);
    LOAD(15);
    SHA_RND1(E, A, B, C, D, 15);

    SHA_MIX(0, 13, 8, 2);
    SHA_RND1(D, E, A, B, C, 0);
    SHA_MIX(1, 14, 9, 3);
    SHA_RND1(C, D, E, A, B, 1);
    SHA_MIX(2, 15, 10, 4);
    SHA_RND1(B, C, D, E, A, 2);
    SHA_MIX(3, 0, 11, 5);
    SHA_RND1(A, B, C, D, E, 3);

    SHA_MIX(4, 1, 12, 6);
    SHA_RND2(E, A, B, C, D, 4);
    SHA_MIX(5, 2, 13, 7);
    SHA_RND2(D, E, A, B, C, 5);
    SHA_MIX(6, 3, 14, 8);
    SHA_RND2(C, D, E, A, B, 6);
    SHA_MIX(7, 4, 15, 9);
    SHA_RND2(B, C, D, E, A, 7);
    SHA_MIX(8, 5, 0, 10);
    SHA_RND2(A, B, C, D, E, 8);
    SHA_MIX(9, 6, 1, 11);
    SHA_RND2(E, A, B, C, D, 9);
    SHA_MIX(10, 7, 2, 12);
    SHA_RND2(D, E, A, B, C, 10);
    SHA_MIX(11, 8, 3, 13);
    SHA_RND2(C, D, E, A, B, 11);
    SHA_MIX(12, 9, 4, 14);
    SHA_RND2(B, C, D, E, A, 12);
    SHA_MIX(13, 10, 5, 15);
    SHA_RND2(A, B, C, D, E, 13);
    SHA_MIX(14, 11, 6, 0);
    SHA_RND2(E, A, B, C, D, 14);
    SHA_MIX(15, 12, 7, 1);
    SHA_RND2(D, E, A, B, C, 15);

    SHA_MIX(0, 13, 8, 2);
    SHA_RND2(C, D, E, A, B, 0);
    SHA_MIX(1, 14, 9, 3);
    SHA_RND2(B, C, D, E, A, 1);
    SHA_MIX(2, 15, 10, 4);
    SHA_RND2(A, B, C, D, E, 2);
    SHA_MIX(3, 0, 11, 5);
    SHA_RND2(E, A, B, C, D, 3);
    SHA_MIX(4, 1, 12, 6);
    SHA_RND2(D, E, A, B, C, 4);
    SHA_MIX(5, 2, 13, 7);
    SHA_RND2(C, D, E, A, B, 5);
    SHA_MIX(6, 3, 14, 8);
    SHA_RND2(B, C, D, E, A, 6);
    SHA_MIX(7, 4, 15, 9);
    SHA_RND2(A, B, C, D, E, 7);

    SHA_MIX(8, 5, 0, 10);
    SHA_RND3(E, A, B, C, D, 8);
    SHA_MIX(9, 6, 1, 11);
    SHA_RND3(D, E, A, B, C, 9);
    SHA_MIX(10, 7, 2, 12);
    SHA_RND3(C, D, E, A, B, 10);
    SHA_MIX(11, 8, 3, 13);
    SHA_RND3(B, C, D, E, A, 11);
    SHA_MIX(12, 9, 4, 14);
    SHA_RND3(A, B, C, D, E, 12);
    SHA_MIX(13, 10, 5, 15);
    SHA_RND3(E, A, B, C, D, 13);
    SHA_MIX(14, 11, 6, 0);
    SHA_RND3(D, E, A, B, C, 14);
    SHA_MIX(15, 12, 7, 1);
    SHA_RND3(C, D, E, A, B, 15);

    SHA_MIX(0, 13, 8, 2);
    SHA_RND3(B, C, D, E, A, 0);
    SHA_MIX(1, 14, 9, 3);
    SHA_RND3(A, B, C, D, E, 1);
    SHA_MIX(2, 15, 10, 4);
    SHA_RND3(E, A, B, C, D, 2);
    SHA_MIX(3, 0, 11, 5);
    SHA_RND3(D, E, A, B, C, 3);
    SHA_MIX(4, 1, 12, 6);
    SHA_RND3(C, D, E, A, B, 4);
    SHA_MIX(5, 2, 13, 7);
    SHA_RND3(B, C, D, E, A, 5);
    SHA_MIX(6, 3, 14, 8);
    SHA_RND3(A, B, C, D, E, 6);
    SHA_MIX(7, 4, 15, 9);
    SHA_RND3(E, A, B, C, D, 7);
    SHA_MIX(8, 5, 0, 10);
    SHA_RND3(D, E, A, B, C, 8);
    SHA_MIX(9, 6, 1, 11);
    SHA_RND3(C, D, E, A, B, 9);
    SHA_MIX(10, 7, 2, 12);
    SHA_RND3(B, C, D, E, A, 10);
    SHA_MIX(11, 8, 3, 13);
    SHA_RND3(A, B, C, D, E, 11);

    SHA_MIX(12, 9, 4, 14);
    SHA_RND4(E, A, B, C, D, 12);
    SHA_MIX(13, 10, 5, 15);
    SHA_RND4(D, E, A, B, C, 13);
    SHA_MIX(14, 11, 6, 0);
    SHA_RND4(C, D, E, A, B, 14);
    SHA_MIX(15, 12, 7, 1);
    SHA_RND4(B, C, D, E, A, 15);

    SHA_MIX(0, 13, 8, 2);
    SHA_RND4(A, B, C, D, E, 0);
    SHA_MIX(1, 14, 9, 3);
    SHA_RND4(E, A, B, C, D, 1);
    SHA_MIX(2, 15, 10, 4);
    SHA_RND4(D, E, A, B, C, 2);
    SHA_MIX(3, 0, 11, 5);
    SHA_RND4(C, D, E, A, B, 3);
    SHA_MIX(4, 1, 12, 6);
    SHA_RND4(B, C, D, E, A, 4);
    SHA_MIX(5, 2, 13, 7);
    SHA_RND4(A, B, C, D, E, 5);
    SHA_MIX(6, 3, 14, 8);
    SHA_RND4(E, A, B, C, D, 6);
    SHA_MIX(7, 4, 15, 9);
    SHA_RND4(D, E, A, B, C, 7);
    SHA_MIX(8, 5, 0, 10);
    SHA_RND4(C, D, E, A, B, 8);
    SHA_MIX(9, 6, 1, 11);
    SHA_RND4(B, C, D, E, A, 9);
    SHA_MIX(10, 7, 2, 12);
    SHA_RND4(A, B, C, D, E, 10);
    SHA_MIX(11, 8, 3, 13);
    SHA_RND4(E, A, B, C, D, 11);
    SHA_MIX(12, 9, 4, 14);
    SHA_RND4(D, E, A, B, C, 12);
    SHA_MIX(13, 10, 5, 15);
    SHA_RND4(C, D, E, A, B, 13);
    SHA_MIX(14, 11, 6, 0);
    SHA_RND4(B, C, D, E, A, 14);
    SHA_MIX(15, 12, 7, 1);
    SHA_RND4(A, B, C, D, E, 15);

    XH(0) += A;
    XH(1) += B;
    XH(2) += C;
    XH(3) += D;
    XH(4) += E;
}

static void
SHA1_Compress_Generic(SHA1Context *ctx)
{
    shaCompress(&ctx->H[H2X], ctx->u.w);
}

/*************************************************************************
** Code below this line added to make SHA code support BLAPI interface
*/

SHA1Context *
SHA1_NewContext(void)
{
    SHA1Context *cx;

    /* no need to ZNew, SHA1_Begin will init the context */
    cx = PORT_New(SHA1Context);
    return cx;
}

/* Zero and free the context */
void
SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
{
    memset(cx, 0, sizeof *cx);
    if (freeit) {
        PORT_Free(cx);
    }
}

SECStatus
SHA1_HashBuf(unsigned char *dest, const unsigned char *src, PRUint32 src_length)
{
    SHA1Context ctx;
    unsigned int outLen;

    SHA1_Begin(&ctx);
    ctx.update(&ctx, src, src_length);
    SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
    memset(&ctx, 0, sizeof ctx);
    return SECSuccess;
}

/* Hash a null-terminated character string. */
SECStatus
SHA1_Hash(unsigned char *dest, const char *src)
{
    return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
}

/*
 * need to support save/restore state in pkcs11. Stores all the info necessary
 * for a structure into just a stream of bytes.
 */
unsigned int
SHA1_FlattenSize(SHA1Context *cx)
{
    return sizeof(SHA1Context);
}

SECStatus
SHA1_Flatten(SHA1Context *cx, unsigned char *space)
{
    PORT_Memcpy(space, cx, sizeof(SHA1Context));
    return SECSuccess;
}

SHA1Context *
SHA1_Resurrect(unsigned char *space, void *arg)
{
    SHA1Context *cx = SHA1_NewContext();
    if (cx == NULL)
        return NULL;

    PORT_Memcpy(cx, space, sizeof(SHA1Context));
    return cx;
}

void
SHA1_Clone(SHA1Context *dest, SHA1Context *src)
{
    memcpy(dest, src, sizeof *dest);
}

void
SHA1_TraceState(SHA1Context *ctx)
{
    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
}

Coverage Report

Created: 2026-01-22 06:19

Line	Count	Source
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		#ifdef FREEBL_NO_DEPEND
6		#include "stubs.h"
7		#endif
8
9		#include <memory.h>
10		#include "blapi.h"
11		#include "sha_fast.h"
12		#include "prerror.h"
13		#include "secerr.h"
14
15		#ifdef TRACING_SSL
16		#include "ssl.h"
17		#include "ssltrace.h"
18		#endif
19
20		static void shaCompress(volatile SHA_HW_t X, const PRUint32 datain);
21
22	5.98M	#define W u.w
23	7.55M	#define B u.b
24
25	148M	#define SHA_F1(X, Y, Z) ((((Y) ^ (Z)) & (X)) ^ (Z))
26	148M	#define SHA_F2(X, Y, Z) ((X) ^ (Y) ^ (Z))
27	148M	#define SHA_F3(X, Y, Z) (((X) & (Y)) \| ((Z) & ((X) \| (Y))))
28	148M	#define SHA_F4(X, Y, Z) ((X) ^ (Y) ^ (Z))
29
30	476M	#define SHA_MIX(n, a, b, c) XW(n) = SHA_ROTL(XW(a) ^ XW(b) ^ XW(c) ^ XW(n), 1)
31
32		void SHA1_Compress_Native(SHA1Context *ctx);
33		void SHA1_Update_Native(SHA1Context ctx, const unsigned char dataIn, unsigned int len);
34
35		static void SHA1_Compress_Generic(SHA1Context *ctx);
36		static void SHA1_Update_Generic(SHA1Context ctx, const unsigned char dataIn, unsigned int len);
37
38		#ifndef USE_HW_SHA1
39		void
40		SHA1_Compress_Native(SHA1Context *ctx)
41	0	{
42	0	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
43	0	PORT_Assert(0);
44	0	}
45
46		void
47		SHA1_Update_Native(SHA1Context ctx, const unsigned char dataIn, unsigned int len)
48	0	{
49	0	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
50	0	PORT_Assert(0);
51	0	}
52		#endif
53
54		/*
55		* SHA: initialize context
56		*/
57		void
58		SHA1_Begin(SHA1Context *ctx)
59	2.84M	{
60	2.84M	ctx->size = 0;
61		/*
62		* Initialize H with constants from FIPS180-1.
63		*/
64	2.84M	ctx->H[0] = 0x67452301L;
65	2.84M	ctx->H[1] = 0xefcdab89L;
66	2.84M	ctx->H[2] = 0x98badcfeL;
67	2.84M	ctx->H[3] = 0x10325476L;
68	2.84M	ctx->H[4] = 0xc3d2e1f0L;
69
70		#if defined(USE_HW_SHA1) && defined(IS_LITTLE_ENDIAN)
71		/* arm's implementation is tested on little endian only */
72		if (arm_sha1_support()) {
73		ctx->compress = SHA1_Compress_Native;
74		ctx->update = SHA1_Update_Native;
75		} else
76		#endif
77	2.84M	{
78	2.84M	ctx->compress = SHA1_Compress_Generic;
79	2.84M	ctx->update = SHA1_Update_Generic;
80	2.84M	}
81	2.84M	}
82
83		/* Explanation of H array and index values:
84		* The context's H array is actually the concatenation of two arrays
85		* defined by SHA1, the H array of state variables (5 elements),
86		* and the W array of intermediate values, of which there are 16 elements.
87		* The W array starts at H[5], that is W[0] is H[5].
88		* Although these values are defined as 32-bit values, we use 64-bit
89		* variables to hold them because the AMD64 stores 64 bit values in
90		* memory MUCH faster than it stores any smaller values.
91		*
92		* Rather than passing the context structure to shaCompress, we pass
93		* this combined array of H and W values. We do not pass the address
94		* of the first element of this array, but rather pass the address of an
95		* element in the middle of the array, element X. Presently X[0] is H[11].
96		* So we pass the address of H[11] as the address of array X to shaCompress.
97		* Then shaCompress accesses the members of the array using positive AND
98		* negative indexes.
99		*
100		* Pictorially: (each element is 8 bytes)
101		* H \| H0 H1 H2 H3 H4 W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 Wa Wb Wc Wd We Wf \|
102		* X \|-11-10 -9 -8 -7 -6 -5 -4 -3 -2 -1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 \|
103		*
104		* The byte offset from X[0] to any member of H and W is always
105		* representable in a signed 8-bit value, which will be encoded
106		* as a single byte offset in the X86-64 instruction set.
107		* If we didn't pass the address of H[11], and instead passed the
108		* address of H[0], the offsets to elements H[16] and above would be
109		* greater than 127, not representable in a signed 8-bit value, and the
110		* x86-64 instruction set would encode every such offset as a 32-bit
111		* signed number in each instruction that accessed element H[16] or
112		* higher. This results in much bigger and slower code.
113		*/
114		#if !defined(SHA_PUT_W_IN_STACK)
115	81.9M	#define H2X 11 /* X[0] is H[11], and H[0] is X[-11] */
116	3.09G	#define W2X 6 /* X[0] is W[6], and W[0] is X[-6] */
117		#else
118		#define H2X 0
119		#endif
120
121		/*
122		* SHA: Add data to context.
123		*/
124		void
125		SHA1_Update(SHA1Context ctx, const unsigned char dataIn, unsigned int len)
126	9.56M	{
127	9.56M	ctx->update(ctx, dataIn, len);
128	9.56M	}
129
130		static void
131		SHA1_Update_Generic(SHA1Context ctx, const unsigned char dataIn, unsigned int len)
132	9.56M	{
133	9.56M	register unsigned int lenB;
134	9.56M	register unsigned int togo;
135
136	9.56M	if (!len)
137	79.3k	return;
138
139		/* accumulate the byte count. */
140	9.48M	lenB = (unsigned int)(ctx->size) & 63U;
141
142	9.48M	ctx->size += len;
143
144		/*
145		* Read the data into W and process blocks as they get full
146		*/
147	9.48M	if (lenB > 0) {
148	4.22M	togo = 64U - lenB;
149	4.22M	if (len < togo)
150	3.49M	togo = len;
151	4.22M	memcpy(ctx->B + lenB, dataIn, togo);
152	4.22M	len -= togo;
153	4.22M	dataIn += togo;
154	4.22M	lenB = (lenB + togo) & 63U;
155	4.22M	if (!lenB) {
156	735k	shaCompress(&ctx->H[H2X], ctx->W);
157	735k	}
158	4.22M	}
159		#if !defined(HAVE_UNALIGNED_ACCESS)
160		if ((ptrdiff_t)dataIn % sizeof(PRUint32)) {
161		while (len >= 64U) {
162		memcpy(ctx->B, dataIn, 64);
163		len -= 64U;
164		shaCompress(&ctx->H[H2X], ctx->W);
165		dataIn += 64U;
166		}
167		} else
168		#endif
169	9.48M	{
170	13.5M	while (len >= 64U) {
171	4.09M	len -= 64U;
172	4.09M	shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
173	4.09M	dataIn += 64U;
174	4.09M	}
175	9.48M	}
176	9.48M	if (len) {
177	3.32M	memcpy(ctx->B, dataIn, len);
178	3.32M	}
179	9.48M	}
180
181		/*
182		* SHA: Generate hash value from context
183		*/
184		void NO_SANITIZE_ALIGNMENT
185		SHA1_End(SHA1Context ctx, unsigned char hashout,
186		unsigned int *pDigestLen, unsigned int maxDigestLen)
187	2.62M	{
188	2.62M	register PRUint64 size;
189	2.62M	register PRUint32 lenB;
190
191	2.62M	static const unsigned char bulk_pad[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0,
192	2.62M	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
193	2.62M	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
194	2.62M	#define tmp lenB
195
196	2.62M	PORT_Assert(maxDigestLen >= SHA1_LENGTH);
197
198		/*
199		* Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
200		*/
201	2.62M	size = ctx->size;
202
203	2.62M	lenB = (PRUint32)size & 63;
204	2.62M	SHA1_Update(ctx, bulk_pad, (((55 + 64) - lenB) & 63) + 1);
205	2.62M	PORT_Assert(((PRUint32)ctx->size & 63) == 56);
206		/* Convert size from bytes to bits. */
207	2.62M	size <<= 3;
208	2.62M	ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
209	2.62M	ctx->W[15] = SHA_HTONL((PRUint32)size);
210	2.62M	ctx->compress(ctx);
211
212		/*
213		* Output hash
214		*/
215	2.62M	SHA_STORE_RESULT;
216	2.62M	if (pDigestLen) {
217	2.60M	*pDigestLen = SHA1_LENGTH;
218	2.60M	}
219	2.62M	#undef tmp
220	2.62M	}
221
222		void
223		SHA1_EndRaw(SHA1Context ctx, unsigned char hashout,
224		unsigned int *pDigestLen, unsigned int maxDigestLen)
225	125k	{
226		#if defined(SHA_NEED_TMP_VARIABLE)
227		register PRUint32 tmp;
228		#endif
229	125k	PORT_Assert(maxDigestLen >= SHA1_LENGTH);
230
231	125k	SHA_STORE_RESULT;
232	125k	if (pDigestLen)
233	0	*pDigestLen = SHA1_LENGTH;
234	125k	}
235
236		#undef B
237		/*
238		* SHA: Compression function, unrolled.
239		*
240		* Some operations in shaCompress are done as 5 groups of 16 operations.
241		* Others are done as 4 groups of 20 operations.
242		* The code below shows that structure.
243		*
244		* The functions that compute the new values of the 5 state variables
245		* A-E are done in 4 groups of 20 operations (or you may also think
246		* of them as being done in 16 groups of 5 operations). They are
247		* done by the SHA_RNDx macros below, in the right column.
248		*
249		* The functions that set the 16 values of the W array are done in
250		* 5 groups of 16 operations. The first group is done by the
251		* LOAD macros below, the latter 4 groups are done by SHA_MIX below,
252		* in the left column.
253		*
254		* gcc's optimizer observes that each member of the W array is assigned
255		* a value 5 times in this code. It reduces the number of store
256		* operations done to the W array in the context (that is, in the X array)
257		* by creating a W array on the stack, and storing the W values there for
258		* the first 4 groups of operations on W, and storing the values in the
259		* context's W array only in the fifth group. This is undesirable.
260		* It is MUCH bigger code than simply using the context's W array, because
261		* all the offsets to the W array in the stack are 32-bit signed offsets,
262		* and it is no faster than storing the values in the context's W array.
263		*
264		* The original code for sha_fast.c prevented this creation of a separate
265		* W array in the stack by creating a W array of 80 members, each of
266		* whose elements is assigned only once. It also separated the computations
267		* of the W array values and the computations of the values for the 5
268		* state variables into two separate passes, W's, then A-E's so that the
269		* second pass could be done all in registers (except for accessing the W
270		* array) on machines with fewer registers. The method is suboptimal
271		* for machines with enough registers to do it all in one pass, and it
272		* necessitates using many instructions with 32-bit offsets.
273		*
274		* This code eliminates the separate W array on the stack by a completely
275		* different means: by declaring the X array volatile. This prevents
276		* the optimizer from trying to reduce the use of the X array by the
277		* creation of a MORE expensive W array on the stack. The result is
278		* that all instructions use signed 8-bit offsets and not 32-bit offsets.
279		*
280		* The combination of this code and the -O3 optimizer flag on GCC 3.4.3
281		* results in code that is 3 times faster than the previous NSS sha_fast
282		* code on AMD64.
283		*/
284		static void NO_SANITIZE_ALIGNMENT
285		shaCompress(volatile SHA_HW_t X, const PRUint32 inbuf)
286	7.44M	{
287	7.44M	register SHA_HW_t A, B, C, D, E;
288
289		#if defined(SHA_NEED_TMP_VARIABLE)
290		register PRUint32 tmp;
291		#endif
292
293	7.44M	#if !defined(SHA_PUT_W_IN_STACK)
294	74.4M	#define XH(n) X[n - H2X]
295	3.09G	#define XW(n) X[n - W2X]
296		#else
297		SHA_HW_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7,
298		w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
299		#define XW(n) w_##n
300		#define XH(n) X[n]
301		#endif
302
303	148M	#define K0 0x5a827999L
304	148M	#define K1 0x6ed9eba1L
305	148M	#define K2 0x8f1bbcdcL
306	148M	#define K3 0xca62c1d6L
307
308	7.44M	#define SHA_RND1(a, b, c, d, e, n) \
309	148M	a = SHA_ROTL(b, 5) + SHA_F1(c, d, e) + a + XW(n) + K0; \
310	148M	c = SHA_ROTL(c, 30)
311	7.44M	#define SHA_RND2(a, b, c, d, e, n) \
312	148M	a = SHA_ROTL(b, 5) + SHA_F2(c, d, e) + a + XW(n) + K1; \
313	148M	c = SHA_ROTL(c, 30)
314	7.44M	#define SHA_RND3(a, b, c, d, e, n) \
315	148M	a = SHA_ROTL(b, 5) + SHA_F3(c, d, e) + a + XW(n) + K2; \
316	148M	c = SHA_ROTL(c, 30)
317	7.44M	#define SHA_RND4(a, b, c, d, e, n) \
318	148M	a = SHA_ROTL(b, 5) + SHA_F4(c, d, e) + a + XW(n) + K3; \
319	148M	c = SHA_ROTL(c, 30)
320
321	119M	#define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])
322
323	7.44M	A = XH(0);
324	7.44M	B = XH(1);
325	7.44M	C = XH(2);
326	7.44M	D = XH(3);
327	7.44M	E = XH(4);
328
329	7.44M	LOAD(0);
330	7.44M	SHA_RND1(E, A, B, C, D, 0);
331	7.44M	LOAD(1);
332	7.44M	SHA_RND1(D, E, A, B, C, 1);
333	7.44M	LOAD(2);
334	7.44M	SHA_RND1(C, D, E, A, B, 2);
335	7.44M	LOAD(3);
336	7.44M	SHA_RND1(B, C, D, E, A, 3);
337	7.44M	LOAD(4);
338	7.44M	SHA_RND1(A, B, C, D, E, 4);
339	7.44M	LOAD(5);
340	7.44M	SHA_RND1(E, A, B, C, D, 5);
341	7.44M	LOAD(6);
342	7.44M	SHA_RND1(D, E, A, B, C, 6);
343	7.44M	LOAD(7);
344	7.44M	SHA_RND1(C, D, E, A, B, 7);
345	7.44M	LOAD(8);
346	7.44M	SHA_RND1(B, C, D, E, A, 8);
347	7.44M	LOAD(9);
348	7.44M	SHA_RND1(A, B, C, D, E, 9);
349	7.44M	LOAD(10);
350	7.44M	SHA_RND1(E, A, B, C, D, 10);
351	7.44M	LOAD(11);
352	7.44M	SHA_RND1(D, E, A, B, C, 11);
353	7.44M	LOAD(12);
354	7.44M	SHA_RND1(C, D, E, A, B, 12);
355	7.44M	LOAD(13);
356	7.44M	SHA_RND1(B, C, D, E, A, 13);
357	7.44M	LOAD(14);
358	7.44M	SHA_RND1(A, B, C, D, E, 14);
359	7.44M	LOAD(15);
360	7.44M	SHA_RND1(E, A, B, C, D, 15);
361
362	7.44M	SHA_MIX(0, 13, 8, 2);
363	7.44M	SHA_RND1(D, E, A, B, C, 0);
364	7.44M	SHA_MIX(1, 14, 9, 3);
365	7.44M	SHA_RND1(C, D, E, A, B, 1);
366	7.44M	SHA_MIX(2, 15, 10, 4);
367	7.44M	SHA_RND1(B, C, D, E, A, 2);
368	7.44M	SHA_MIX(3, 0, 11, 5);
369	7.44M	SHA_RND1(A, B, C, D, E, 3);
370
371	7.44M	SHA_MIX(4, 1, 12, 6);
372	7.44M	SHA_RND2(E, A, B, C, D, 4);
373	7.44M	SHA_MIX(5, 2, 13, 7);
374	7.44M	SHA_RND2(D, E, A, B, C, 5);
375	7.44M	SHA_MIX(6, 3, 14, 8);
376	7.44M	SHA_RND2(C, D, E, A, B, 6);
377	7.44M	SHA_MIX(7, 4, 15, 9);
378	7.44M	SHA_RND2(B, C, D, E, A, 7);
379	7.44M	SHA_MIX(8, 5, 0, 10);
380	7.44M	SHA_RND2(A, B, C, D, E, 8);
381	7.44M	SHA_MIX(9, 6, 1, 11);
382	7.44M	SHA_RND2(E, A, B, C, D, 9);
383	7.44M	SHA_MIX(10, 7, 2, 12);
384	7.44M	SHA_RND2(D, E, A, B, C, 10);
385	7.44M	SHA_MIX(11, 8, 3, 13);
386	7.44M	SHA_RND2(C, D, E, A, B, 11);
387	7.44M	SHA_MIX(12, 9, 4, 14);
388	7.44M	SHA_RND2(B, C, D, E, A, 12);
389	7.44M	SHA_MIX(13, 10, 5, 15);
390	7.44M	SHA_RND2(A, B, C, D, E, 13);
391	7.44M	SHA_MIX(14, 11, 6, 0);
392	7.44M	SHA_RND2(E, A, B, C, D, 14);
393	7.44M	SHA_MIX(15, 12, 7, 1);
394	7.44M	SHA_RND2(D, E, A, B, C, 15);
395
396	7.44M	SHA_MIX(0, 13, 8, 2);
397	7.44M	SHA_RND2(C, D, E, A, B, 0);
398	7.44M	SHA_MIX(1, 14, 9, 3);
399	7.44M	SHA_RND2(B, C, D, E, A, 1);
400	7.44M	SHA_MIX(2, 15, 10, 4);
401	7.44M	SHA_RND2(A, B, C, D, E, 2);
402	7.44M	SHA_MIX(3, 0, 11, 5);
403	7.44M	SHA_RND2(E, A, B, C, D, 3);
404	7.44M	SHA_MIX(4, 1, 12, 6);
405	7.44M	SHA_RND2(D, E, A, B, C, 4);
406	7.44M	SHA_MIX(5, 2, 13, 7);
407	7.44M	SHA_RND2(C, D, E, A, B, 5);
408	7.44M	SHA_MIX(6, 3, 14, 8);
409	7.44M	SHA_RND2(B, C, D, E, A, 6);
410	7.44M	SHA_MIX(7, 4, 15, 9);
411	7.44M	SHA_RND2(A, B, C, D, E, 7);
412
413	7.44M	SHA_MIX(8, 5, 0, 10);
414	7.44M	SHA_RND3(E, A, B, C, D, 8);
415	7.44M	SHA_MIX(9, 6, 1, 11);
416	7.44M	SHA_RND3(D, E, A, B, C, 9);
417	7.44M	SHA_MIX(10, 7, 2, 12);
418	7.44M	SHA_RND3(C, D, E, A, B, 10);
419	7.44M	SHA_MIX(11, 8, 3, 13);
420	7.44M	SHA_RND3(B, C, D, E, A, 11);
421	7.44M	SHA_MIX(12, 9, 4, 14);
422	7.44M	SHA_RND3(A, B, C, D, E, 12);
423	7.44M	SHA_MIX(13, 10, 5, 15);
424	7.44M	SHA_RND3(E, A, B, C, D, 13);
425	7.44M	SHA_MIX(14, 11, 6, 0);
426	7.44M	SHA_RND3(D, E, A, B, C, 14);
427	7.44M	SHA_MIX(15, 12, 7, 1);
428	7.44M	SHA_RND3(C, D, E, A, B, 15);
429
430	7.44M	SHA_MIX(0, 13, 8, 2);
431	7.44M	SHA_RND3(B, C, D, E, A, 0);
432	7.44M	SHA_MIX(1, 14, 9, 3);
433	7.44M	SHA_RND3(A, B, C, D, E, 1);
434	7.44M	SHA_MIX(2, 15, 10, 4);
435	7.44M	SHA_RND3(E, A, B, C, D, 2);
436	7.44M	SHA_MIX(3, 0, 11, 5);
437	7.44M	SHA_RND3(D, E, A, B, C, 3);
438	7.44M	SHA_MIX(4, 1, 12, 6);
439	7.44M	SHA_RND3(C, D, E, A, B, 4);
440	7.44M	SHA_MIX(5, 2, 13, 7);
441	7.44M	SHA_RND3(B, C, D, E, A, 5);
442	7.44M	SHA_MIX(6, 3, 14, 8);
443	7.44M	SHA_RND3(A, B, C, D, E, 6);
444	7.44M	SHA_MIX(7, 4, 15, 9);
445	7.44M	SHA_RND3(E, A, B, C, D, 7);
446	7.44M	SHA_MIX(8, 5, 0, 10);
447	7.44M	SHA_RND3(D, E, A, B, C, 8);
448	7.44M	SHA_MIX(9, 6, 1, 11);
449	7.44M	SHA_RND3(C, D, E, A, B, 9);
450	7.44M	SHA_MIX(10, 7, 2, 12);
451	7.44M	SHA_RND3(B, C, D, E, A, 10);
452	7.44M	SHA_MIX(11, 8, 3, 13);
453	7.44M	SHA_RND3(A, B, C, D, E, 11);
454
455	7.44M	SHA_MIX(12, 9, 4, 14);
456	7.44M	SHA_RND4(E, A, B, C, D, 12);
457	7.44M	SHA_MIX(13, 10, 5, 15);
458	7.44M	SHA_RND4(D, E, A, B, C, 13);
459	7.44M	SHA_MIX(14, 11, 6, 0);
460	7.44M	SHA_RND4(C, D, E, A, B, 14);
461	7.44M	SHA_MIX(15, 12, 7, 1);
462	7.44M	SHA_RND4(B, C, D, E, A, 15);
463
464	7.44M	SHA_MIX(0, 13, 8, 2);
465	7.44M	SHA_RND4(A, B, C, D, E, 0);
466	7.44M	SHA_MIX(1, 14, 9, 3);
467	7.44M	SHA_RND4(E, A, B, C, D, 1);
468	7.44M	SHA_MIX(2, 15, 10, 4);
469	7.44M	SHA_RND4(D, E, A, B, C, 2);
470	7.44M	SHA_MIX(3, 0, 11, 5);
471	7.44M	SHA_RND4(C, D, E, A, B, 3);
472	7.44M	SHA_MIX(4, 1, 12, 6);
473	7.44M	SHA_RND4(B, C, D, E, A, 4);
474	7.44M	SHA_MIX(5, 2, 13, 7);
475	7.44M	SHA_RND4(A, B, C, D, E, 5);
476	7.44M	SHA_MIX(6, 3, 14, 8);
477	7.44M	SHA_RND4(E, A, B, C, D, 6);
478	7.44M	SHA_MIX(7, 4, 15, 9);
479	7.44M	SHA_RND4(D, E, A, B, C, 7);
480	7.44M	SHA_MIX(8, 5, 0, 10);
481	7.44M	SHA_RND4(C, D, E, A, B, 8);
482	7.44M	SHA_MIX(9, 6, 1, 11);
483	7.44M	SHA_RND4(B, C, D, E, A, 9);
484	7.44M	SHA_MIX(10, 7, 2, 12);
485	7.44M	SHA_RND4(A, B, C, D, E, 10);
486	7.44M	SHA_MIX(11, 8, 3, 13);
487	7.44M	SHA_RND4(E, A, B, C, D, 11);
488	7.44M	SHA_MIX(12, 9, 4, 14);
489	7.44M	SHA_RND4(D, E, A, B, C, 12);
490	7.44M	SHA_MIX(13, 10, 5, 15);
491	7.44M	SHA_RND4(C, D, E, A, B, 13);
492	7.44M	SHA_MIX(14, 11, 6, 0);
493	7.44M	SHA_RND4(B, C, D, E, A, 14);
494	7.44M	SHA_MIX(15, 12, 7, 1);
495	7.44M	SHA_RND4(A, B, C, D, E, 15);
496
497	7.44M	XH(0) += A;
498	7.44M	XH(1) += B;
499	7.44M	XH(2) += C;
500	7.44M	XH(3) += D;
501	7.44M	XH(4) += E;
502	7.44M	}
503
504		static void
505		SHA1_Compress_Generic(SHA1Context *ctx)
506	2.62M	{
507	2.62M	shaCompress(&ctx->H[H2X], ctx->u.w);
508	2.62M	}
509
510		/*************************************************************************
511		** Code below this line added to make SHA code support BLAPI interface
512		*/
513
514		SHA1Context *
515		SHA1_NewContext(void)
516	807k	{
517	807k	SHA1Context *cx;
518
519		/* no need to ZNew, SHA1_Begin will init the context */
520	807k	cx = PORT_New(SHA1Context);
521	807k	return cx;
522	807k	}
523
524		/* Zero and free the context */
525		void
526		SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
527	807k	{
528	807k	memset(cx, 0, sizeof *cx);
529	807k	if (freeit) {
530	807k	PORT_Free(cx);
531	807k	}
532	807k	}
533
534		SECStatus
535		SHA1_HashBuf(unsigned char dest, const unsigned char src, PRUint32 src_length)
536	0	{
537	0	SHA1Context ctx;
538	0	unsigned int outLen;
539
540	0	SHA1_Begin(&ctx);
541	0	ctx.update(&ctx, src, src_length);
542	0	SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
543	0	memset(&ctx, 0, sizeof ctx);
544	0	return SECSuccess;
545	0	}
546
547		/* Hash a null-terminated character string. */
548		SECStatus
549		SHA1_Hash(unsigned char dest, const char src)
550	0	{
551	0	return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
552	0	}
553
554		/*
555		* need to support save/restore state in pkcs11. Stores all the info necessary
556		* for a structure into just a stream of bytes.
557		*/
558		unsigned int
559		SHA1_FlattenSize(SHA1Context *cx)
560	346k	{
561	346k	return sizeof(SHA1Context);
562	346k	}
563
564		SECStatus
565		SHA1_Flatten(SHA1Context cx, unsigned char space)
566	0	{
567	0	PORT_Memcpy(space, cx, sizeof(SHA1Context));
568	0	return SECSuccess;
569	0	}
570
571		SHA1Context *
572		SHA1_Resurrect(unsigned char space, void arg)
573	0	{
574	0	SHA1Context *cx = SHA1_NewContext();
575	0	if (cx == NULL)
576	0	return NULL;
577
578	0	PORT_Memcpy(cx, space, sizeof(SHA1Context));
579	0	return cx;
580	0	}
581
582		void
583		SHA1_Clone(SHA1Context dest, SHA1Context src)
584	0	{
585	0	memcpy(dest, src, sizeof *dest);
586	0	}
587
588		void
589		SHA1_TraceState(SHA1Context *ctx)
590	0	{
591	0	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
592	0	}