1 #![allow(clippy::many_single_char_names)]
2 use crate::consts::BLOCK_LEN;
3 use core::convert::TryInto;
4 
5 #[inline(always)]
shl(v: [u32; 4], o: u32) -> [u32; 4]6 fn shl(v: [u32; 4], o: u32) -> [u32; 4] {
7     [v[0] >> o, v[1] >> o, v[2] >> o, v[3] >> o]
8 }
9 
10 #[inline(always)]
shr(v: [u32; 4], o: u32) -> [u32; 4]11 fn shr(v: [u32; 4], o: u32) -> [u32; 4] {
12     [v[0] << o, v[1] << o, v[2] << o, v[3] << o]
13 }
14 
15 #[inline(always)]
or(a: [u32; 4], b: [u32; 4]) -> [u32; 4]16 fn or(a: [u32; 4], b: [u32; 4]) -> [u32; 4] {
17     [a[0] | b[0], a[1] | b[1], a[2] | b[2], a[3] | b[3]]
18 }
19 
20 #[inline(always)]
xor(a: [u32; 4], b: [u32; 4]) -> [u32; 4]21 fn xor(a: [u32; 4], b: [u32; 4]) -> [u32; 4] {
22     [a[0] ^ b[0], a[1] ^ b[1], a[2] ^ b[2], a[3] ^ b[3]]
23 }
24 
25 #[inline(always)]
add(a: [u32; 4], b: [u32; 4]) -> [u32; 4]26 fn add(a: [u32; 4], b: [u32; 4]) -> [u32; 4] {
27     [
28         a[0].wrapping_add(b[0]),
29         a[1].wrapping_add(b[1]),
30         a[2].wrapping_add(b[2]),
31         a[3].wrapping_add(b[3]),
32     ]
33 }
34 
sha256load(v2: [u32; 4], v3: [u32; 4]) -> [u32; 4]35 fn sha256load(v2: [u32; 4], v3: [u32; 4]) -> [u32; 4] {
36     [v3[3], v2[0], v2[1], v2[2]]
37 }
38 
sha256swap(v0: [u32; 4]) -> [u32; 4]39 fn sha256swap(v0: [u32; 4]) -> [u32; 4] {
40     [v0[2], v0[3], v0[0], v0[1]]
41 }
42 
sha256msg1(v0: [u32; 4], v1: [u32; 4]) -> [u32; 4]43 fn sha256msg1(v0: [u32; 4], v1: [u32; 4]) -> [u32; 4] {
44     // sigma 0 on vectors
45     #[inline]
sigma0x4(x: [u32; 4]) -> [u32; 4]46     fn sigma0x4(x: [u32; 4]) -> [u32; 4] {
47         let t1 = or(shl(x, 7), shr(x, 25));
48         let t2 = or(shl(x, 18), shr(x, 14));
49         let t3 = shl(x, 3);
50         xor(xor(t1, t2), t3)
51     }
52 
53     add(v0, sigma0x4(sha256load(v0, v1)))
54 }
55 
sha256msg2(v4: [u32; 4], v3: [u32; 4]) -> [u32; 4]56 fn sha256msg2(v4: [u32; 4], v3: [u32; 4]) -> [u32; 4] {
57     macro_rules! sigma1 {
58         ($a:expr) => {
59             $a.rotate_right(17) ^ $a.rotate_right(19) ^ ($a >> 10)
60         };
61     }
62 
63     let [x3, x2, x1, x0] = v4;
64     let [w15, w14, _, _] = v3;
65 
66     let w16 = x0.wrapping_add(sigma1!(w14));
67     let w17 = x1.wrapping_add(sigma1!(w15));
68     let w18 = x2.wrapping_add(sigma1!(w16));
69     let w19 = x3.wrapping_add(sigma1!(w17));
70 
71     [w19, w18, w17, w16]
72 }
73 
sha256_digest_round_x2(cdgh: [u32; 4], abef: [u32; 4], wk: [u32; 4]) -> [u32; 4]74 fn sha256_digest_round_x2(cdgh: [u32; 4], abef: [u32; 4], wk: [u32; 4]) -> [u32; 4] {
75     macro_rules! big_sigma0 {
76         ($a:expr) => {
77             ($a.rotate_right(2) ^ $a.rotate_right(13) ^ $a.rotate_right(22))
78         };
79     }
80     macro_rules! big_sigma1 {
81         ($a:expr) => {
82             ($a.rotate_right(6) ^ $a.rotate_right(11) ^ $a.rotate_right(25))
83         };
84     }
85     macro_rules! bool3ary_202 {
86         ($a:expr, $b:expr, $c:expr) => {
87             $c ^ ($a & ($b ^ $c))
88         };
89     } // Choose, MD5F, SHA1C
90     macro_rules! bool3ary_232 {
91         ($a:expr, $b:expr, $c:expr) => {
92             ($a & $b) ^ ($a & $c) ^ ($b & $c)
93         };
94     } // Majority, SHA1M
95 
96     let [_, _, wk1, wk0] = wk;
97     let [a0, b0, e0, f0] = abef;
98     let [c0, d0, g0, h0] = cdgh;
99 
100     // a round
101     let x0 = big_sigma1!(e0)
102         .wrapping_add(bool3ary_202!(e0, f0, g0))
103         .wrapping_add(wk0)
104         .wrapping_add(h0);
105     let y0 = big_sigma0!(a0).wrapping_add(bool3ary_232!(a0, b0, c0));
106     let (a1, b1, c1, d1, e1, f1, g1, h1) = (
107         x0.wrapping_add(y0),
108         a0,
109         b0,
110         c0,
111         x0.wrapping_add(d0),
112         e0,
113         f0,
114         g0,
115     );
116 
117     // a round
118     let x1 = big_sigma1!(e1)
119         .wrapping_add(bool3ary_202!(e1, f1, g1))
120         .wrapping_add(wk1)
121         .wrapping_add(h1);
122     let y1 = big_sigma0!(a1).wrapping_add(bool3ary_232!(a1, b1, c1));
123     let (a2, b2, _, _, e2, f2, _, _) = (
124         x1.wrapping_add(y1),
125         a1,
126         b1,
127         c1,
128         x1.wrapping_add(d1),
129         e1,
130         f1,
131         g1,
132     );
133 
134     [a2, b2, e2, f2]
135 }
136 
schedule(v0: [u32; 4], v1: [u32; 4], v2: [u32; 4], v3: [u32; 4]) -> [u32; 4]137 fn schedule(v0: [u32; 4], v1: [u32; 4], v2: [u32; 4], v3: [u32; 4]) -> [u32; 4] {
138     let t1 = sha256msg1(v0, v1);
139     let t2 = sha256load(v2, v3);
140     let t3 = add(t1, t2);
141     sha256msg2(t3, v3)
142 }
143 
144 macro_rules! rounds4 {
145     ($abef:ident, $cdgh:ident, $rest:expr, $i:expr) => {{
146         let t1 = add($rest, crate::consts::K32X4[$i]);
147         $cdgh = sha256_digest_round_x2($cdgh, $abef, t1);
148         let t2 = sha256swap(t1);
149         $abef = sha256_digest_round_x2($abef, $cdgh, t2);
150     }};
151 }
152 
153 macro_rules! schedule_rounds4 {
154     (
155         $abef:ident, $cdgh:ident,
156         $w0:expr, $w1:expr, $w2:expr, $w3:expr, $w4:expr,
157         $i: expr
158     ) => {{
159         $w4 = schedule($w0, $w1, $w2, $w3);
160         rounds4!($abef, $cdgh, $w4, $i);
161     }};
162 }
163 
164 /// Process a block with the SHA-256 algorithm.
sha256_digest_block_u32(state: &mut [u32; 8], block: &[u32; 16])165 fn sha256_digest_block_u32(state: &mut [u32; 8], block: &[u32; 16]) {
166     let mut abef = [state[0], state[1], state[4], state[5]];
167     let mut cdgh = [state[2], state[3], state[6], state[7]];
168 
169     // Rounds 0..64
170     let mut w0 = [block[3], block[2], block[1], block[0]];
171     let mut w1 = [block[7], block[6], block[5], block[4]];
172     let mut w2 = [block[11], block[10], block[9], block[8]];
173     let mut w3 = [block[15], block[14], block[13], block[12]];
174     let mut w4;
175 
176     rounds4!(abef, cdgh, w0, 0);
177     rounds4!(abef, cdgh, w1, 1);
178     rounds4!(abef, cdgh, w2, 2);
179     rounds4!(abef, cdgh, w3, 3);
180     schedule_rounds4!(abef, cdgh, w0, w1, w2, w3, w4, 4);
181     schedule_rounds4!(abef, cdgh, w1, w2, w3, w4, w0, 5);
182     schedule_rounds4!(abef, cdgh, w2, w3, w4, w0, w1, 6);
183     schedule_rounds4!(abef, cdgh, w3, w4, w0, w1, w2, 7);
184     schedule_rounds4!(abef, cdgh, w4, w0, w1, w2, w3, 8);
185     schedule_rounds4!(abef, cdgh, w0, w1, w2, w3, w4, 9);
186     schedule_rounds4!(abef, cdgh, w1, w2, w3, w4, w0, 10);
187     schedule_rounds4!(abef, cdgh, w2, w3, w4, w0, w1, 11);
188     schedule_rounds4!(abef, cdgh, w3, w4, w0, w1, w2, 12);
189     schedule_rounds4!(abef, cdgh, w4, w0, w1, w2, w3, 13);
190     schedule_rounds4!(abef, cdgh, w0, w1, w2, w3, w4, 14);
191     schedule_rounds4!(abef, cdgh, w1, w2, w3, w4, w0, 15);
192 
193     let [a, b, e, f] = abef;
194     let [c, d, g, h] = cdgh;
195 
196     state[0] = state[0].wrapping_add(a);
197     state[1] = state[1].wrapping_add(b);
198     state[2] = state[2].wrapping_add(c);
199     state[3] = state[3].wrapping_add(d);
200     state[4] = state[4].wrapping_add(e);
201     state[5] = state[5].wrapping_add(f);
202     state[6] = state[6].wrapping_add(g);
203     state[7] = state[7].wrapping_add(h);
204 }
205 
compress(state: &mut [u32; 8], blocks: &[[u8; 64]])206 pub fn compress(state: &mut [u32; 8], blocks: &[[u8; 64]]) {
207     let mut block_u32 = [0u32; BLOCK_LEN];
208     // since LLVM can't properly use aliasing yet it will make
209     // unnecessary state stores without this copy
210     let mut state_cpy = *state;
211     for block in blocks {
212         for (o, chunk) in block_u32.iter_mut().zip(block.chunks_exact(4)) {
213             *o = u32::from_be_bytes(chunk.try_into().unwrap());
214         }
215         sha256_digest_block_u32(&mut state_cpy, &block_u32);
216     }
217     *state = state_cpy;
218 }
219