1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// SHA256 block routine. See sha256block.go for Go equivalent.
6//
7// The algorithm is detailed in FIPS 180-4:
8//
9// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
10//
11// Wt = Mt; for 0 <= t <= 15
12// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
13//
14// a = H0
15// b = H1
16// c = H2
17// d = H3
18// e = H4
19// f = H5
20// g = H6
21// h = H7
22//
23// for t = 0 to 63 {
24// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt
25// T2 = BIGSIGMA0(a) + Maj(a,b,c)
26// h = g
27// g = f
28// f = e
29// e = d + T1
30// d = c
31// c = b
32// b = a
33// a = T1 + T2
34// }
35//
36// H0 = a + H0
37// H1 = b + H1
38// H2 = c + H2
39// H3 = d + H3
40// H4 = e + H4
41// H5 = f + H5
42// H6 = g + H6
43// H7 = h + H7
44
45// Wt = Mt; for 0 <= t <= 15
// MSGSCHEDULE0 loads message word `index` of the current block and stores it
// in the message schedule.
//   In:     SI = current 64-byte block, BP = schedule base (W[0])
//   Out:    AX = Wt, also stored at (index*4)(BP)
//   Clobb:  AX
// BSWAPL reverses the byte order of the loaded word (SHA-256 message words are
// big-endian, 386 is little-endian). Both offsets are the macro's constant
// index, so the addresses touched do not depend on message content.
46#define MSGSCHEDULE0(index) \
47 MOVL (index*4)(SI), AX; \
48 BSWAPL AX; \
49 MOVL AX, (index*4)(BP)
50
51// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
52// SIGMA0(x) = ROTR(7,x) XOR ROTR(18,x) XOR SHR(3,x)
53// SIGMA1(x) = ROTR(17,x) XOR ROTR(19,x) XOR SHR(10,x)
// MSGSCHEDULE1 extends the schedule from four earlier entries.
//   In:     BP = schedule base; W[index-2], W[index-7], W[index-15] and
//           W[index-16] must already be stored there
//   Out:    AX = Wt, also stored at (index*4)(BP)
//   Clobb:  AX, BX, CX, DX
// SIGMA1(Wt-2) is accumulated in AX and SIGMA0(Wt-15) in BX, with CX and DX
// holding the rotated/shifted copies. The two computations are interleaved
// instruction by instruction, so the order below is deliberate. All schedule
// offsets are constants derived from `index`.
54#define MSGSCHEDULE1(index) \
55 MOVL ((index-2)*4)(BP), AX; \
56 MOVL AX, CX; \
57 RORL $17, AX; \
58 MOVL CX, DX; \
59 RORL $19, CX; \
60 SHRL $10, DX; \
61 MOVL ((index-15)*4)(BP), BX; \
62 XORL CX, AX; \
63 MOVL BX, CX; \
64 XORL DX, AX; \
65 RORL $7, BX; \
66 MOVL CX, DX; \
67 SHRL $3, DX; \
68 RORL $18, CX; \
69 ADDL ((index-7)*4)(BP), AX; \
70 XORL CX, BX; \
71 XORL DX, BX; \
72 ADDL ((index-16)*4)(BP), BX; \
73 ADDL BX, AX; \
74 MOVL AX, ((index)*4)(BP)
75
76// Calculate T1 in AX - uses AX, BX, CX and DX registers.
77// Wt is passed in AX.
78// T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt
79// BIGSIGMA1(x) = ROTR(6,x) XOR ROTR(11,x) XOR ROTR(25,x)
80// Ch(x, y, z) = (x AND y) XOR (NOT x AND z)
//   In:     AX = Wt, DI = base of the working variables; e, f, g, h are slot
//           numbers (each slot is 4 bytes), const is the round constant Kt
//   Out:    AX = T1
//   Clobb:  BX, CX, DX
// BX accumulates h + Wt + Kt + BIGSIGMA1(e); BIGSIGMA1 is built in DX and Ch in
// AX, with e reloaded from its slot for each term. The macro only reads the
// working variables; it stores nothing. Ch is evaluated with AND/NOT/XOR on
// whole words, so no branch or table lookup depends on the value of e.
81#define SHA256T1(const, e, f, g, h) \
82 MOVL (h*4)(DI), BX; \
83 ADDL AX, BX; \
84 MOVL (e*4)(DI), AX; \
85 ADDL $const, BX; \
86 MOVL (e*4)(DI), CX; \
87 RORL $6, AX; \
88 MOVL (e*4)(DI), DX; \
89 RORL $11, CX; \
90 XORL CX, AX; \
91 MOVL (e*4)(DI), CX; \
92 RORL $25, DX; \
93 ANDL (f*4)(DI), CX; \
94 XORL AX, DX; \
95 MOVL (e*4)(DI), AX; \
96 NOTL AX; \
97 ADDL DX, BX; \
98 ANDL (g*4)(DI), AX; \
99 XORL CX, AX; \
100 ADDL BX, AX
101
102// Calculate T2 in BX - uses AX, BX, CX and DX registers.
103// T2 = BIGSIGMA0(a) + Maj(a, b, c)
104// BIGSIGMA0(x) = ROTR(2,x) XOR ROTR(13,x) XOR ROTR(22,x)
105// Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
//   In:     DI = base of the working variables; a, b, c are slot numbers
//   Out:    BX = T2
//   Clobb:  AX, CX, DX
// BIGSIGMA0(a) is built in AX and Maj(a, b, c) in BX, as the XOR of the three
// pairwise ANDs. AX is overwritten here, so a caller that still needs T1 must
// save it first (SHA256ROUND spills it to the frame). The macro only reads the
// working variables.
106#define SHA256T2(a, b, c) \
107 MOVL (a*4)(DI), AX; \
108 MOVL (c*4)(DI), BX; \
109 RORL $2, AX; \
110 MOVL (a*4)(DI), DX; \
111 ANDL (b*4)(DI), BX; \
112 RORL $13, DX; \
113 MOVL (a*4)(DI), CX; \
114 ANDL (c*4)(DI), CX; \
115 XORL DX, AX; \
116 XORL CX, BX; \
117 MOVL (a*4)(DI), DX; \
118 MOVL (b*4)(DI), CX; \
119 RORL $22, DX; \
120 ANDL (a*4)(DI), CX; \
121 XORL CX, BX; \
122 XORL DX, AX; \
123 ADDL AX, BX
124
125// Calculate T1 and T2, then e = d + T1 and a = T1 + T2.
126// The values for e and a are stored in d and h, ready for rotation.
//   In:     AX = Wt, DI = base of the working variables; a..h are slot numbers
//   Out:    slot d += T1 (the new e), slot h = T1 + T2 (the new a)
//   Clobb:  AX, BX, CX, DX, and the 4-byte spill slot at 292(SP)
// T1 is parked at 292(SP) while SHA256T2 runs, because SHA256T2 overwrites AX.
// No other slot is written: the "h = g, g = f, ..." renaming of the algorithm
// is done by the call sites, which pass the slot numbers rotated by one
// position each round. The `index` parameter is not used in this body.
127#define SHA256ROUND(index, const, a, b, c, d, e, f, g, h) \
128 SHA256T1(const, e, f, g, h); \
129 MOVL AX, 292(SP); \
130 SHA256T2(a, b, c); \
131 MOVL 292(SP), AX; \
132 ADDL AX, BX; \
133 ADDL AX, (d*4)(DI); \
134 MOVL BX, (h*4)(DI)
135
// One round for 0 <= t <= 15: Wt is read from the input block (MSGSCHEDULE0
// leaves it in AX and in the schedule), then the round is applied.
136#define SHA256ROUND0(index, const, a, b, c, d, e, f, g, h) \
137 MSGSCHEDULE0(index); \
138 SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
139
// One round for 16 <= t <= 63: Wt is derived from earlier schedule entries
// (MSGSCHEDULE1 leaves it in AX and in the schedule), then the round is applied.
140#define SHA256ROUND1(index, const, a, b, c, d, e, f, g, h) \
141 MSGSCHEDULE1(index); \
142 SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
143
// block hashes every complete 64-byte block of p into the digest state at dig.
// Go assembler (Plan 9 syntax), 386: operands are source, destination.
//
// Arguments (16 bytes, read via FP):
//   dig+0(FP)     pointer to the state; H0..H7 are read and written at offsets 0..28
//   p_base+4(FP)  start of the input
//   p_len+8(FP)   input length in bytes
// NOTE(review): presumably func block(dig *digest, p []byte) as declared in
// sha256block.go - confirm there.
//
// Frame ($296 bytes), as used below:
//   0..255(SP)    message schedule W[0..63]          (BP = SP inside the loop)
//   256..287(SP)  working variables a..h, slots 0..7 (DI)
//   288(SP)       end pointer: p_base + (p_len rounded down to a multiple of 64)
//   292(SP)       T1 spill slot used by SHA256ROUND
//
// Register roles: SI = current block, DI = working variables, BP = dig while H
// is loaded/stored and the schedule base during the rounds; AX, BX, CX, DX are
// scratch.
//
// Security-relevant properties visible in this routine:
//   - The only branches (JEQ end, JB loop) compare pointers derived from p_base
//     and p_len, and every memory operand is a constant offset from SI, BP, DI
//     or SP. Neither control flow nor addresses depend on message bytes or on
//     state words.
//   - Only whole blocks are consumed: the trailing p_len mod 64 bytes are
//     ignored, so buffering and padding are the caller's responsibility.
//   - Nothing here validates dig, p_base or p_len; the routine trusts the caller
//     to pass a readable input range and a writable 32-byte state.
//   - NOTE(review): the frame is not cleared before RET, so W[0..63] and a..h of
//     the last block stay on the stack. That matters when the input is secret
//     (for example keyed hashing); confirm whether callers rely on scrubbing.
144TEXT ·block(SB),0,$296-16
145 MOVL p_base+4(FP), SI
146 MOVL p_len+8(FP), DX
147 SHRL $6, DX // shift out the low 6 bits, then shift back:
148 SHLL $6, DX // DX = p_len rounded down to a multiple of 64
149
150 LEAL (SI)(DX*1), DI // DI = end of the last complete block
151 MOVL DI, 288(SP) // keep the end pointer in the frame; DI is reused below
152 CMPL SI, DI
153 JEQ end // no complete block: return without touching dig
154
155 LEAL 256(SP), DI // variables
156
// Copy H0..H7 from the digest into the working-variable slots 0..7.
157 MOVL dig+0(FP), BP
158 MOVL (0*4)(BP), AX // a = H0
159 MOVL AX, (0*4)(DI)
160 MOVL (1*4)(BP), BX // b = H1
161 MOVL BX, (1*4)(DI)
162 MOVL (2*4)(BP), CX // c = H2
163 MOVL CX, (2*4)(DI)
164 MOVL (3*4)(BP), DX // d = H3
165 MOVL DX, (3*4)(DI)
166 MOVL (4*4)(BP), AX // e = H4
167 MOVL AX, (4*4)(DI)
168 MOVL (5*4)(BP), BX // f = H5
169 MOVL BX, (5*4)(DI)
170 MOVL (6*4)(BP), CX // g = H6
171 MOVL CX, (6*4)(DI)
172 MOVL (7*4)(BP), DX // h = H7
173 MOVL DX, (7*4)(DI)
174
// One iteration per 64-byte block. On entry SI points at the block and slots
// 0..7 hold the current state.
175loop:
176 MOVL SP, BP // message schedule
177
// Rounds 0..15 take Wt from the input block. The slot arguments are rotated by
// one position per round instead of moving the variables; after eight rounds
// the assignment is back to 0..7.
178 SHA256ROUND0(0, 0x428a2f98, 0, 1, 2, 3, 4, 5, 6, 7)
179 SHA256ROUND0(1, 0x71374491, 7, 0, 1, 2, 3, 4, 5, 6)
180 SHA256ROUND0(2, 0xb5c0fbcf, 6, 7, 0, 1, 2, 3, 4, 5)
181 SHA256ROUND0(3, 0xe9b5dba5, 5, 6, 7, 0, 1, 2, 3, 4)
182 SHA256ROUND0(4, 0x3956c25b, 4, 5, 6, 7, 0, 1, 2, 3)
183 SHA256ROUND0(5, 0x59f111f1, 3, 4, 5, 6, 7, 0, 1, 2)
184 SHA256ROUND0(6, 0x923f82a4, 2, 3, 4, 5, 6, 7, 0, 1)
185 SHA256ROUND0(7, 0xab1c5ed5, 1, 2, 3, 4, 5, 6, 7, 0)
186 SHA256ROUND0(8, 0xd807aa98, 0, 1, 2, 3, 4, 5, 6, 7)
187 SHA256ROUND0(9, 0x12835b01, 7, 0, 1, 2, 3, 4, 5, 6)
188 SHA256ROUND0(10, 0x243185be, 6, 7, 0, 1, 2, 3, 4, 5)
189 SHA256ROUND0(11, 0x550c7dc3, 5, 6, 7, 0, 1, 2, 3, 4)
190 SHA256ROUND0(12, 0x72be5d74, 4, 5, 6, 7, 0, 1, 2, 3)
191 SHA256ROUND0(13, 0x80deb1fe, 3, 4, 5, 6, 7, 0, 1, 2)
192 SHA256ROUND0(14, 0x9bdc06a7, 2, 3, 4, 5, 6, 7, 0, 1)
193 SHA256ROUND0(15, 0xc19bf174, 1, 2, 3, 4, 5, 6, 7, 0)
194
// Rounds 16..63 derive Wt from earlier schedule entries.
195 SHA256ROUND1(16, 0xe49b69c1, 0, 1, 2, 3, 4, 5, 6, 7)
196 SHA256ROUND1(17, 0xefbe4786, 7, 0, 1, 2, 3, 4, 5, 6)
197 SHA256ROUND1(18, 0x0fc19dc6, 6, 7, 0, 1, 2, 3, 4, 5)
198 SHA256ROUND1(19, 0x240ca1cc, 5, 6, 7, 0, 1, 2, 3, 4)
199 SHA256ROUND1(20, 0x2de92c6f, 4, 5, 6, 7, 0, 1, 2, 3)
200 SHA256ROUND1(21, 0x4a7484aa, 3, 4, 5, 6, 7, 0, 1, 2)
201 SHA256ROUND1(22, 0x5cb0a9dc, 2, 3, 4, 5, 6, 7, 0, 1)
202 SHA256ROUND1(23, 0x76f988da, 1, 2, 3, 4, 5, 6, 7, 0)
203 SHA256ROUND1(24, 0x983e5152, 0, 1, 2, 3, 4, 5, 6, 7)
204 SHA256ROUND1(25, 0xa831c66d, 7, 0, 1, 2, 3, 4, 5, 6)
205 SHA256ROUND1(26, 0xb00327c8, 6, 7, 0, 1, 2, 3, 4, 5)
206 SHA256ROUND1(27, 0xbf597fc7, 5, 6, 7, 0, 1, 2, 3, 4)
207 SHA256ROUND1(28, 0xc6e00bf3, 4, 5, 6, 7, 0, 1, 2, 3)
208 SHA256ROUND1(29, 0xd5a79147, 3, 4, 5, 6, 7, 0, 1, 2)
209 SHA256ROUND1(30, 0x06ca6351, 2, 3, 4, 5, 6, 7, 0, 1)
210 SHA256ROUND1(31, 0x14292967, 1, 2, 3, 4, 5, 6, 7, 0)
211 SHA256ROUND1(32, 0x27b70a85, 0, 1, 2, 3, 4, 5, 6, 7)
212 SHA256ROUND1(33, 0x2e1b2138, 7, 0, 1, 2, 3, 4, 5, 6)
213 SHA256ROUND1(34, 0x4d2c6dfc, 6, 7, 0, 1, 2, 3, 4, 5)
214 SHA256ROUND1(35, 0x53380d13, 5, 6, 7, 0, 1, 2, 3, 4)
215 SHA256ROUND1(36, 0x650a7354, 4, 5, 6, 7, 0, 1, 2, 3)
216 SHA256ROUND1(37, 0x766a0abb, 3, 4, 5, 6, 7, 0, 1, 2)
217 SHA256ROUND1(38, 0x81c2c92e, 2, 3, 4, 5, 6, 7, 0, 1)
218 SHA256ROUND1(39, 0x92722c85, 1, 2, 3, 4, 5, 6, 7, 0)
219 SHA256ROUND1(40, 0xa2bfe8a1, 0, 1, 2, 3, 4, 5, 6, 7)
220 SHA256ROUND1(41, 0xa81a664b, 7, 0, 1, 2, 3, 4, 5, 6)
221 SHA256ROUND1(42, 0xc24b8b70, 6, 7, 0, 1, 2, 3, 4, 5)
222 SHA256ROUND1(43, 0xc76c51a3, 5, 6, 7, 0, 1, 2, 3, 4)
223 SHA256ROUND1(44, 0xd192e819, 4, 5, 6, 7, 0, 1, 2, 3)
224 SHA256ROUND1(45, 0xd6990624, 3, 4, 5, 6, 7, 0, 1, 2)
225 SHA256ROUND1(46, 0xf40e3585, 2, 3, 4, 5, 6, 7, 0, 1)
226 SHA256ROUND1(47, 0x106aa070, 1, 2, 3, 4, 5, 6, 7, 0)
227 SHA256ROUND1(48, 0x19a4c116, 0, 1, 2, 3, 4, 5, 6, 7)
228 SHA256ROUND1(49, 0x1e376c08, 7, 0, 1, 2, 3, 4, 5, 6)
229 SHA256ROUND1(50, 0x2748774c, 6, 7, 0, 1, 2, 3, 4, 5)
230 SHA256ROUND1(51, 0x34b0bcb5, 5, 6, 7, 0, 1, 2, 3, 4)
231 SHA256ROUND1(52, 0x391c0cb3, 4, 5, 6, 7, 0, 1, 2, 3)
232 SHA256ROUND1(53, 0x4ed8aa4a, 3, 4, 5, 6, 7, 0, 1, 2)
233 SHA256ROUND1(54, 0x5b9cca4f, 2, 3, 4, 5, 6, 7, 0, 1)
234 SHA256ROUND1(55, 0x682e6ff3, 1, 2, 3, 4, 5, 6, 7, 0)
235 SHA256ROUND1(56, 0x748f82ee, 0, 1, 2, 3, 4, 5, 6, 7)
236 SHA256ROUND1(57, 0x78a5636f, 7, 0, 1, 2, 3, 4, 5, 6)
237 SHA256ROUND1(58, 0x84c87814, 6, 7, 0, 1, 2, 3, 4, 5)
238 SHA256ROUND1(59, 0x8cc70208, 5, 6, 7, 0, 1, 2, 3, 4)
239 SHA256ROUND1(60, 0x90befffa, 4, 5, 6, 7, 0, 1, 2, 3)
240 SHA256ROUND1(61, 0xa4506ceb, 3, 4, 5, 6, 7, 0, 1, 2)
241 SHA256ROUND1(62, 0xbef9a3f7, 2, 3, 4, 5, 6, 7, 0, 1)
242 SHA256ROUND1(63, 0xc67178f2, 1, 2, 3, 4, 5, 6, 7, 0)
243
// Fold the working variables into the state. Each sum is written both to the
// digest and back to its slot, so the next block starts from the updated H
// without reloading it.
244 MOVL dig+0(FP), BP
245 MOVL (0*4)(BP), AX // H0 = a + H0
246 ADDL (0*4)(DI), AX
247 MOVL AX, (0*4)(DI)
248 MOVL AX, (0*4)(BP)
249 MOVL (1*4)(BP), BX // H1 = b + H1
250 ADDL (1*4)(DI), BX
251 MOVL BX, (1*4)(DI)
252 MOVL BX, (1*4)(BP)
253 MOVL (2*4)(BP), CX // H2 = c + H2
254 ADDL (2*4)(DI), CX
255 MOVL CX, (2*4)(DI)
256 MOVL CX, (2*4)(BP)
257 MOVL (3*4)(BP), DX // H3 = d + H3
258 ADDL (3*4)(DI), DX
259 MOVL DX, (3*4)(DI)
260 MOVL DX, (3*4)(BP)
261 MOVL (4*4)(BP), AX // H4 = e + H4
262 ADDL (4*4)(DI), AX
263 MOVL AX, (4*4)(DI)
264 MOVL AX, (4*4)(BP)
265 MOVL (5*4)(BP), BX // H5 = f + H5
266 ADDL (5*4)(DI), BX
267 MOVL BX, (5*4)(DI)
268 MOVL BX, (5*4)(BP)
269 MOVL (6*4)(BP), CX // H6 = g + H6
270 ADDL (6*4)(DI), CX
271 MOVL CX, (6*4)(DI)
272 MOVL CX, (6*4)(BP)
273 MOVL (7*4)(BP), DX // H7 = h + H7
274 ADDL (7*4)(DI), DX
275 MOVL DX, (7*4)(DI)
276 MOVL DX, (7*4)(BP)
277
278 ADDL $64, SI // advance to the next 64-byte block
279 CMPL SI, 288(SP)
280 JB loop // unsigned compare: continue while SI is below the end pointer
281
282end:
283 RET