1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5//go:build !purego
6
7// SHA256 block routine. See sha256block.go for Go equivalent.
8//
9// The algorithm is detailed in FIPS 180-4:
10//
11// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
12//
13// Wt = Mt; for 0 <= t <= 15
14// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
15//
16// a = H0
17// b = H1
18// c = H2
19// d = H3
20// e = H4
21// f = H5
22// g = H6
23// h = H7
24//
25// for t = 0 to 63 {
26// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt
27// T2 = BIGSIGMA0(a) + Maj(a,b,c)
28// h = g
29// g = f
30// f = e
31// e = d + T1
32// d = c
33// c = b
34// b = a
35// a = T1 + T2
36// }
37//
38// H0 = a + H0
39// H1 = b + H1
40// H2 = c + H2
41// H3 = d + H3
42// H4 = e + H4
43// H5 = f + H5
44// H6 = g + H6
45// H7 = h + H7
46
// MSGSCHEDULE0 produces message schedule word Wt for the first 16 rounds.
// Wt = Mt; for 0 <= t <= 15
//
// In:    SI = pointer to the current 64-byte message block
//        BP = base of the message schedule array W
// Out:   AX = Wt, also stored at (index*4)(BP)
// Uses:  AX
//
// The word is loaded from byte offset index*4 of the block and its byte
// order is reversed with BSWAPL before it is stored (FIPS 180-4 defines
// the message words as big-endian; x86 loads are little-endian).
// Wt is deliberately left in AX because SHA256T1 takes Wt in AX.
//
// The load is not bounds-checked here: it is only safe because the
// enclosing routine advances SI in whole 64-byte steps and stops at an end
// pointer derived from the length rounded down to a multiple of 64.
#define MSGSCHEDULE0(index) \
	MOVL (index*4)(SI), AX; \
	BSWAPL AX; \
	MOVL AX, (index*4)(BP)
52
// MSGSCHEDULE1 produces message schedule word Wt for rounds 16..63.
// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
// SIGMA0(x) = ROTR(7,x) XOR ROTR(18,x) XOR SHR(3,x)
// SIGMA1(x) = ROTR(17,x) XOR ROTR(19,x) XOR SHR(10,x)
//
// In:    BP = base of the message schedule array W; entries index-16,
//        index-15, index-7 and index-2 must already be filled in
// Out:   AX = Wt, also stored at ((index)*4)(BP)
// Uses:  AX, BX, CX, DX
//
// Register roles: AX accumulates SIGMA1(Wt-2) and then the running sum,
// BX accumulates SIGMA0(Wt-15) + Wt-16, and CX/DX hold the rotated and
// shifted copies. The SIGMA1 and SIGMA0 instruction streams are
// interleaved, so the statement order below is not grouped by formula term.
//
// Every rotate and shift count is an immediate and every address depends
// only on the macro argument, so this macro contains no branch and no
// memory access indexed by message data.
#define MSGSCHEDULE1(index) \
	MOVL ((index-2)*4)(BP), AX; \
	MOVL AX, CX; \
	RORL $17, AX; \
	MOVL CX, DX; \
	RORL $19, CX; \
	SHRL $10, DX; \
	MOVL ((index-15)*4)(BP), BX; \
	XORL CX, AX; \
	MOVL BX, CX; \
	XORL DX, AX; \
	RORL $7, BX; \
	MOVL CX, DX; \
	SHRL $3, DX; \
	RORL $18, CX; \
	ADDL ((index-7)*4)(BP), AX; \
	XORL CX, BX; \
	XORL DX, BX; \
	ADDL ((index-16)*4)(BP), BX; \
	ADDL BX, AX; \
	MOVL AX, ((index)*4)(BP)
77
// Calculate T1 in AX - uses AX, BX, CX and DX registers.
// Wt is passed in AX.
// T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt
// BIGSIGMA1(x) = ROTR(6,x) XOR ROTR(11,x) XOR ROTR(25,x)
// Ch(x, y, z) = (x AND y) XOR (NOT x AND z)
//
// In:    AX = Wt
//        DI = base of the eight 32-bit working-variable slots
//        e, f, g, h = slot indexes (each slot is read at (n*4)(DI))
//        const = round constant Kt, added as an immediate
// Out:   AX = T1
// Uses:  AX, BX, CX, DX
//
// Register roles: BX accumulates h + Wt + Kt + BIGSIGMA1(e); DX builds
// BIGSIGMA1(e); CX holds (e AND f); AX ends up holding (NOT e AND g)
// XOR (e AND f) before BX is added into it. The working variables are only
// read here, never written.
//
// Ch is computed with AND/NOT/XOR rather than a select or branch on e, and
// all rotate counts are immediates, so the macro has no data-dependent
// branch or address.
#define SHA256T1(const, e, f, g, h) \
	MOVL (h*4)(DI), BX; \
	ADDL AX, BX; \
	MOVL (e*4)(DI), AX; \
	ADDL $const, BX; \
	MOVL (e*4)(DI), CX; \
	RORL $6, AX; \
	MOVL (e*4)(DI), DX; \
	RORL $11, CX; \
	XORL CX, AX; \
	MOVL (e*4)(DI), CX; \
	RORL $25, DX; \
	ANDL (f*4)(DI), CX; \
	XORL AX, DX; \
	MOVL (e*4)(DI), AX; \
	NOTL AX; \
	ADDL DX, BX; \
	ANDL (g*4)(DI), AX; \
	XORL CX, AX; \
	ADDL BX, AX
103
// Calculate T2 in BX - uses AX, BX, CX and DX registers.
// T2 = BIGSIGMA0(a) + Maj(a, b, c)
// BIGSIGMA0(x) = ROTR(2,x) XOR ROTR(13,x) XOR ROTR(22,x)
// Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
//
// In:    DI = base of the eight 32-bit working-variable slots
//        a, b, c = slot indexes (each slot is read at (n*4)(DI))
// Out:   BX = T2
// Uses:  AX, BX, CX, DX
//
// Register roles: AX builds BIGSIGMA0(a); BX builds Maj(a, b, c) from the
// three AND terms (b AND c), (a AND c), (a AND b); CX and DX are scratch.
// AX is overwritten on the first instruction, so a T1 value left in AX by
// SHA256T1 must be saved before this macro runs. The working variables are
// only read here, never written.
#define SHA256T2(a, b, c) \
	MOVL (a*4)(DI), AX; \
	MOVL (c*4)(DI), BX; \
	RORL $2, AX; \
	MOVL (a*4)(DI), DX; \
	ANDL (b*4)(DI), BX; \
	RORL $13, DX; \
	MOVL (a*4)(DI), CX; \
	ANDL (c*4)(DI), CX; \
	XORL DX, AX; \
	XORL CX, BX; \
	MOVL (a*4)(DI), DX; \
	MOVL (b*4)(DI), CX; \
	RORL $22, DX; \
	ANDL (a*4)(DI), CX; \
	XORL CX, BX; \
	XORL DX, AX; \
	ADDL AX, BX
126
// Calculate T1 and T2, then e = d + T1 and a = T1 + T2.
// The values for e and a are stored in d and h, ready for rotation.
//
// In:    AX = Wt (left there by MSGSCHEDULE0 / MSGSCHEDULE1)
//        DI = base of the eight 32-bit working-variable slots
//        a..h = slot indexes for this round; const = round constant Kt
// Uses:  AX, BX, CX, DX and the 4-byte stack slot at 292(SP)
//
// T1 is spilled to 292(SP) because SHA256T2 overwrites AX. After the
// reload, slot d becomes d + T1 (the next round's e) and slot h becomes
// T1 + T2 (the next round's a); no other slot is written. The a..h
// rotation of the specification is therefore never performed as data
// movement: the caller passes the slot indexes rotated by one position on
// each successive round instead.
//
// The index argument is not referenced in this macro's body.
//
// 292(SP) holds a state-derived intermediate and is not cleared by this
// macro.
#define SHA256ROUND(index, const, a, b, c, d, e, f, g, h) \
	SHA256T1(const, e, f, g, h); \
	MOVL AX, 292(SP); \
	SHA256T2(a, b, c); \
	MOVL 292(SP), AX; \
	ADDL AX, BX; \
	ADDL AX, (d*4)(DI); \
	MOVL BX, (h*4)(DI)
137
// SHA256ROUND0 is one round for t = 0..15: MSGSCHEDULE0 loads and
// byte-swaps message word `index` into the schedule and leaves it in AX,
// then SHA256ROUND consumes it as Wt. Needs SI (message block), BP
// (schedule base) and DI (working-variable base) to be set up by the
// caller. Uses AX, BX, CX, DX and the spill slot at 292(SP).
#define SHA256ROUND0(index, const, a, b, c, d, e, f, g, h) \
	MSGSCHEDULE0(index); \
	SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
141
// SHA256ROUND1 is one round for t = 16..63: MSGSCHEDULE1 derives schedule
// word `index` from earlier schedule entries and leaves it in AX, then
// SHA256ROUND consumes it as Wt. Needs BP (schedule base) and DI
// (working-variable base) to be set up by the caller; schedule entries
// index-16, index-15, index-7 and index-2 must already be written.
// Uses AX, BX, CX, DX and the spill slot at 292(SP).
#define SHA256ROUND1(index, const, a, b, c, d, e, f, g, h) \
	MSGSCHEDULE1(index); \
	SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
145
// block runs the SHA-256 compression function over every whole 64-byte
// block of p and updates the digest state in place.
//
// Arguments (16 bytes, read with 32-bit loads):
//   dig+0(FP)     pointer whose first eight 32-bit words are H0..H7
//   p_base+4(FP)  start of the input bytes
//   p_len+8(FP)   input length in bytes
//   The remaining 4 argument bytes are not read here (presumably the
//   capacity of p - confirm against the Go declaration).
//
// Frame layout (296 bytes):
//   0..255(SP)    message schedule W[0..63]
//   256..287(SP)  working variables a..h (slots 0..7, addressed via DI)
//   288(SP)       end pointer: p_base + (p_len rounded down to 64)
//   292(SP)       T1 spill slot used by SHA256ROUND
//
// Register roles inside the loop: SI = current block, BP = schedule base,
// DI = working-variable base, AX/BX/CX/DX = scratch.
//
// Length handling: p_len is rounded down to a multiple of 64, so trailing
// bytes of a partial block are ignored; padding and buffering are the
// caller's responsibility. If no whole block is present the routine
// returns without reading or writing the digest state.
//
// NOTE(review): nothing here clears the frame before RET. The schedule
// (which begins with a byte-swapped copy of the last message block), the
// final working variables and the T1 spill slot stay in stack memory until
// that memory is reused. Callers hashing secret material should not assume
// this routine scrubs its intermediates.
TEXT ·block(SB),0,$296-16
	MOVL p_base+4(FP), SI
	MOVL p_len+8(FP), DX
	SHRL $6, DX // DX = number of whole 64-byte blocks
	SHLL $6, DX // DX = byte length of those blocks (low 6 bits dropped)

	// End pointer = base + rounded length. This is a 32-bit add; it assumes
	// the input range does not wrap the address space.
	LEAL (SI)(DX*1), DI
	MOVL DI, 288(SP)
	CMPL SI, DI
	JEQ end // rounded length is zero: nothing to hash

	LEAL 256(SP), DI // variables

	// Copy H0..H7 from the digest state into the working-variable slots.
	MOVL dig+0(FP), BP
	MOVL (0*4)(BP), AX // a = H0
	MOVL AX, (0*4)(DI)
	MOVL (1*4)(BP), BX // b = H1
	MOVL BX, (1*4)(DI)
	MOVL (2*4)(BP), CX // c = H2
	MOVL CX, (2*4)(DI)
	MOVL (3*4)(BP), DX // d = H3
	MOVL DX, (3*4)(DI)
	MOVL (4*4)(BP), AX // e = H4
	MOVL AX, (4*4)(DI)
	MOVL (5*4)(BP), BX // f = H5
	MOVL BX, (5*4)(DI)
	MOVL (6*4)(BP), CX // g = H6
	MOVL CX, (6*4)(DI)
	MOVL (7*4)(BP), DX // h = H7
	MOVL DX, (7*4)(DI)

loop:
	// BP was used for dig above and at the bottom of the loop, so it is
	// re-pointed at the schedule on every iteration.
	MOVL SP, BP // message schedule

	// Rounds 0..15: Wt comes straight from the message block at SI.
	// The eight slot-index arguments rotate right by one each round and
	// return to 0,1,...,7 every eighth round.
	SHA256ROUND0(0, 0x428a2f98, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND0(1, 0x71374491, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND0(2, 0xb5c0fbcf, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND0(3, 0xe9b5dba5, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND0(4, 0x3956c25b, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND0(5, 0x59f111f1, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND0(6, 0x923f82a4, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND0(7, 0xab1c5ed5, 1, 2, 3, 4, 5, 6, 7, 0)
	SHA256ROUND0(8, 0xd807aa98, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND0(9, 0x12835b01, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND0(10, 0x243185be, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND0(11, 0x550c7dc3, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND0(12, 0x72be5d74, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND0(13, 0x80deb1fe, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND0(14, 0x9bdc06a7, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND0(15, 0xc19bf174, 1, 2, 3, 4, 5, 6, 7, 0)

	// Rounds 16..63: Wt is derived from earlier schedule entries.
	SHA256ROUND1(16, 0xe49b69c1, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND1(17, 0xefbe4786, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND1(18, 0x0fc19dc6, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND1(19, 0x240ca1cc, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND1(20, 0x2de92c6f, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND1(21, 0x4a7484aa, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND1(22, 0x5cb0a9dc, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND1(23, 0x76f988da, 1, 2, 3, 4, 5, 6, 7, 0)
	SHA256ROUND1(24, 0x983e5152, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND1(25, 0xa831c66d, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND1(26, 0xb00327c8, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND1(27, 0xbf597fc7, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND1(28, 0xc6e00bf3, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND1(29, 0xd5a79147, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND1(30, 0x06ca6351, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND1(31, 0x14292967, 1, 2, 3, 4, 5, 6, 7, 0)
	SHA256ROUND1(32, 0x27b70a85, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND1(33, 0x2e1b2138, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND1(34, 0x4d2c6dfc, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND1(35, 0x53380d13, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND1(36, 0x650a7354, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND1(37, 0x766a0abb, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND1(38, 0x81c2c92e, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND1(39, 0x92722c85, 1, 2, 3, 4, 5, 6, 7, 0)
	SHA256ROUND1(40, 0xa2bfe8a1, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND1(41, 0xa81a664b, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND1(42, 0xc24b8b70, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND1(43, 0xc76c51a3, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND1(44, 0xd192e819, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND1(45, 0xd6990624, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND1(46, 0xf40e3585, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND1(47, 0x106aa070, 1, 2, 3, 4, 5, 6, 7, 0)
	SHA256ROUND1(48, 0x19a4c116, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND1(49, 0x1e376c08, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND1(50, 0x2748774c, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND1(51, 0x34b0bcb5, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND1(52, 0x391c0cb3, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND1(53, 0x4ed8aa4a, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND1(54, 0x5b9cca4f, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND1(55, 0x682e6ff3, 1, 2, 3, 4, 5, 6, 7, 0)
	SHA256ROUND1(56, 0x748f82ee, 0, 1, 2, 3, 4, 5, 6, 7)
	SHA256ROUND1(57, 0x78a5636f, 7, 0, 1, 2, 3, 4, 5, 6)
	SHA256ROUND1(58, 0x84c87814, 6, 7, 0, 1, 2, 3, 4, 5)
	SHA256ROUND1(59, 0x8cc70208, 5, 6, 7, 0, 1, 2, 3, 4)
	SHA256ROUND1(60, 0x90befffa, 4, 5, 6, 7, 0, 1, 2, 3)
	SHA256ROUND1(61, 0xa4506ceb, 3, 4, 5, 6, 7, 0, 1, 2)
	SHA256ROUND1(62, 0xbef9a3f7, 2, 3, 4, 5, 6, 7, 0, 1)
	SHA256ROUND1(63, 0xc67178f2, 1, 2, 3, 4, 5, 6, 7, 0)

	// Fold the working variables back into the digest state. Each sum is
	// written to both the digest word and the working-variable slot, so the
	// slots already hold H0..H7 when the next block starts.
	MOVL dig+0(FP), BP
	MOVL (0*4)(BP), AX // H0 = a + H0
	ADDL (0*4)(DI), AX
	MOVL AX, (0*4)(DI)
	MOVL AX, (0*4)(BP)
	MOVL (1*4)(BP), BX // H1 = b + H1
	ADDL (1*4)(DI), BX
	MOVL BX, (1*4)(DI)
	MOVL BX, (1*4)(BP)
	MOVL (2*4)(BP), CX // H2 = c + H2
	ADDL (2*4)(DI), CX
	MOVL CX, (2*4)(DI)
	MOVL CX, (2*4)(BP)
	MOVL (3*4)(BP), DX // H3 = d + H3
	ADDL (3*4)(DI), DX
	MOVL DX, (3*4)(DI)
	MOVL DX, (3*4)(BP)
	MOVL (4*4)(BP), AX // H4 = e + H4
	ADDL (4*4)(DI), AX
	MOVL AX, (4*4)(DI)
	MOVL AX, (4*4)(BP)
	MOVL (5*4)(BP), BX // H5 = f + H5
	ADDL (5*4)(DI), BX
	MOVL BX, (5*4)(DI)
	MOVL BX, (5*4)(BP)
	MOVL (6*4)(BP), CX // H6 = g + H6
	ADDL (6*4)(DI), CX
	MOVL CX, (6*4)(DI)
	MOVL CX, (6*4)(BP)
	MOVL (7*4)(BP), DX // H7 = h + H7
	ADDL (7*4)(DI), DX
	MOVL DX, (7*4)(DI)
	MOVL DX, (7*4)(BP)

	ADDL $64, SI // advance to the next 64-byte block
	CMPL SI, 288(SP)
	JB loop // unsigned compare: continue while SI is below the end pointer

end:
	RET