Botan 3.9.0
Crypto and TLS for C&
sha2_32_armv8.cpp
Go to the documentation of this file.
1/*
2* SHA-256 using CPU instructions in ARMv8
3*
4* Contributed by Jeffrey Walton. Based on public domain code by
5* Johannes Schneiders, Skip Hovsmith and Barry O'Rourke.
6*
7* Further changes (C) 2020 Jack Lloyd
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/internal/sha2_32.h>
13
14#include <botan/internal/isa_extn.h>
15#include <botan/internal/stack_scrubbing.h>
16#include <arm_neon.h>
17
18namespace Botan {
19
20/*
21* SHA-256 using CPU instructions in ARMv8
22*/
23//static
24void BOTAN_FN_ISA_SHA2 BOTAN_SCRUB_STACK_AFTER_RETURN SHA_256::compress_digest_armv8(digest_type& digest,
25 std::span<const uint8_t> input8,
26 size_t blocks) {
27 alignas(64) static const uint32_t K[] = {
28 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
29 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
30 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
31 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
32 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
33 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
34 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
35 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
36 };
37
38 // Load initial values
39 uint32x4_t STATE0 = vld1q_u32(&digest[0]);
40 uint32x4_t STATE1 = vld1q_u32(&digest[4]);
41
42 // Intermediate void* cast due to https://llvm.org/bugs/show_bug.cgi?id=20670
43 const uint32_t* input32 = reinterpret_cast<const uint32_t*>(reinterpret_cast<const void*>(input8.data()));
44
45 while(blocks > 0) {
46 // Save current state
47 const uint32x4_t ABCD_SAVE = STATE0;
48 const uint32x4_t EFGH_SAVE = STATE1;
49
50 uint32x4_t MSG0 = vld1q_u32(input32 + 0);
51 uint32x4_t MSG1 = vld1q_u32(input32 + 4);
52 uint32x4_t MSG2 = vld1q_u32(input32 + 8);
53 uint32x4_t MSG3 = vld1q_u32(input32 + 12);
54
55 MSG0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG0)));
56 MSG1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG1)));
57 MSG2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG2)));
58 MSG3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(MSG3)));
59
60 uint32x4_t MSG_K, TSTATE;
61
62 // Rounds 0-3
63 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 0]));
64 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
65 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
66 STATE0 = TSTATE;
67 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
68
69 // Rounds 4-7
70 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 1]));
71 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
72 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
73 STATE0 = TSTATE;
74 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
75
76 // Rounds 8-11
77 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 2]));
78 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
79 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
80 STATE0 = TSTATE;
81 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
82
83 // Rounds 12-15
84 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 3]));
85 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
86 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
87 STATE0 = TSTATE;
88 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
89
90 // Rounds 16-19
91 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 4]));
92 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
93 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
94 STATE0 = TSTATE;
95 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
96
97 // Rounds 20-23
98 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 5]));
99 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
100 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
101 STATE0 = TSTATE;
102 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
103
104 // Rounds 24-27
105 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 6]));
106 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
107 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
108 STATE0 = TSTATE;
109 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
110
111 // Rounds 28-31
112 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 7]));
113 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
114 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
115 STATE0 = TSTATE;
116 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
117
118 // Rounds 32-35
119 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 8]));
120 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
121 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
122 STATE0 = TSTATE;
123 MSG0 = vsha256su1q_u32(vsha256su0q_u32(MSG0, MSG1), MSG2, MSG3);
124
125 // Rounds 36-39
126 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 9]));
127 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
128 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
129 STATE0 = TSTATE;
130 MSG1 = vsha256su1q_u32(vsha256su0q_u32(MSG1, MSG2), MSG3, MSG0);
131
132 // Rounds 40-43
133 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 10]));
134 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
135 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
136 STATE0 = TSTATE;
137 MSG2 = vsha256su1q_u32(vsha256su0q_u32(MSG2, MSG3), MSG0, MSG1);
138
139 // Rounds 44-47
140 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 11]));
141 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
142 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
143 STATE0 = TSTATE;
144 MSG3 = vsha256su1q_u32(vsha256su0q_u32(MSG3, MSG0), MSG1, MSG2);
145
146 // Rounds 48-51
147 MSG_K = vaddq_u32(MSG0, vld1q_u32(&K[4 * 12]));
148 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
149 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
150 STATE0 = TSTATE;
151
152 // Rounds 52-55
153 MSG_K = vaddq_u32(MSG1, vld1q_u32(&K[4 * 13]));
154 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
155 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
156 STATE0 = TSTATE;
157
158 // Rounds 56-59
159 MSG_K = vaddq_u32(MSG2, vld1q_u32(&K[4 * 14]));
160 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
161 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
162 STATE0 = TSTATE;
163
164 // Rounds 60-63
165 MSG_K = vaddq_u32(MSG3, vld1q_u32(&K[4 * 15]));
166 TSTATE = vsha256hq_u32(STATE0, STATE1, MSG_K);
167 STATE1 = vsha256h2q_u32(STATE1, STATE0, MSG_K);
168 STATE0 = TSTATE;
169
170 // Add back to state
171 STATE0 = vaddq_u32(STATE0, ABCD_SAVE);
172 STATE1 = vaddq_u32(STATE1, EFGH_SAVE);
173
174 input32 += 64 / 4;
175 blocks--;
176 }
177
178 // Save state
179 vst1q_u32(&digest[0], STATE0);
180 vst1q_u32(&digest[4], STATE1);
181}
182
183} // namespace Botan
Botan::SHA_256::digest_type
secure_vector< uint32_t > digest_type
Definition sha2_32.h:61
Botan::SHA_256::compress_digest_armv8
static void compress_digest_armv8(digest_type &digest, std::span< const uint8_t > input, size_t blocks)
Definition sha2_32_armv8.cpp:24
BOTAN_SCRUB_STACK_AFTER_RETURN
#define BOTAN_SCRUB_STACK_AFTER_RETURN
Definition stack_scrubbing.h:33
Generated by doxygen 1.14.0