1 // SPDX-License-Identifier: GPL-2.0
3 * SHA1 routine optimized to do word accesses rather than byte accesses,
4 * and to avoid unnecessary copies into the context array.
6 * This was based on the git SHA1 implementation.
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/bitops.h>
12 #include <linux/string.h>
13 #include <crypto/sha1.h>
14 #include <asm/unaligned.h>
17 * If you have 32 registers or more, the compiler can (and should)
18 * try to change the array[] accesses into registers. However, on
19 * machines with less than ~25 registers, that won't really work,
20 * and at least gcc will make an unholy mess of it.
22 * So to avoid that mess which just slows things down, we force
23 * the stores to memory to actually happen (we might be better off
24 * with a 'W(t)=(val);asm("":"+m" (W(t))' there instead, as
25 * suggested by Artur Skawina - that will also make gcc unable to
26 * try to do the silly "optimize away loads" part because it won't
27 * see what the value will be).
29 * Ben Herrenschmidt reports that on PPC, the C version comes close
30 * to the optimized asm with this (ie on PPC you don't want that
31 * 'volatile', since there are lots of registers).
33 * On ARM we get the best code generation by forcing a full memory barrier
34 * between each SHA_ROUND, otherwise gcc happily get wild with spilling and
35 * the stack frame size simply explode and performance goes down the drain.
39 #define setW(x, val) (*(volatile __u32 *)&W(x) = (val))
40 #elif defined(CONFIG_ARM)
41 #define setW(x, val) do { W(x) = (val); __asm__("":::"memory"); } while (0)
43 #define setW(x, val) (W(x) = (val))
46 /* This "rolls" over the 512-bit array */
47 #define W(x) (array[(x)&15])
50 * Where do we get the source from? The first 16 iterations get it from
51 * the input data, the next mix it from the 512-bit array.
53 #define SHA_SRC(t) get_unaligned_be32((__u32 *)data + t)
54 #define SHA_MIX(t) rol32(W(t+13) ^ W(t+8) ^ W(t+2) ^ W(t), 1)
56 #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
57 __u32 TEMP = input(t); setW(t, TEMP); \
58 E += TEMP + rol32(A,5) + (fn) + (constant); \
60 TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0)
62 #define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
63 #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
64 #define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eba1, A, B, C, D, E )
65 #define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E )
66 #define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E )
69 * sha1_transform - single block SHA1 transform (deprecated)
71 * @digest: 160 bit digest to update
72 * @data: 512 bits of data to hash
73 * @array: 16 words of workspace (see note)
75 * This function executes SHA-1's internal compression function. It updates the
76 * 160-bit internal state (@digest) with a single 512-bit data block (@data).
78 * Don't use this function. SHA-1 is no longer considered secure. And even if
79 * you do have to use SHA-1, this isn't the correct way to hash something with
80 * SHA-1 as this doesn't handle padding and finalization.
82 * Note: If the hash is security sensitive, the caller should be sure
83 * to clear the workspace. This is left to the caller to avoid
84 * unnecessary clears between chained hashing operations.
86 void sha1_transform(__u32 *digest, const char *data, __u32 *array)
97 /* Round 1 - iterations 0-16 take their input from 'data' */
99 T_0_15(i, A, B, C, D, E);
101 /* Round 1 - tail. Input from 512-bit mixing array */
103 T_16_19(i, A, B, C, D, E);
107 T_20_39(i, A, B, C, D, E);
111 T_40_59(i, A, B, C, D, E);
115 T_60_79(i, A, B, C, D, E);
123 EXPORT_SYMBOL(sha1_transform);
126 * sha1_init - initialize the vectors for a SHA1 digest
127 * @buf: vector to initialize
129 void sha1_init(__u32 *buf)
137 EXPORT_SYMBOL(sha1_init);