diff options
| -rw-r--r-- | doc/manual/filters.rst | 13 | ||||
| -rw-r--r-- | doc/mistakes.rst | 50 | ||||
| -rw-r--r-- | doc/todo.rst | 2 | ||||
| -rw-r--r-- | src/build-data/policy/bsi.txt | 3 | ||||
| -rw-r--r-- | src/build-data/policy/modern.txt | 3 | ||||
| -rw-r--r-- | src/build-data/policy/nist.txt | 3 | ||||
| -rw-r--r-- | src/lib/hash/sha2_32/sha2_32.cpp | 40 | ||||
| -rw-r--r-- | src/lib/hash/sha2_32/sha2_32.h | 4 | ||||
| -rw-r--r-- | src/lib/hash/sha2_64/sha2_64.cpp | 58 | ||||
| -rw-r--r-- | src/lib/hash/sha2_64/sha2_64.h | 18 | ||||
| -rw-r--r-- | src/lib/hash/sha2_64/sha2_64_bmi2/info.txt | 15 | ||||
| -rw-r--r-- | src/lib/hash/sha2_64/sha2_64_bmi2/sha2_64_bmi2.cpp | 152 | ||||
| -rw-r--r-- | src/lib/hash/sha3/sha3.cpp | 20 | ||||
| -rw-r--r-- | src/lib/hash/sha3/sha3.h | 5 | ||||
| -rw-r--r-- | src/lib/hash/sha3/sha3_bmi2/info.txt | 15 | ||||
| -rw-r--r-- | src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp | 96 | ||||
| -rw-r--r-- | src/tests/data/hash/sha2_64.vec | 2 | ||||
| -rw-r--r-- | src/tests/data/hash/sha3.vec | 2 |
18 files changed, 491 insertions, 10 deletions
diff --git a/doc/manual/filters.rst b/doc/manual/filters.rst index 6b867159b..04baebf5d 100644 --- a/doc/manual/filters.rst +++ b/doc/manual/filters.rst @@ -253,6 +253,9 @@ in raw binary. In many situations you'll want to perform a sequence of operations on multiple branches of the fork; in which case, use the filter described in :ref:`chain`. +There is also a ``Threaded_Fork`` which acts the same as ``Fork``, +except it runs each of the filters in its own thread. + .. _chain: Chain @@ -683,6 +686,10 @@ as simple as possible to write new filter types. There are four functions that need to be implemented by a class deriving from ``Filter``: +.. cpp:function:: std::string Filter::name() const + + This should just return a useful decription of the filter object. + .. cpp:function:: void Filter::write(const uint8_t* input, size_t length) This function is what is called when a filter receives input for it @@ -699,6 +706,12 @@ functions that need to be implemented by a class deriving from also a version of ``send`` taking a single byte argument, as a convenience. + .. note:: + + Normally a filter does not need to override ``send``, though it + can for special handling. It does however need to call this + function whenever it wants to produce output. + .. cpp:function:: void Filter::start_msg() Implementing this function is optional. Implement it if your filter diff --git a/doc/mistakes.rst b/doc/mistakes.rst new file mode 100644 index 000000000..662aa8b81 --- /dev/null +++ b/doc/mistakes.rst @@ -0,0 +1,50 @@ + +These are mistakes made early on in the project's history which are difficult to +fix now, but mentioned in the hope they may serve as an example for others. + +C++ API +--------- + +As an implementation language, I still think C++ is the best choice (or at least +the best choice available in early '00s) at offering good performance, +reasonable abstractions, and low overhead. But the user API should have been +pure C with opaque structs (rather like the FFI layer, which was added much +later). Then an expressive C++ API could be built on top of the C API. This +would have given us a stable ABI, allowed C applications to use the library, and +(these days) make it easier to progressively rewrite the library in Rust. + +Exceptions +----------- + +Constant ABI headaches from this, and it impacts performance and makes APIs +harder to understand. Should have been handled with a result<> type instead. + +Virtual inheritence +--------------------- + +This was used in the public key interfaces and the hierarchy is a tangle. +Public and private keys should be distinct classes, with a function on private +keys that creates a new object cooresponding to the public key. + +Cipher Interface +------------------ + +The cipher interface taking a secure_vector that it reads from and writes to was +an artifact of an earlier design which supported both compression and encryption +in a single API. But it leads to inefficient copies. + +(I am hoping this issue can be somewhat fixed by introducing a new cipher API +and implementing the old API in terms of the new one.) + +Pipe Interface +---------------- + +On the surface this API seems very convenient and easy to use. And it is. But +the downside is it makes the application code totally opaque; some bytes go into +a Pipe object and then come out the end transformed in some way. What happens in +between? Unless the Pipe was built in the same function and you can see the +parameters to the constructor, there is no way to find out. + +The problems with the Pipe API are documented, and it is no longer used within +the library itself. But since many people seem to like it and many applications +use it, we are stuck at least with maintaining it as it currently exists. diff --git a/doc/todo.rst b/doc/todo.rst index 963a0bed5..b35f2938e 100644 --- a/doc/todo.rst +++ b/doc/todo.rst @@ -29,6 +29,7 @@ Ciphers, Hashes, PBKDF * SHA-512 using BMI2+AVX2 * Constant time DES using BMI2 * Threefish-1024 +* SIMD evaluation of SHA-2 and SHA-3 compression functions Public Key Crypto, Math ---------------------------------------- @@ -53,6 +54,7 @@ Public Key Crypto, Math Utility Functions ------------------ +* Thread pool Multiparty Protocols ---------------------- diff --git a/src/build-data/policy/bsi.txt b/src/build-data/policy/bsi.txt index 763ca69e1..04a29b817 100644 --- a/src/build-data/policy/bsi.txt +++ b/src/build-data/policy/bsi.txt @@ -63,6 +63,9 @@ pmull # hash sha2_32_x86 sha2_32_armv8 +sha2_32_bmi2 +sha2_64_bmi2 +sha3_bmi2 # entropy sources dev_random diff --git a/src/build-data/policy/modern.txt b/src/build-data/policy/modern.txt index 5f33211f7..b417a2342 100644 --- a/src/build-data/policy/modern.txt +++ b/src/build-data/policy/modern.txt @@ -73,6 +73,9 @@ sha1_x86 sha1_armv8 sha2_32_x86 sha2_32_armv8 +sha2_32_bmi2 +sha2_64_bmi2 +sha3_bmi2 simd diff --git a/src/build-data/policy/nist.txt b/src/build-data/policy/nist.txt index 157fc8247..573c1c721 100644 --- a/src/build-data/policy/nist.txt +++ b/src/build-data/policy/nist.txt @@ -58,6 +58,9 @@ sha1_x86 sha1_armv8 sha2_32_x86 sha2_32_armv8 +sha2_32_bmi2 +sha2_64_bmi2 +sha3_bmi2 # modes clmul diff --git a/src/lib/hash/sha2_32/sha2_32.cpp b/src/lib/hash/sha2_32/sha2_32.cpp index 9f1cfd2dc..1f1ab69f4 100644 --- a/src/lib/hash/sha2_32/sha2_32.cpp +++ b/src/lib/hash/sha2_32/sha2_32.cpp @@ -12,6 +12,36 @@ namespace Botan { +namespace { + +std::string sha256_provider() + { +#if defined(BOTAN_HAS_SHA2_32_X86) + if(CPUID::has_intel_sha()) + { + return "shani"; + } +#endif + +#if defined(BOTAN_HAS_SHA2_32_X86_BMI2) + if(CPUID::has_bmi2()) + { + return "bmi2"; + } +#endif + +#if defined(BOTAN_HAS_SHA2_32_ARMV8) + if(CPUID::has_arm_sha2()) + { + return "armv8"; + } +#endif + + return "base"; + } + +} + std::unique_ptr<HashFunction> SHA_224::copy_state() const { return std::unique_ptr<HashFunction>(new SHA_224(*this)); @@ -170,6 +200,16 @@ void SHA_256::compress_digest(secure_vector<uint32_t>& digest, } } +std::string SHA_224::provider() const + { + return sha256_provider(); + } + +std::string SHA_256::provider() const + { + return sha256_provider(); + } + /* * SHA-224 compression function */ diff --git a/src/lib/hash/sha2_32/sha2_32.h b/src/lib/hash/sha2_32/sha2_32.h index bc883f77a..7a3fce9d2 100644 --- a/src/lib/hash/sha2_32/sha2_32.h +++ b/src/lib/hash/sha2_32/sha2_32.h @@ -26,6 +26,8 @@ class BOTAN_PUBLIC_API(2,0) SHA_224 final : public MDx_HashFunction void clear() override; + std::string provider() const override; + SHA_224() : MDx_HashFunction(64, true, true), m_digest(8) { clear(); } private: @@ -48,6 +50,8 @@ class BOTAN_PUBLIC_API(2,0) SHA_256 final : public MDx_HashFunction void clear() override; + std::string provider() const override; + SHA_256() : MDx_HashFunction(64, true, true), m_digest(8) { clear(); } diff --git a/src/lib/hash/sha2_64/sha2_64.cpp b/src/lib/hash/sha2_64/sha2_64.cpp index e614e6b28..e554b3aa5 100644 --- a/src/lib/hash/sha2_64/sha2_64.cpp +++ b/src/lib/hash/sha2_64/sha2_64.cpp @@ -7,9 +7,26 @@ #include <botan/sha2_64.h> #include <botan/rotate.h> +#include <botan/cpuid.h> namespace Botan { +namespace { + +std::string sha512_provider() + { +#if defined(BOTAN_HAS_SHA2_64_BMI2) + if(CPUID::has_bmi2()) + { + return "bmi2"; + } +#endif + + return "base"; + } + +} + std::unique_ptr<HashFunction> SHA_384::copy_state() const { return std::unique_ptr<HashFunction>(new SHA_384(*this)); @@ -25,8 +42,6 @@ std::unique_ptr<HashFunction> SHA_512_256::copy_state() const return std::unique_ptr<HashFunction>(new SHA_512_256(*this)); } -namespace { - /* * SHA-512 F1 Function * @@ -48,12 +63,20 @@ namespace { /* * SHA-{384,512} Compression Function */ -void SHA64_compress(secure_vector<uint64_t>& digest, - const uint8_t input[], size_t blocks) +//static +void SHA_512::compress_digest(secure_vector<uint64_t>& digest, + const uint8_t input[], size_t blocks) { +#if defined(BOTAN_HAS_SHA2_64_BMI2) + if(CPUID::has_bmi2()) + { + return compress_digest_bmi2(digest, input, blocks); + } +#endif + uint64_t A = digest[0], B = digest[1], C = digest[2], - D = digest[3], E = digest[4], F = digest[5], - G = digest[6], H = digest[7]; + D = digest[3], E = digest[4], F = digest[5], + G = digest[6], H = digest[7]; for(size_t i = 0; i != blocks; ++i) { @@ -168,21 +191,36 @@ void SHA64_compress(secure_vector<uint64_t>& digest, } } -} +#undef SHA2_64_F + +std::string SHA_512_256::provider() const + { + return sha512_provider(); + } + +std::string SHA_384::provider() const + { + return sha512_provider(); + } + +std::string SHA_512::provider() const + { + return sha512_provider(); + } void SHA_512_256::compress_n(const uint8_t input[], size_t blocks) { - SHA64_compress(m_digest, input, blocks); + SHA_512::compress_digest(m_digest, input, blocks); } void SHA_384::compress_n(const uint8_t input[], size_t blocks) { - SHA64_compress(m_digest, input, blocks); + SHA_512::compress_digest(m_digest, input, blocks); } void SHA_512::compress_n(const uint8_t input[], size_t blocks) { - SHA64_compress(m_digest, input, blocks); + SHA_512::compress_digest(m_digest, input, blocks); } void SHA_512_256::copy_out(uint8_t output[]) diff --git a/src/lib/hash/sha2_64/sha2_64.h b/src/lib/hash/sha2_64/sha2_64.h index cbe1ad70b..ec3512dfc 100644 --- a/src/lib/hash/sha2_64/sha2_64.h +++ b/src/lib/hash/sha2_64/sha2_64.h @@ -22,6 +22,7 @@ class BOTAN_PUBLIC_API(2,0) SHA_384 final : public MDx_HashFunction size_t output_length() const override { return 48; } HashFunction* clone() const override { return new SHA_384; } std::unique_ptr<HashFunction> copy_state() const override; + std::string provider() const override; void clear() override; @@ -44,15 +45,31 @@ class BOTAN_PUBLIC_API(2,0) SHA_512 final : public MDx_HashFunction size_t output_length() const override { return 64; } HashFunction* clone() const override { return new SHA_512; } std::unique_ptr<HashFunction> copy_state() const override; + std::string provider() const override; void clear() override; + /* + * Perform a SHA-512 compression. For internal use + */ + static void compress_digest(secure_vector<uint64_t>& digest, + const uint8_t input[], + size_t blocks); + SHA_512() : MDx_HashFunction(128, true, true, 16), m_digest(8) { clear(); } private: void compress_n(const uint8_t[], size_t blocks) override; void copy_out(uint8_t[]) override; + static const uint64_t K[80]; + +#if defined(BOTAN_HAS_SHA2_64_BMI2) + static void compress_digest_bmi2(secure_vector<uint64_t>& digest, + const uint8_t input[], + size_t blocks); +#endif + secure_vector<uint64_t> m_digest; }; @@ -66,6 +83,7 @@ class BOTAN_PUBLIC_API(2,0) SHA_512_256 final : public MDx_HashFunction size_t output_length() const override { return 32; } HashFunction* clone() const override { return new SHA_512_256; } std::unique_ptr<HashFunction> copy_state() const override; + std::string provider() const override; void clear() override; diff --git a/src/lib/hash/sha2_64/sha2_64_bmi2/info.txt b/src/lib/hash/sha2_64/sha2_64_bmi2/info.txt new file mode 100644 index 000000000..08e97e172 --- /dev/null +++ b/src/lib/hash/sha2_64/sha2_64_bmi2/info.txt @@ -0,0 +1,15 @@ +<defines> +SHA2_64_BMI2 -> 20190117 +</defines> + +need_isa bmi2 + +# Needs 64-bit registers to be useful +<arch> +x86_64 +</arch> + +<cc> +gcc +clang +</cc> diff --git a/src/lib/hash/sha2_64/sha2_64_bmi2/sha2_64_bmi2.cpp b/src/lib/hash/sha2_64/sha2_64_bmi2/sha2_64_bmi2.cpp new file mode 100644 index 000000000..202dadbbe --- /dev/null +++ b/src/lib/hash/sha2_64/sha2_64_bmi2/sha2_64_bmi2.cpp @@ -0,0 +1,152 @@ +/* +* (C) 2019 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/sha2_64.h> +#include <botan/rotate.h> + +namespace Botan { + +/* +* SHA-512 F1 Function +* +* Use a macro as many compilers won't inline a function this big, +* even though it is much faster if inlined. +*/ +#define SHA2_64_F(A, B, C, D, E, F, G, H, M1, M2, M3, M4, magic) \ + do { \ + const uint64_t E_rho = rotr<14>(E) ^ rotr<18>(E) ^ rotr<41>(E); \ + const uint64_t A_rho = rotr<28>(A) ^ rotr<34>(A) ^ rotr<39>(A); \ + const uint64_t M2_sigma = rotr<19>(M2) ^ rotr<61>(M2) ^ (M2 >> 6); \ + const uint64_t M4_sigma = rotr<1>(M4) ^ rotr<8>(M4) ^ (M4 >> 7); \ + H += magic + E_rho + ((E & F) ^ (~E & G)) + M1; \ + D += H; \ + H += A_rho + ((A & B) | ((A | B) & C)); \ + M1 += M2_sigma + M3 + M4_sigma; \ + } while(0); + +void SHA_512::compress_digest_bmi2(secure_vector<uint64_t>& digest, + const uint8_t input[], size_t blocks) + { + uint64_t A = digest[0], B = digest[1], C = digest[2], + D = digest[3], E = digest[4], F = digest[5], + G = digest[6], H = digest[7]; + + for(size_t i = 0; i != blocks; ++i) + { + uint64_t W00 = load_be<uint64_t>(input, 0); + uint64_t W01 = load_be<uint64_t>(input, 1); + uint64_t W02 = load_be<uint64_t>(input, 2); + uint64_t W03 = load_be<uint64_t>(input, 3); + uint64_t W04 = load_be<uint64_t>(input, 4); + uint64_t W05 = load_be<uint64_t>(input, 5); + uint64_t W06 = load_be<uint64_t>(input, 6); + uint64_t W07 = load_be<uint64_t>(input, 7); + uint64_t W08 = load_be<uint64_t>(input, 8); + uint64_t W09 = load_be<uint64_t>(input, 9); + uint64_t W10 = load_be<uint64_t>(input, 10); + uint64_t W11 = load_be<uint64_t>(input, 11); + uint64_t W12 = load_be<uint64_t>(input, 12); + uint64_t W13 = load_be<uint64_t>(input, 13); + uint64_t W14 = load_be<uint64_t>(input, 14); + uint64_t W15 = load_be<uint64_t>(input, 15); + + SHA2_64_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x428A2F98D728AE22); + SHA2_64_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x7137449123EF65CD); + SHA2_64_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0xB5C0FBCFEC4D3B2F); + SHA2_64_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0xE9B5DBA58189DBBC); + SHA2_64_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x3956C25BF348B538); + SHA2_64_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x59F111F1B605D019); + SHA2_64_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x923F82A4AF194F9B); + SHA2_64_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0xAB1C5ED5DA6D8118); + SHA2_64_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xD807AA98A3030242); + SHA2_64_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x12835B0145706FBE); + SHA2_64_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x243185BE4EE4B28C); + SHA2_64_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x550C7DC3D5FFB4E2); + SHA2_64_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x72BE5D74F27B896F); + SHA2_64_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0x80DEB1FE3B1696B1); + SHA2_64_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x9BDC06A725C71235); + SHA2_64_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC19BF174CF692694); + SHA2_64_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0xE49B69C19EF14AD2); + SHA2_64_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0xEFBE4786384F25E3); + SHA2_64_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x0FC19DC68B8CD5B5); + SHA2_64_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x240CA1CC77AC9C65); + SHA2_64_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x2DE92C6F592B0275); + SHA2_64_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4A7484AA6EA6E483); + SHA2_64_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5CB0A9DCBD41FBD4); + SHA2_64_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x76F988DA831153B5); + SHA2_64_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x983E5152EE66DFAB); + SHA2_64_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA831C66D2DB43210); + SHA2_64_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xB00327C898FB213F); + SHA2_64_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xBF597FC7BEEF0EE4); + SHA2_64_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xC6E00BF33DA88FC2); + SHA2_64_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD5A79147930AA725); + SHA2_64_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x06CA6351E003826F); + SHA2_64_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x142929670A0E6E70); + SHA2_64_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x27B70A8546D22FFC); + SHA2_64_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x2E1B21385C26C926); + SHA2_64_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x4D2C6DFC5AC42AED); + SHA2_64_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x53380D139D95B3DF); + SHA2_64_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x650A73548BAF63DE); + SHA2_64_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x766A0ABB3C77B2A8); + SHA2_64_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x81C2C92E47EDAEE6); + SHA2_64_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x92722C851482353B); + SHA2_64_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xA2BFE8A14CF10364); + SHA2_64_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA81A664BBC423001); + SHA2_64_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xC24B8B70D0F89791); + SHA2_64_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xC76C51A30654BE30); + SHA2_64_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xD192E819D6EF5218); + SHA2_64_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD69906245565A910); + SHA2_64_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xF40E35855771202A); + SHA2_64_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x106AA07032BBD1B8); + SHA2_64_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x19A4C116B8D2D0C8); + SHA2_64_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x1E376C085141AB53); + SHA2_64_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x2748774CDF8EEB99); + SHA2_64_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x34B0BCB5E19B48A8); + SHA2_64_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x391C0CB3C5C95A63); + SHA2_64_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4ED8AA4AE3418ACB); + SHA2_64_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5B9CCA4F7763E373); + SHA2_64_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x682E6FF3D6B2B8A3); + SHA2_64_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x748F82EE5DEFB2FC); + SHA2_64_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x78A5636F43172F60); + SHA2_64_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x84C87814A1F0AB72); + SHA2_64_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x8CC702081A6439EC); + SHA2_64_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x90BEFFFA23631E28); + SHA2_64_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xA4506CEBDE82BDE9); + SHA2_64_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xBEF9A3F7B2C67915); + SHA2_64_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC67178F2E372532B); + SHA2_64_F(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0xCA273ECEEA26619C); + SHA2_64_F(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0xD186B8C721C0C207); + SHA2_64_F(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0xEADA7DD6CDE0EB1E); + SHA2_64_F(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0xF57D4F7FEE6ED178); + SHA2_64_F(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x06F067AA72176FBA); + SHA2_64_F(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x0A637DC5A2C898A6); + SHA2_64_F(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x113F9804BEF90DAE); + SHA2_64_F(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x1B710B35131C471B); + SHA2_64_F(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x28DB77F523047D84); + SHA2_64_F(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x32CAAB7B40C72493); + SHA2_64_F(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x3C9EBE0A15C9BEBC); + SHA2_64_F(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x431D67C49C100D4C); + SHA2_64_F(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x4CC5D4BECB3E42B6); + SHA2_64_F(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0x597F299CFC657E2A); + SHA2_64_F(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x5FCB6FAB3AD6FAEC); + SHA2_64_F(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x6C44198C4A475817); + + A = (digest[0] += A); + B = (digest[1] += B); + C = (digest[2] += C); + D = (digest[3] += D); + E = (digest[4] += E); + F = (digest[5] += F); + G = (digest[6] += G); + H = (digest[7] += H); + + input += 128; + } + } + +#undef SHA2_64_F + +} diff --git a/src/lib/hash/sha3/sha3.cpp b/src/lib/hash/sha3/sha3.cpp index 09c2d8c1b..837768f85 100644 --- a/src/lib/hash/sha3/sha3.cpp +++ b/src/lib/hash/sha3/sha3.cpp @@ -8,12 +8,20 @@ #include <botan/sha3.h> #include <botan/rotate.h> #include <botan/exceptn.h> +#include <botan/cpuid.h> namespace Botan { //static void SHA_3::permute(uint64_t A[25]) { +#if defined(BOTAN_HAS_SHA3_BMI2) + if(CPUID::has_bmi2()) + { + return permute_bmi2(A); + } +#endif + static const uint64_t RC[24] = { 0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 0x000000000000808B, 0x0000000080000001, @@ -198,6 +206,18 @@ std::string SHA_3::name() const return "SHA-3(" + std::to_string(m_output_bits) + ")"; } +std::string SHA_3::provider() const + { +#if defined(BOTAN_HAS_SHA3_BMI2) + if(CPUID::has_bmi2()) + { + return "bmi2"; + } +#endif + + return "base"; + } + std::unique_ptr<HashFunction> SHA_3::copy_state() const { return std::unique_ptr<HashFunction>(new SHA_3(*this)); diff --git a/src/lib/hash/sha3/sha3.h b/src/lib/hash/sha3/sha3.h index a3a666971..310468599 100644 --- a/src/lib/hash/sha3/sha3.h +++ b/src/lib/hash/sha3/sha3.h @@ -34,6 +34,7 @@ class BOTAN_PUBLIC_API(2,0) SHA_3 : public HashFunction std::unique_ptr<HashFunction> copy_state() const override; std::string name() const override; void clear() override; + std::string provider() const override; // Static functions for internal usage @@ -83,6 +84,10 @@ class BOTAN_PUBLIC_API(2,0) SHA_3 : public HashFunction void add_data(const uint8_t input[], size_t length) override; void final_result(uint8_t out[]) override; +#if defined(BOTAN_HAS_SHA3_BMI2) + static void permute_bmi2(uint64_t A[25]); +#endif + size_t m_output_bits, m_bitrate; secure_vector<uint64_t> m_S; size_t m_S_pos; diff --git a/src/lib/hash/sha3/sha3_bmi2/info.txt b/src/lib/hash/sha3/sha3_bmi2/info.txt new file mode 100644 index 000000000..46a5e7234 --- /dev/null +++ b/src/lib/hash/sha3/sha3_bmi2/info.txt @@ -0,0 +1,15 @@ +<defines> +SHA3_BMI2 -> 20190117 +</defines> + +need_isa bmi2 + +# Needs 64-bit registers to be useful +<arch> +x86_64 +</arch> + +<cc> +gcc +clang +</cc> diff --git a/src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp b/src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp new file mode 100644 index 000000000..f2161b9ba --- /dev/null +++ b/src/lib/hash/sha3/sha3_bmi2/sha3_bmi2.cpp @@ -0,0 +1,96 @@ +/* +* SHA-3 +* (C) 2019 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/sha3.h> +#include <botan/rotate.h> + +namespace Botan { + +void SHA_3::permute_bmi2(uint64_t A[25]) + { + static const uint64_t RC[24] = { + 0x0000000000000001, 0x0000000000008082, 0x800000000000808A, + 0x8000000080008000, 0x000000000000808B, 0x0000000080000001, + 0x8000000080008081, 0x8000000000008009, 0x000000000000008A, + 0x0000000000000088, 0x0000000080008009, 0x000000008000000A, + 0x000000008000808B, 0x800000000000008B, 0x8000000000008089, + 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, + 0x000000000000800A, 0x800000008000000A, 0x8000000080008081, + 0x8000000000008080, 0x0000000080000001, 0x8000000080008008 + }; + + for(size_t i = 0; i != 24; ++i) + { + const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20]; + const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21]; + const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22]; + const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23]; + const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24]; + + const uint64_t D0 = rotl<1>(C0) ^ C3; + const uint64_t D1 = rotl<1>(C1) ^ C4; + const uint64_t D2 = rotl<1>(C2) ^ C0; + const uint64_t D3 = rotl<1>(C3) ^ C1; + const uint64_t D4 = rotl<1>(C4) ^ C2; + + const uint64_t B00 = A[ 0] ^ D1; + const uint64_t B10 = rotl< 1>(A[ 1] ^ D2); + const uint64_t B20 = rotl<62>(A[ 2] ^ D3); + const uint64_t B05 = rotl<28>(A[ 3] ^ D4); + const uint64_t B15 = rotl<27>(A[ 4] ^ D0); + const uint64_t B16 = rotl<36>(A[ 5] ^ D1); + const uint64_t B01 = rotl<44>(A[ 6] ^ D2); + const uint64_t B11 = rotl< 6>(A[ 7] ^ D3); + const uint64_t B21 = rotl<55>(A[ 8] ^ D4); + const uint64_t B06 = rotl<20>(A[ 9] ^ D0); + const uint64_t B07 = rotl< 3>(A[10] ^ D1); + const uint64_t B17 = rotl<10>(A[11] ^ D2); + const uint64_t B02 = rotl<43>(A[12] ^ D3); + const uint64_t B12 = rotl<25>(A[13] ^ D4); + const uint64_t B22 = rotl<39>(A[14] ^ D0); + const uint64_t B23 = rotl<41>(A[15] ^ D1); + const uint64_t B08 = rotl<45>(A[16] ^ D2); + const uint64_t B18 = rotl<15>(A[17] ^ D3); + const uint64_t B03 = rotl<21>(A[18] ^ D4); + const uint64_t B13 = rotl< 8>(A[19] ^ D0); + const uint64_t B14 = rotl<18>(A[20] ^ D1); + const uint64_t B24 = rotl< 2>(A[21] ^ D2); + const uint64_t B09 = rotl<61>(A[22] ^ D3); + const uint64_t B19 = rotl<56>(A[23] ^ D4); + const uint64_t B04 = rotl<14>(A[24] ^ D0); + + A[ 0] = B00 ^ (~B01 & B02); + A[ 1] = B01 ^ (~B02 & B03); + A[ 2] = B02 ^ (~B03 & B04); + A[ 3] = B03 ^ (~B04 & B00); + A[ 4] = B04 ^ (~B00 & B01); + A[ 5] = B05 ^ (~B06 & B07); + A[ 6] = B06 ^ (~B07 & B08); + A[ 7] = B07 ^ (~B08 & B09); + A[ 8] = B08 ^ (~B09 & B05); + A[ 9] = B09 ^ (~B05 & B06); + A[10] = B10 ^ (~B11 & B12); + A[11] = B11 ^ (~B12 & B13); + A[12] = B12 ^ (~B13 & B14); + A[13] = B13 ^ (~B14 & B10); + A[14] = B14 ^ (~B10 & B11); + A[15] = B15 ^ (~B16 & B17); + A[16] = B16 ^ (~B17 & B18); + A[17] = B17 ^ (~B18 & B19); + A[18] = B18 ^ (~B19 & B15); + A[19] = B19 ^ (~B15 & B16); + A[20] = B20 ^ (~B21 & B22); + A[21] = B21 ^ (~B22 & B23); + A[22] = B22 ^ (~B23 & B24); + A[23] = B23 ^ (~B24 & B20); + A[24] = B24 ^ (~B20 & B21); + + A[0] ^= RC[i]; + } + } + +} diff --git a/src/tests/data/hash/sha2_64.vec b/src/tests/data/hash/sha2_64.vec index 5498201ec..85eae0867 100644 --- a/src/tests/data/hash/sha2_64.vec +++ b/src/tests/data/hash/sha2_64.vec @@ -1,3 +1,5 @@ +#cpuid bmi2 + [SHA-384] In = Out = 38B060A751AC96384CD9327EB1B1E36A21FDB71114BE07434C0CC7BF63F6E1DA274EDEBFE76F65FBD51AD2F14898B95B diff --git a/src/tests/data/hash/sha3.vec b/src/tests/data/hash/sha3.vec index af39ec6f8..0b36b6166 100644 --- a/src/tests/data/hash/sha3.vec +++ b/src/tests/data/hash/sha3.vec @@ -1,3 +1,5 @@ +#cpuid bmi2 + [SHA-3(224)] In = Out = 6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7 |