putty-source/crypto/sha512.h

/*
 * Definitions likely to be helpful to multiple SHA-512 implementations.
 */

/*
 * The 'extra' structure used by SHA-512 implementations is used to
 * include information about how to check if a given implementation is
 * available at run time, and whether we've already checked.
 */
struct sha512_extra_mutable;
struct sha512_extra {
    /* Pointer to the initial state (distinguishes SHA-384 from -512) */
    const uint64_t *initial_state;

    /* Function to check availability. Might be expensive, so we don't
     * want to call it more than once. */
    bool (*check_available)(void);

    /* Point to a writable substructure. */
    struct sha512_extra_mutable *mut;
};
struct sha512_extra_mutable {
    bool checked_availability;
    bool is_available;
};
static inline bool check_availability(const struct sha512_extra *extra)
{
    if (!extra->mut->checked_availability) {
        extra->mut->is_available = extra->check_available();
        extra->mut->checked_availability = true;
    }

    return extra->mut->is_available;
}

/*
 * Macro to define a pair of SHA-{384,512} vtables together with their
 * 'extra' structure.
 */
#define SHA512_VTABLES(impl_c, impl_display)                            \
    static struct sha512_extra_mutable sha512_ ## impl_c ## _extra_mut; \
    static const struct sha512_extra sha384_ ## impl_c ## _extra = {    \
        .initial_state = sha384_initial_state,                          \
        .check_available = sha512_ ## impl_c ## _available,             \
        .mut = &sha512_ ## impl_c ## _extra_mut,                        \
    };                                                                  \
    static const struct sha512_extra sha512_ ## impl_c ## _extra = {    \
        .initial_state = sha512_initial_state,                          \
        .check_available = sha512_ ## impl_c ## _available,             \
        .mut = &sha512_ ## impl_c ## _extra_mut,                        \
    };                                                                  \
    const ssh_hashalg ssh_sha384_ ## impl_c = {                         \
        .new = sha512_ ## impl_c ## _new,                               \
        .reset = sha512_ ## impl_c ## _reset,                           \
        .copyfrom = sha512_ ## impl_c ## _copyfrom,                     \
        .digest = sha384_ ## impl_c ## _digest,                         \
        .free = sha512_ ## impl_c ## _free,                             \
        .hlen = 48,                                                     \
        .blocklen = 128,                                                \
        HASHALG_NAMES_ANNOTATED("SHA-384", impl_display),               \
        .extra = &sha384_ ## impl_c ## _extra,                          \
    };                                                                  \
    const ssh_hashalg ssh_sha512_ ## impl_c = {                         \
        .new = sha512_ ## impl_c ## _new,                               \
        .reset = sha512_ ## impl_c ## _reset,                           \
        .copyfrom = sha512_ ## impl_c ## _copyfrom,                     \
        .digest = sha512_ ## impl_c ## _digest,                         \
        .free = sha512_ ## impl_c ## _free,                             \
        .hlen = 64,                                                     \
        .blocklen = 128,                                                \
        HASHALG_NAMES_ANNOTATED("SHA-512", impl_display),               \
        .extra = &sha512_ ## impl_c ## _extra,                          \
    }

extern const uint64_t sha512_initial_state[8];
extern const uint64_t sha384_initial_state[8];
extern const uint64_t sha512_round_constants[80];

#define SHA512_ROUNDS 80

typedef struct sha512_block sha512_block;
struct sha512_block {
    uint8_t block[128];
    size_t used;
    uint64_t lenhi, lenlo;
};

static inline void sha512_block_setup(sha512_block *blk)
{
    blk->used = 0;
    blk->lenhi = blk->lenlo = 0;
}

static inline bool sha512_block_write(
    sha512_block *blk, const void **vdata, size_t *len)
{
    size_t blkleft = sizeof(blk->block) - blk->used;
    size_t chunk = *len < blkleft ? *len : blkleft;

    const uint8_t *p = *vdata;
    memcpy(blk->block + blk->used, p, chunk);
    *vdata = p + chunk;
    *len -= chunk;
    blk->used += chunk;

    size_t chunkbits = chunk << 3;

    blk->lenlo += chunkbits;
    blk->lenhi += (blk->lenlo < chunkbits);

    if (blk->used == sizeof(blk->block)) {
        blk->used = 0;
        return true;
    }

    return false;
}

static inline void sha512_block_pad(sha512_block *blk, BinarySink *bs)
{
    uint64_t final_lenhi = blk->lenhi;
    uint64_t final_lenlo = blk->lenlo;
    size_t pad = 127 & (111 - blk->used);

    put_byte(bs, 0x80);
    put_padding(bs, pad, 0);
    put_uint64(bs, final_lenhi);
    put_uint64(bs, final_lenlo);

    assert(blk->used == 0 && "Should have exactly hit a block boundary");
}
Break up crypto modules containing HW acceleration. This applies to all of AES, SHA-1, SHA-256 and SHA-512. All those source files previously contained multiple implementations of the algorithm, enabled or disabled by ifdefs detecting whether they would work on a given compiler. And in order to get advanced machine instructions like AES-NI or NEON crypto into the output file when the compile flags hadn't enabled them, we had to do nasty stuff with compiler-specific pragmas or attributes. Now we can do the detection at cmake time, and enable advanced instructions in the more sensible way, by compile-time flags. So I've broken up each of these modules into lots of sub-pieces: a file called (e.g.) 'foo-common.c' containing common definitions across all implementations (such as round constants), one called 'foo-select.c' containing the top-level vtable(s), and a separate file for each implementation exporting just the vtable(s) for that implementation. One advantage of this is that it depends a lot less on compiler- specific bodgery. My particular least favourite part of the previous setup was the part where I had to _manually_ define some Arm ACLE feature macros before including <arm_neon.h>, so that it would define the intrinsics I wanted. Now I'm enabling interesting architecture features in the normal way, on the compiler command line, there's no need for that kind of trick: the right feature macros are already defined and <arm_neon.h> does the right thing. Another change in this reorganisation is that I've stopped assuming there's just one hardware implementation per platform. Previously, the accelerated vtables were called things like sha256_hw, and varied between FOO-NI and NEON depending on platform; and the selection code would simply ask 'is hw available? if so, use hw, else sw'. Now, each HW acceleration strategy names its vtable its own way, and the selection vtable has a whole list of possibilities to iterate over looking for a supported one. So if someone feels like writing a second accelerated implementation of something for a given platform - for example, I've heard you can use plain NEON to speed up AES somewhat even without the crypto extension - then it will now have somewhere to drop in alongside the existing ones. 2021-04-19 05:42:12 +00:00			`/*`
			`* Definitions likely to be helpful to multiple SHA-512 implementations.`
			`*/`

			`/*`
			`* The 'extra' structure used by SHA-512 implementations is used to`
			`* include information about how to check if a given implementation is`
			`* available at run time, and whether we've already checked.`
			`*/`
			`struct sha512_extra_mutable;`
			`struct sha512_extra {`
			`/* Pointer to the initial state (distinguishes SHA-384 from -512) */`
			`const uint64_t *initial_state;`

			`/* Function to check availability. Might be expensive, so we don't`
			`* want to call it more than once. */`
			`bool (*check_available)(void);`

			`/* Point to a writable substructure. */`
			`struct sha512_extra_mutable *mut;`
			`};`
			`struct sha512_extra_mutable {`
			`bool checked_availability;`
			`bool is_available;`
			`};`
			`static inline bool check_availability(const struct sha512_extra *extra)`
			`{`
			`if (!extra->mut->checked_availability) {`
			`extra->mut->is_available = extra->check_available();`
			`extra->mut->checked_availability = true;`
			`}`

			`return extra->mut->is_available;`
			`}`

			`/*`
			`* Macro to define a pair of SHA-{384,512} vtables together with their`
			`* 'extra' structure.`
			`*/`
			`#define SHA512_VTABLES(impl_c, impl_display) \`
			`static struct sha512_extra_mutable sha512_ ## impl_c ## _extra_mut; \`
			`static const struct sha512_extra sha384_ ## impl_c ## _extra = { \`
			`.initial_state = sha384_initial_state, \`
			`.check_available = sha512_ ## impl_c ## _available, \`
			`.mut = &sha512_ ## impl_c ## _extra_mut, \`
			`}; \`
			`static const struct sha512_extra sha512_ ## impl_c ## _extra = { \`
			`.initial_state = sha512_initial_state, \`
			`.check_available = sha512_ ## impl_c ## _available, \`
			`.mut = &sha512_ ## impl_c ## _extra_mut, \`
			`}; \`
			`const ssh_hashalg ssh_sha384_ ## impl_c = { \`
			`.new = sha512_ ## impl_c ## _new, \`
			`.reset = sha512_ ## impl_c ## _reset, \`
			`.copyfrom = sha512_ ## impl_c ## _copyfrom, \`
			`.digest = sha384_ ## impl_c ## _digest, \`
			`.free = sha512_ ## impl_c ## _free, \`
			`.hlen = 48, \`
			`.blocklen = 128, \`
			`HASHALG_NAMES_ANNOTATED("SHA-384", impl_display), \`
			`.extra = &sha384_ ## impl_c ## _extra, \`
			`}; \`
			`const ssh_hashalg ssh_sha512_ ## impl_c = { \`
			`.new = sha512_ ## impl_c ## _new, \`
			`.reset = sha512_ ## impl_c ## _reset, \`
			`.copyfrom = sha512_ ## impl_c ## _copyfrom, \`
			`.digest = sha512_ ## impl_c ## _digest, \`
			`.free = sha512_ ## impl_c ## _free, \`
			`.hlen = 64, \`
			`.blocklen = 128, \`
			`HASHALG_NAMES_ANNOTATED("SHA-512", impl_display), \`
			`.extra = &sha512_ ## impl_c ## _extra, \`
			`}`

			`extern const uint64_t sha512_initial_state[8];`
			`extern const uint64_t sha384_initial_state[8];`
			`extern const uint64_t sha512_round_constants[80];`

			`#define SHA512_ROUNDS 80`

			`typedef struct sha512_block sha512_block;`
			`struct sha512_block {`
			`uint8_t block[128];`
			`size_t used;`
			`uint64_t lenhi, lenlo;`
			`};`

			`static inline void sha512_block_setup(sha512_block *blk)`
			`{`
			`blk->used = 0;`
			`blk->lenhi = blk->lenlo = 0;`
			`}`

			`static inline bool sha512_block_write(`
			`sha512_block blk, const void vdata, size_t len)`
			`{`
			`size_t blkleft = sizeof(blk->block) - blk->used;`
			`size_t chunk = len < blkleft ? len : blkleft;`

			`const uint8_t p = vdata;`
			`memcpy(blk->block + blk->used, p, chunk);`
			`*vdata = p + chunk;`
			`*len -= chunk;`
			`blk->used += chunk;`

			`size_t chunkbits = chunk << 3;`

			`blk->lenlo += chunkbits;`
			`blk->lenhi += (blk->lenlo < chunkbits);`

			`if (blk->used == sizeof(blk->block)) {`
			`blk->used = 0;`
			`return true;`
			`}`

			`return false;`
			`}`

			`static inline void sha512_block_pad(sha512_block blk, BinarySink bs)`
			`{`
			`uint64_t final_lenhi = blk->lenhi;`
			`uint64_t final_lenlo = blk->lenlo;`
			`size_t pad = 127 & (111 - blk->used);`

			`put_byte(bs, 0x80);`
			`put_padding(bs, pad, 0);`
			`put_uint64(bs, final_lenhi);`
			`put_uint64(bs, final_lenlo);`

			`assert(blk->used == 0 && "Should have exactly hit a block boundary");`
			`}`