3 This file is part of the AVR-Crypto-Lib.
4 Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de)
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 * License: GPLv3 or later
24 ; SHA1 implementation in assembler for AVR
29 /* push r18 - r27, r30 - r31*/
108 /* X points to Block */
109 .macro dbg_hexdump length
129 ; [h0][h1][h2][h3][h4][length]
130 ; hn is 32 bit large, length is 64 bit large
132 ;###########################################################
134 .global sha1_ctx2hash
135 ; === sha1_ctx2hash ===
136 ; this function converts a state into a normal hash (bytestring)
137 ; param1: the 16-bit destination pointer
138 ; given in r25,r24 (r25 is most significant)
139 ; param2: the 16-bit pointer to sha1_ctx structure
160 ;###########################################################
164 ; this function calculates SHA-1 hashes from messages in RAM
165 ; param1: the 16-bit hash destination pointer
166 ; given in r25,r24 (r25 is most significant)
167 ; param2: the 16-bit pointer to message
169 ; param3: 32-bit length value (length of message in bits)
170 ; given in r21,r20,r19,r18
195 movw r8, r18 /* backup of length*/
198 movw r12, r22 /* backup pf msg-ptr */
202 /* if length >= 512 */
252 ;###########################################################
255 ; block MUST NOT be larger than 64 bytes
257 .global sha1_lastBlock
258 ; === sha1_lastBlock ===
259 ; this function does padding & Co. for calculating SHA-1 hashes
260 ; param1: the 16-bit pointer to sha1_ctx structure
261 ; given in r25,r24 (r25 is most significant)
262 ; param2: an 16-bit pointer to 64 byte block to hash
264 ; param3: an 16-bit integer specifing length of block in bits
266 sha1_lastBlock_localSpace = (SHA1_BLOCK_BITS/8+1)
271 brlo sha1_lastBlock_prolog
290 sha1_lastBlock_prolog:
291 /* allocate space on stack */
296 sbci r31, hi8(64) /* ??? */
302 adiw r30, 1 /* SP points to next free byte on stack */
303 mov r18, r20 /* r20 = LSB(length) */
307 bst r21, 0 /* may be we should explain this ... */
308 bld r18, 5 /* now: r18 == length/8 (aka. length in bytes) */
311 movw r26, r22 /* X points to begin of msg */
313 breq sha1_lastBlock_post_copy
315 sha1_lastBlock_copy_loop:
319 brne sha1_lastBlock_copy_loop
320 sha1_lastBlock_post_copy:
321 sha1_lastBlock_insert_stuffing_bit:
325 and r19, r20 /* if we are in bitmode */
326 breq 2f /* no bitmode */
332 /* maybe we should do some ANDing here, just for safety */
338 /* checking stuff here */
341 rjmp sha1_lastBlock_insert_zeros
343 /* oh shit, we landed here */
344 /* first we have to fill it up with zeros */
371 /* now we should subtract 512 from length */
373 adiw r26, 4*5+1 /* we can skip the lowest byte */
385 ; clr r18 /* not neccessary ;-) */
386 /* reset Z pointer to begin of block */
388 sha1_lastBlock_insert_zeros:
391 breq sha1_lastBlock_insert_length
394 st Z+, r1 /* r1 is still zero */
398 ; rjmp sha1_lastBlock_epilog
399 sha1_lastBlock_insert_length:
400 movw r26, r24 /* X points to state */
401 adiw r26, 5*4 /* X points to (state.length) */
402 adiw r30, 8 /* Z points one after the last byte of block */
421 sha1_lastBlock_epilog:
425 adiw r30, 63 ; lo8(64)
426 adiw r30, 1 ; hi8(64)
436 ;###########################################################
438 .global sha1_nextBlock
439 ; === sha1_nextBlock ===
440 ; this is the core function for calculating SHA-1 hashes
441 ; param1: the 16-bit pointer to sha1_ctx structure
442 ; given in r25,r24 (r25 is most significant)
443 ; param2: an 16-bit pointer to 64 byte block to hash
445 sha1_nextBlock_localSpace = (16+5+1)*4 ; 16 32-bit values for w array and 5 32-bit values for a array (total 84 byte)
466 /* byteorder: high number <--> high significance */
468 ; initial, let's make some space ready for local vars
469 /* replace push & pop by mem ops? */
482 movw r18, r20 ;backup SP
483 ; movw r26, r20 ; X points to free space on stack /* maybe removeable? */
484 movw r30, r22 ; Z points to message
485 subi r20, lo8(sha1_nextBlock_localSpace) ;sbiw can do only up to 63
486 sbci r21, hi8(sha1_nextBlock_localSpace)
487 movw r26, r20 ; X points to free space on stack
489 cli ; we want to be uninterrupted while updating SP
495 push r19 /* push old SP on new stack */
497 push r25 /* param1 will be needed later */
499 /* load a[] with state */
500 movw 28, r24 /* load pointer to state in Y */
509 movw W1, r26 /* save pointer to w[0] */
510 /* load w[] with endian fixed message */
511 /* we might also use the changeendian32() function at bottom */
512 movw r30, r22 /* mv param2 (ponter to msg) to Z */
527 ;clr LoopC /* LoopC is named t in FIPS 180-2 */
529 sha1_nextBlock_mainloop:
533 andi S, 0x3C /* S is a bytepointer so *4 */
536 add r26, S /* X points at w[s] */
563 brlt sha1_nextBlock_mainloop_core
572 1: /* this might be "outsourced" to save the jump above */
587 2: /* now we just hav to do a ROTL(T) and save T back */
602 sha1_nextBlock_mainloop_core: /* ther core function; T=ROTL5(a) ....*/
603 /* T already contains w[s] */
605 sbiw r26, 4*1 /* X points at a[4] aka e */
613 adc T4, tmp1 /* T = w[s]+e */
614 sbiw r26, 4*5 /* X points at a[0] aka a */
619 mov tmp1, F4 /* X points at a[1] aka b */
633 adc T4, F4 /* T = ROTL(a,5) + e + w[s] */
635 /* now we have to do this fucking conditional stuff */
636 ldi r30, lo8(sha1_nextBlock_xTable)
637 ldi r31, hi8(sha1_nextBlock_xTable)
644 1: ldi r30, lo8(sha1_nextBlock_KTable)
645 ldi r31, hi8(sha1_nextBlock_KTable)
661 /* T = ROTL(a,5) + e + kt + w[s] */
663 /* Z-4 is just pointing to kt ... */
664 movw r28, r26 /* copy X in Y */
665 adiw r30, 3*4 /* now Z points to the rigth locatin in our jump-vector-table */
680 adc T4, tmp1 /* T = ROTL5(a) + f_t(b,c,d) + e + k_t + w[s] */
681 /* X points still at a[1] aka b, Y points at a[2] aka c */
683 sha1_nextBlock_update_a:
684 /*first we move all vars in a[] "one up" e=d, d=c, c=b, b=a*/
685 //adiw r28, 3*4 /* Y should point at a[4] aka e */
695 /* Y points at a[0] aka a*/
699 /* store T in a[0] aka a */
704 /* Y points at a[1] aka b*/
736 rjmp sha1_nextBlock_mainloop
737 /**************************************/
742 /* add a[] to state and inc length */
744 pop r26 /* now X points to state (and Y still at a[0]) */
757 /* now length += 512 */
758 adiw r26, 1 /* we skip the least significant byte */
760 ldi tmp2, hi8(512) /* 2 */
772 sha1_nextBlock_epilog:
773 /* now we should clean up the stack */
777 cli ; we want to be uninterrupted while updating SP
795 sha1_nextBlock_xTable:
797 sha1_nextBlock_KTable:
802 sha1_nextBlock_JumpTable:
803 rjmp sha1_nextBlock_Ch
805 rjmp sha1_nextBlock_Parity
807 rjmp sha1_nextBlock_Maj
809 rjmp sha1_nextBlock_Parity
811 /* X and Y still point at a[1] aka b ; return value in tmp1 */
816 ldd tmp3, Y+3 /* load from c */
818 ldd tmp3, Y+7 /* load from d */
826 ldd tmp3, Y+3 /* load from c */
828 ldd tmp4, Y+7 /* load from d */
835 sha1_nextBlock_Parity:
837 ldd tmp2, Y+3 /* load from c */
839 ldd tmp2, Y+7 /* load from d */
843 ch_str: .asciz "\r\nCh"
844 maj_str: .asciz "\r\nMaj"
845 parity_str: .asciz "\r\nParity"
847 ;###########################################################
850 ;void sha1_init(sha1_ctx_t *state){
851 ; DEBUG_S("\r\nSHA1_INIT");
852 ; state->h[0] = 0x67452301;
853 ; state->h[1] = 0xefcdab89;
854 ; state->h[2] = 0x98badcfe;
855 ; state->h[3] = 0x10325476;
856 ; state->h[4] = 0xc3d2e1f0;
859 ; param1: (Func3,r24) 16-bit pointer to sha1_ctx_t struct in ram
860 ; modifys: Z(r30,r31), Func1, r22
862 movw r26, r24 ; (24,25) --> (26,27) load X with param1
863 ldi r30, lo8((sha1_init_vector))
864 ldi r31, hi8((sha1_init_vector))
865 ldi r22, 5*4 /* bytes to copy */
projects / avr-crypto-lib.git / blob