mirror of
https://github.com/git/git.git
synced 2024-05-07 10:26:08 +02:00
9dc523aa0e
Remove the PPC_SHA1 implementation added ina6ef3518f9([PATCH] PPC assembly implementation of SHA1, 2005-04-22). When this was added Apple consumer hardware used the PPC architecture, and the implementation was intended to improve SHA-1 speed there. Since it was added we've moved to using sha1collisiondetection by default, and anyone wanting hard-rolled non-DC SHA-1 implementation can use OpenSSL's via the OPENSSL_SHA1 knob. The PPC_SHA1 originally originally targeted 32 bit PPC, and later the 64 bit PPC 970 (a.k.a. Apple PowerPC G5). See926172c5e4(block-sha1: improve code on large-register-set machines, 2009-08-10) for a reference about the performance on G5 (a comment in block-sha1/sha1.c being removed here). I can't get it to do anything but segfault on both the BE and LE POWER machines in the GCC compile farm[1]. Anyone who's concerned about performance on PPC these days is likely to be using the IBM POWER processors. There have been proposals to entirely remove non-sha1collisiondetection implementations from the tree[2]. I think per [3] that would be a bit overzealous. I.e. there are various set-ups git's speed is going to be more important than the relatively implausible SHA-1 collision attack, or where such attacks are entirely mitigated by other means (e.g. by incoming objects being checked with DC_SHA1). But that really doesn't apply to PPC_SHA1 in particular, which seems to have outlived its usefulness. As this gets rid of the only in-tree *.S assembly file we can remove the small bits of logic from the Makefile needed to build objects from *.S (as opposed to *.c) The code being removed here was also throwing warnings with the "-pedantic" flag, it could have been fixed as544d93bc3b(block-sha1: remove use of obsolete x86 assembly, 2022-03-10) did for block-sha1/*, but as noted above let's remove it instead. 1. https://cfarm.tetaneutral.net/machines/list/ Tested on gcc{110,112,135,203}, a mixture of POWER [789] ppc64 and ppc64le. All segfault in anything needing object hashing (e.g. t/t1007-hash-object.sh) when compiled with PPC_SHA1=Y. 2. https://lore.kernel.org/git/20200223223758.120941-1-mh@glandium.org/ 3. https://lore.kernel.org/git/20200224044732.GK1018190@coredump.intra.peff.net/ Acked-by: brian m. carlson" <sandals@crustytoothpaste.net> Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
231 lines
6.6 KiB
C
231 lines
6.6 KiB
C
/*
|
|
* SHA1 routine optimized to do word accesses rather than byte accesses,
|
|
* and to avoid unnecessary copies into the context array.
|
|
*
|
|
* This was initially based on the Mozilla SHA1 implementation, although
|
|
* none of the original Mozilla code remains.
|
|
*/
|
|
|
|
/* this is only to get definitions for memcpy(), ntohl() and htonl() */
|
|
#include "../git-compat-util.h"
|
|
|
|
#include "sha1.h"
|
|
|
|
#define SHA_ROT(X,l,r) (((X) << (l)) | ((X) >> (r)))
|
|
#define SHA_ROL(X,n) SHA_ROT(X,n,32-(n))
|
|
#define SHA_ROR(X,n) SHA_ROT(X,32-(n),n)
|
|
|
|
/*
|
|
* If you have 32 registers or more, the compiler can (and should)
|
|
* try to change the array[] accesses into registers. However, on
|
|
* machines with less than ~25 registers, that won't really work,
|
|
* and at least gcc will make an unholy mess of it.
|
|
*
|
|
* So to avoid that mess which just slows things down, we force
|
|
* the stores to memory to actually happen (we might be better off
|
|
* with a 'W(t)=(val);asm("":"+m" (W(t))' there instead, as
|
|
* suggested by Artur Skawina - that will also make gcc unable to
|
|
* try to do the silly "optimize away loads" part because it won't
|
|
* see what the value will be).
|
|
*
|
|
* On ARM we get the best code generation by forcing a full memory barrier
|
|
* between each SHA_ROUND, otherwise gcc happily get wild with spilling and
|
|
* the stack frame size simply explode and performance goes down the drain.
|
|
*/
|
|
|
|
#if defined(__i386__) || defined(__x86_64__)
|
|
#define setW(x, val) (*(volatile unsigned int *)&W(x) = (val))
|
|
#elif defined(__GNUC__) && defined(__arm__)
|
|
#define setW(x, val) do { W(x) = (val); __asm__("":::"memory"); } while (0)
|
|
#else
|
|
#define setW(x, val) (W(x) = (val))
|
|
#endif
|
|
|
|
/* This "rolls" over the 512-bit array */
|
|
#define W(x) (array[(x)&15])
|
|
|
|
/*
|
|
* Where do we get the source from? The first 16 iterations get it from
|
|
* the input data, the next mix it from the 512-bit array.
|
|
*/
|
|
#define SHA_SRC(t) get_be32((unsigned char *) block + (t)*4)
|
|
#define SHA_MIX(t) SHA_ROL(W((t)+13) ^ W((t)+8) ^ W((t)+2) ^ W(t), 1)
|
|
|
|
#define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
|
|
unsigned int TEMP = input(t); setW(t, TEMP); \
|
|
E += TEMP + SHA_ROL(A,5) + (fn) + (constant); \
|
|
B = SHA_ROR(B, 2); } while (0)
|
|
|
|
#define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
|
|
#define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
|
|
#define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eba1, A, B, C, D, E )
|
|
#define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E )
|
|
#define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E )
|
|
|
|
static void blk_SHA1_Block(blk_SHA_CTX *ctx, const void *block)
|
|
{
|
|
unsigned int A,B,C,D,E;
|
|
unsigned int array[16];
|
|
|
|
A = ctx->H[0];
|
|
B = ctx->H[1];
|
|
C = ctx->H[2];
|
|
D = ctx->H[3];
|
|
E = ctx->H[4];
|
|
|
|
/* Round 1 - iterations 0-16 take their input from 'block' */
|
|
T_0_15( 0, A, B, C, D, E);
|
|
T_0_15( 1, E, A, B, C, D);
|
|
T_0_15( 2, D, E, A, B, C);
|
|
T_0_15( 3, C, D, E, A, B);
|
|
T_0_15( 4, B, C, D, E, A);
|
|
T_0_15( 5, A, B, C, D, E);
|
|
T_0_15( 6, E, A, B, C, D);
|
|
T_0_15( 7, D, E, A, B, C);
|
|
T_0_15( 8, C, D, E, A, B);
|
|
T_0_15( 9, B, C, D, E, A);
|
|
T_0_15(10, A, B, C, D, E);
|
|
T_0_15(11, E, A, B, C, D);
|
|
T_0_15(12, D, E, A, B, C);
|
|
T_0_15(13, C, D, E, A, B);
|
|
T_0_15(14, B, C, D, E, A);
|
|
T_0_15(15, A, B, C, D, E);
|
|
|
|
/* Round 1 - tail. Input from 512-bit mixing array */
|
|
T_16_19(16, E, A, B, C, D);
|
|
T_16_19(17, D, E, A, B, C);
|
|
T_16_19(18, C, D, E, A, B);
|
|
T_16_19(19, B, C, D, E, A);
|
|
|
|
/* Round 2 */
|
|
T_20_39(20, A, B, C, D, E);
|
|
T_20_39(21, E, A, B, C, D);
|
|
T_20_39(22, D, E, A, B, C);
|
|
T_20_39(23, C, D, E, A, B);
|
|
T_20_39(24, B, C, D, E, A);
|
|
T_20_39(25, A, B, C, D, E);
|
|
T_20_39(26, E, A, B, C, D);
|
|
T_20_39(27, D, E, A, B, C);
|
|
T_20_39(28, C, D, E, A, B);
|
|
T_20_39(29, B, C, D, E, A);
|
|
T_20_39(30, A, B, C, D, E);
|
|
T_20_39(31, E, A, B, C, D);
|
|
T_20_39(32, D, E, A, B, C);
|
|
T_20_39(33, C, D, E, A, B);
|
|
T_20_39(34, B, C, D, E, A);
|
|
T_20_39(35, A, B, C, D, E);
|
|
T_20_39(36, E, A, B, C, D);
|
|
T_20_39(37, D, E, A, B, C);
|
|
T_20_39(38, C, D, E, A, B);
|
|
T_20_39(39, B, C, D, E, A);
|
|
|
|
/* Round 3 */
|
|
T_40_59(40, A, B, C, D, E);
|
|
T_40_59(41, E, A, B, C, D);
|
|
T_40_59(42, D, E, A, B, C);
|
|
T_40_59(43, C, D, E, A, B);
|
|
T_40_59(44, B, C, D, E, A);
|
|
T_40_59(45, A, B, C, D, E);
|
|
T_40_59(46, E, A, B, C, D);
|
|
T_40_59(47, D, E, A, B, C);
|
|
T_40_59(48, C, D, E, A, B);
|
|
T_40_59(49, B, C, D, E, A);
|
|
T_40_59(50, A, B, C, D, E);
|
|
T_40_59(51, E, A, B, C, D);
|
|
T_40_59(52, D, E, A, B, C);
|
|
T_40_59(53, C, D, E, A, B);
|
|
T_40_59(54, B, C, D, E, A);
|
|
T_40_59(55, A, B, C, D, E);
|
|
T_40_59(56, E, A, B, C, D);
|
|
T_40_59(57, D, E, A, B, C);
|
|
T_40_59(58, C, D, E, A, B);
|
|
T_40_59(59, B, C, D, E, A);
|
|
|
|
/* Round 4 */
|
|
T_60_79(60, A, B, C, D, E);
|
|
T_60_79(61, E, A, B, C, D);
|
|
T_60_79(62, D, E, A, B, C);
|
|
T_60_79(63, C, D, E, A, B);
|
|
T_60_79(64, B, C, D, E, A);
|
|
T_60_79(65, A, B, C, D, E);
|
|
T_60_79(66, E, A, B, C, D);
|
|
T_60_79(67, D, E, A, B, C);
|
|
T_60_79(68, C, D, E, A, B);
|
|
T_60_79(69, B, C, D, E, A);
|
|
T_60_79(70, A, B, C, D, E);
|
|
T_60_79(71, E, A, B, C, D);
|
|
T_60_79(72, D, E, A, B, C);
|
|
T_60_79(73, C, D, E, A, B);
|
|
T_60_79(74, B, C, D, E, A);
|
|
T_60_79(75, A, B, C, D, E);
|
|
T_60_79(76, E, A, B, C, D);
|
|
T_60_79(77, D, E, A, B, C);
|
|
T_60_79(78, C, D, E, A, B);
|
|
T_60_79(79, B, C, D, E, A);
|
|
|
|
ctx->H[0] += A;
|
|
ctx->H[1] += B;
|
|
ctx->H[2] += C;
|
|
ctx->H[3] += D;
|
|
ctx->H[4] += E;
|
|
}
|
|
|
|
void blk_SHA1_Init(blk_SHA_CTX *ctx)
|
|
{
|
|
ctx->size = 0;
|
|
|
|
/* Initialize H with the magic constants (see FIPS180 for constants) */
|
|
ctx->H[0] = 0x67452301;
|
|
ctx->H[1] = 0xefcdab89;
|
|
ctx->H[2] = 0x98badcfe;
|
|
ctx->H[3] = 0x10325476;
|
|
ctx->H[4] = 0xc3d2e1f0;
|
|
}
|
|
|
|
void blk_SHA1_Update(blk_SHA_CTX *ctx, const void *data, size_t len)
|
|
{
|
|
unsigned int lenW = ctx->size & 63;
|
|
|
|
ctx->size += len;
|
|
|
|
/* Read the data into W and process blocks as they get full */
|
|
if (lenW) {
|
|
unsigned int left = 64 - lenW;
|
|
if (len < left)
|
|
left = len;
|
|
memcpy(lenW + (char *)ctx->W, data, left);
|
|
lenW = (lenW + left) & 63;
|
|
len -= left;
|
|
data = ((const char *)data + left);
|
|
if (lenW)
|
|
return;
|
|
blk_SHA1_Block(ctx, ctx->W);
|
|
}
|
|
while (len >= 64) {
|
|
blk_SHA1_Block(ctx, data);
|
|
data = ((const char *)data + 64);
|
|
len -= 64;
|
|
}
|
|
if (len)
|
|
memcpy(ctx->W, data, len);
|
|
}
|
|
|
|
void blk_SHA1_Final(unsigned char hashout[20], blk_SHA_CTX *ctx)
|
|
{
|
|
static const unsigned char pad[64] = { 0x80 };
|
|
unsigned int padlen[2];
|
|
int i;
|
|
|
|
/* Pad with a binary 1 (ie 0x80), then zeroes, then length */
|
|
padlen[0] = htonl((uint32_t)(ctx->size >> 29));
|
|
padlen[1] = htonl((uint32_t)(ctx->size << 3));
|
|
|
|
i = ctx->size & 63;
|
|
blk_SHA1_Update(ctx, pad, 1 + (63 & (55 - i)));
|
|
blk_SHA1_Update(ctx, padlen, 8);
|
|
|
|
/* Output hash */
|
|
for (i = 0; i < 5; i++)
|
|
put_be32(hashout + i * 4, ctx->H[i]);
|
|
}
|