Merge pull request #709 from MarekKnapek/sha-stack

Smaller stack usage for SHA-1, SHA-256 and SHA-512.

Author: sjaeckel

.github/workflows/main.yml

@@ -47,10 +47,12 @@ jobs:
           - { BUILDNAME: 'STOCK',                   BUILDOPTIONS: '',                                                                     BUILDSCRIPT: '.ci/run.sh' }
           - { BUILDNAME: 'STOCK-MPI',               BUILDOPTIONS: '-ULTM_DESC -UTFM_DESC -UUSE_LTM -UUSE_TFM',                            BUILDSCRIPT: '.ci/run.sh' }
           - { BUILDNAME: 'EASY',                    BUILDOPTIONS: '-DLTC_EASY',                                                           BUILDSCRIPT: '.ci/run.sh' }
-          - { BUILDNAME: 'SMALL',                   BUILDOPTIONS: '-DLTC_SMALL_CODE',                                                     BUILDSCRIPT: '.ci/run.sh' }
+          - { BUILDNAME: 'SMALL_CODE',              BUILDOPTIONS: '-DLTC_SMALL_CODE',                                                     BUILDSCRIPT: '.ci/run.sh' }
+          - { BUILDNAME: 'SMALL_STACK',             BUILDOPTIONS: '-DLTC_SMALL_STACK',                                                    BUILDSCRIPT: '.ci/run.sh' }
+          - { BUILDNAME: 'SMALL',                   BUILDOPTIONS: '-DLTC_SMALL_CODE -DLTC_SMALL_STACK',                                   BUILDSCRIPT: '.ci/run.sh' }
           - { BUILDNAME: 'NO_TABLES',               BUILDOPTIONS: '-DLTC_NO_TABLES',                                                      BUILDSCRIPT: '.ci/run.sh' }
           - { BUILDNAME: 'NO_FAST',                 BUILDOPTIONS: '-DLTC_NO_FAST',                                                        BUILDSCRIPT: '.ci/run.sh' }
-          - { BUILDNAME: 'NO_FAST+SMALL+NO_TABLES', BUILDOPTIONS: '-DLTC_NO_FAST -DLTC_SMALL_CODE -DLTC_NO_TABLES',                       BUILDSCRIPT: '.ci/run.sh' }
+          - { BUILDNAME: 'NO_FAST+SMALL+NO_TABLES', BUILDOPTIONS: '-DLTC_NO_FAST -DLTC_SMALL_CODE -DLTC_SMALL_STACK -DLTC_NO_TABLES',     BUILDSCRIPT: '.ci/run.sh' }
           - { BUILDNAME: 'NO_ASM',                  BUILDOPTIONS: '-DLTC_NO_ASM',                                                         BUILDSCRIPT: '.ci/run.sh' }
           - { BUILDNAME: 'NO_DEPRECATED_APIS',      BUILDOPTIONS: '-DLTC_NO_DEPRECATED_APIS',                                             BUILDSCRIPT: '.ci/run.sh' }
           - { BUILDNAME: 'NO_TIMING_RESISTANCE',    BUILDOPTIONS: '-DLTC_NO_ECC_TIMING_RESISTANT -DLTC_NO_RSA_BLINDING',                  BUILDSCRIPT: '.ci/run.sh' }

demos/timing.c

@@ -14,6 +14,8 @@ static prng_state yarrow_prng;
 #define KTIMES  25
 #define TIMES   100000
 
+static const char *filter_arg;
+
 static struct list {
     int id;
     ulong64 spd1, spd2, avg;
@@ -56,7 +58,7 @@ static void tally_results(int type)
 }
 
 /* RDTSC from Scott Duplichan */
-static ulong64 rdtsc (void)
+static LTC_INLINE ulong64 rdtsc (void)
    {
    #if defined __GNUC__ && !defined(LTC_NO_ASM)
       #if defined(__i386__) || defined(__x86_64__)
@@ -111,12 +113,12 @@ static ulong64 rdtsc (void)
 
 static ulong64 timer, skew = 0;
 
-static void t_start(void)
+static LTC_INLINE void t_start(void)
 {
    timer = rdtsc();
 }
 
-static ulong64 t_read(void)
+static LTC_INLINE ulong64 t_read(void)
 {
    return rdtsc() - timer;
 }
@@ -470,20 +472,27 @@ static void time_cipher_lrw(void) { fprintf(stderr, "NO LRW\n"); }
 
 static void time_hash(void)
 {
-  unsigned long x, y1, len;
+  unsigned long x, y1, len = 1024;
   ulong64 t1, t2, c1, c2;
   hash_state md;
   int    (*func)(hash_state *, const unsigned char *, unsigned long), err;
-  unsigned char pt[MAXBLOCKSIZE] = { 0 };
-
+  unsigned char *pt = XMALLOC(len);
+  if (pt == NULL) {
+     fprintf(stderr, "\n\nout of heap yo\n\n");
+     exit(EXIT_FAILURE);
+  }
 
   fprintf(stderr, "\n\nHASH Time Trials for:\n");
   no_results = 0;
   for (x = 0; hash_descriptor[x].name != NULL; x++) {
 
+     if (filter_arg && strstr(hash_descriptor[x].name, filter_arg) == NULL)
+        continue;
+
     /* sanity check on hash */
     if ((err = hash_descriptor[x].test()) != CRYPT_OK) {
        fprintf(stderr, "\n\nERROR: Hash %s failed self-test %s\n", hash_descriptor[x].name, error_to_string(err));
+       XFREE(pt);
        exit(EXIT_FAILURE);
     }
 
@@ -493,7 +502,6 @@ static void time_hash(void)
 #define DO2   DO1 DO1
 
     func = hash_descriptor[x].process;
-    len  = hash_descriptor[x].blocksize;
 
     c1 = c2 = (ulong64)-1;
     for (y1 = 0; y1 < TIMES; y1++) {
@@ -515,6 +523,7 @@ static void time_hash(void)
 #undef DO1
    }
    tally_results(2);
+   XFREE(pt);
 }
 
 /*#warning you need an mp_rand!!!*/
@@ -1368,12 +1377,15 @@ static void LTC_NORETURN die(int status)
 {
    FILE* o = status == EXIT_SUCCESS ? stdout : stderr;
    fprintf(o,
-         "Usage: timing [<-h|-l|alg>] [mpi]\n\n"
+         "Usage: timing [<-h|-l|alg>] [mpi] [filter]\n\n"
          "Run timing tests of all built-in algorithms, or only the one given in <alg>.\n\n"
-         "\talg\tThe algorithm to test. Use the '-l' option to check for valid values.\n"
+         "\talg\tThe algorithms to test. Use the '-l' option to check for valid values.\n"
          "\tmpi\tThe MPI provider to use.\n"
+         "\tfilter\tFilter within the algorithm class (currently only for 'hash'es).\n"
          "\t-l\tList all built-in algorithms that can be timed.\n"
-         "\t-h\tThe help you're looking at.\n"
+         "\t-h\tThe help you're looking at.\n\n"
+         "Examples:\n"
+         "\ttiming hash sha\t\tWill run the timing demo for all hashes containing 'sha' in their name\n"
    );
    exit(status);
 }
@@ -1440,6 +1452,9 @@ register_all_prngs();
 
    if (crypt_mp_init(mpi_provider) != CRYPT_OK) {
       fprintf(stderr, "Init of MPI provider \"%s\" failed\n", mpi_provider ? mpi_provider : "(null)");
+      filter_arg = mpi_provider;
+   } else if (argc > 3){
+      filter_arg = argv[3];
    }
 
 if ((err = rng_make_prng(128, find_prng("yarrow"), &yarrow_prng, NULL)) != CRYPT_OK) {

doc/crypt.tex

@@ -9124,6 +9124,12 @@ \subsection{LTC\_SMALL\_CODE}
 When this is defined some of the code such as the Rijndael and SAFER+ ciphers are replaced with smaller code variants.
 These variants are slower but can save quite a bit of code space.
 
+\subsection{LTC\_SMALL\_STACK}
+When this is defined some of the code uses a variant which results in smaller stack sizes.
+Depending on the architecture and other configuration options the results of execution speeed can vary.
+Therefore we try to enable this automatically where it brings an advantage in speed.
+In case you always want smaller stack usage, no matter if it makes the execution slower, you should enable this.
+
 \subsection{LTC\_PTHREAD}
 When this is activated all of the descriptor table functions will use pthread locking to ensure thread safe updates to the tables.  Note that
 it doesn't prevent a thread that is passively using a table from being messed up by another thread that updates the table.

src/hashes/sha1.c

@@ -4,12 +4,20 @@
 
 /**
   @file sha1.c
-  LTC_SHA1 code by Tom St Denis
+  SHA1 code by Tom St Denis
 */
 
 
 #ifdef LTC_SHA1
 
+/* While implementing the SMALL STACK option in https://github.com/libtom/libtomcrypt/pull/709
+ * we came to the conclusion that SHA1 profits from the SMALL STACK option when the SMALL CODE
+ * option is enabled, so let's do that.
+ */
+#if defined(LTC_SMALL_STACK) || defined(LTC_SMALL_CODE)
+#define LTC_SMALL_STACK_SHA1
+#endif
+
 const struct ltc_hash_descriptor sha1_desc =
 {
     "sha1",
@@ -39,7 +47,12 @@ static int ss_sha1_compress(hash_state *md, const unsigned char *buf)
 static int  s_sha1_compress(hash_state *md, const unsigned char *buf)
 #endif
 {
-    ulong32 a,b,c,d,e,W[80],i;
+    ulong32 a,b,c,d,e,i;
+#ifdef LTC_SMALL_STACK_SHA1
+    ulong32 W[16];
+#else
+    ulong32 W[80];
+#endif
 #ifdef LTC_SMALL_CODE
     ulong32 t;
 #endif
@@ -56,78 +69,95 @@ static int  s_sha1_compress(hash_state *md, const unsigned char *buf)
     d = md->sha1.state[3];
     e = md->sha1.state[4];
 
+#ifdef LTC_SMALL_STACK_SHA1
+    #define Wi(i) do { W[(i) % 16] = ROL(W[((i) - 3) % 16] ^ W[((i) - 8) % 16] ^ W[((i) - 14) % 16] ^ W[((i) - 16) % 16], 1); } while(0)
+    #define Windex(i) ((i) % 16)
+#else
+    #define Wi(i) do { } while(0)
+    #define Windex(i) (i)
     /* expand it */
     for (i = 16; i < 80; i++) {
         W[i] = ROL(W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16], 1);
     }
+#endif
 
     /* compress */
     /* round one */
-    #define FF0(a,b,c,d,e,i) e = (ROLc(a, 5) + F0(b,c,d) + e + W[i] + 0x5a827999UL); b = ROLc(b, 30);
-    #define FF1(a,b,c,d,e,i) e = (ROLc(a, 5) + F1(b,c,d) + e + W[i] + 0x6ed9eba1UL); b = ROLc(b, 30);
-    #define FF2(a,b,c,d,e,i) e = (ROLc(a, 5) + F2(b,c,d) + e + W[i] + 0x8f1bbcdcUL); b = ROLc(b, 30);
-    #define FF3(a,b,c,d,e,i) e = (ROLc(a, 5) + F3(b,c,d) + e + W[i] + 0xca62c1d6UL); b = ROLc(b, 30);
+    #define FF0(a,b,c,d,e,i) e = (ROLc(a, 5) + F0(b,c,d) + e + W[Windex(i)] + 0x5a827999UL); b = ROLc(b, 30);
+    #define FF1(a,b,c,d,e,i) e = (ROLc(a, 5) + F1(b,c,d) + e + W[Windex(i)] + 0x6ed9eba1UL); b = ROLc(b, 30);
+    #define FF2(a,b,c,d,e,i) e = (ROLc(a, 5) + F2(b,c,d) + e + W[Windex(i)] + 0x8f1bbcdcUL); b = ROLc(b, 30);
+    #define FF3(a,b,c,d,e,i) e = (ROLc(a, 5) + F3(b,c,d) + e + W[Windex(i)] + 0xca62c1d6UL); b = ROLc(b, 30);
 
 #ifdef LTC_SMALL_CODE
 
-    for (i = 0; i < 20; ) {
+    for (i = 0; i < 16; ) {
        FF0(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
     }
+    for (; i < 20; ) {
+       Wi(i); FF0(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
+    }
 
     for (; i < 40; ) {
-       FF1(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
+       Wi(i); FF1(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
     }
 
     for (; i < 60; ) {
-       FF2(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
+       Wi(i); FF2(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
     }
 
     for (; i < 80; ) {
-       FF3(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
+       Wi(i); FF3(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
     }
 
 #else
 
-    for (i = 0; i < 20; ) {
+    for (i = 0; i < 15; ) {
        FF0(a,b,c,d,e,i++);
        FF0(e,a,b,c,d,i++);
        FF0(d,e,a,b,c,i++);
        FF0(c,d,e,a,b,i++);
        FF0(b,c,d,e,a,i++);
     }
+    FF0(a,b,c,d,e,i++);
+    Wi(i); FF0(e,a,b,c,d,i++);
+    Wi(i); FF0(d,e,a,b,c,i++);
+    Wi(i); FF0(c,d,e,a,b,i++);
+    Wi(i); FF0(b,c,d,e,a,i++);
 
     /* round two */
     for (; i < 40; )  {
-       FF1(a,b,c,d,e,i++);
-       FF1(e,a,b,c,d,i++);
-       FF1(d,e,a,b,c,i++);
-       FF1(c,d,e,a,b,i++);
-       FF1(b,c,d,e,a,i++);
+       Wi(i); FF1(a,b,c,d,e,i++);
+       Wi(i); FF1(e,a,b,c,d,i++);
+       Wi(i); FF1(d,e,a,b,c,i++);
+       Wi(i); FF1(c,d,e,a,b,i++);
+       Wi(i); FF1(b,c,d,e,a,i++);
     }
 
     /* round three */
     for (; i < 60; )  {
-       FF2(a,b,c,d,e,i++);
-       FF2(e,a,b,c,d,i++);
-       FF2(d,e,a,b,c,i++);
-       FF2(c,d,e,a,b,i++);
-       FF2(b,c,d,e,a,i++);
+       Wi(i); FF2(a,b,c,d,e,i++);
+       Wi(i); FF2(e,a,b,c,d,i++);
+       Wi(i); FF2(d,e,a,b,c,i++);
+       Wi(i); FF2(c,d,e,a,b,i++);
+       Wi(i); FF2(b,c,d,e,a,i++);
     }
 
     /* round four */
     for (; i < 80; )  {
-       FF3(a,b,c,d,e,i++);
-       FF3(e,a,b,c,d,i++);
-       FF3(d,e,a,b,c,i++);
-       FF3(c,d,e,a,b,i++);
-       FF3(b,c,d,e,a,i++);
+       Wi(i); FF3(a,b,c,d,e,i++);
+       Wi(i); FF3(e,a,b,c,d,i++);
+       Wi(i); FF3(d,e,a,b,c,i++);
+       Wi(i); FF3(c,d,e,a,b,i++);
+       Wi(i); FF3(b,c,d,e,a,i++);
     }
 #endif
 
     #undef FF0
     #undef FF1
     #undef FF2
     #undef FF3
+    #undef Wi
+    #undef Windex
 
     /* store */
     md->sha1.state[0] = md->sha1.state[0] + a;