// Copyright (c) 2014, The Monero Project // // All rights reserved. // // Redistribution and use in source and binary forms, with or without modification, are // permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this list of // conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, this list // of conditions and the following disclaimer in the documentation and/or other // materials provided with the distribution. // // 3. Neither the name of the copyright holder nor the names of its contributors may be // used to endorse or promote products derived from this software without specific // prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
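//
// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers

/*
 * CryptoNight slow hash (cn_slow_hash) for x86/x86-64.
 *
 * This is a memory-hard proof-of-work hash, not a keyed primitive or a
 * password hash: its inputs are public block data, and its scratchpad
 * access pattern is input-dependent by construction (that is what makes it
 * memory-hard).  Outline:
 *
 *   1. Keccak the input into a 200-byte state.
 *   2. Fill a 2 MiB thread-local scratchpad by repeatedly running a reduced
 *      "pseudo" AES (10 full rounds, no whitening, no final round) over the
 *      first 128 bytes of the state, keyed by state bytes 0..31.
 *   3. Run 2^20 data-dependent read-modify-write steps over the scratchpad
 *      (one AES round + one 64x64->128 multiply-add per step).
 *   4. Fold the scratchpad back into the state with the same pseudo-AES,
 *      keyed by state bytes 32..63, then Keccak-permute.
 *   5. Finish with one of four extra hashes picked by the first state byte.
 *
 * AES-NI is used when CPUID reports it; otherwise a software AES
 * (aesb_* / oaes) is used and must produce identical results.
 *
 * NOTE(review): the angle-bracket header names in this file were lost when
 * the page was extracted (only bare `#include` tokens survived).  They have
 * been restored from the identifiers the code actually uses — confirm
 * against the upstream source.
 */
#include <stddef.h>   /* size_t */
#include <stdint.h>   /* uint8_t, uint64_t */
#include <stdlib.h>   /* malloc, free, abort */
#include <string.h>   /* memcpy */

#include "common/int-util.h"   /* mul128 on non-x86-64 targets */
#include "hash-ops.h"          /* union hash_state, hash_process, hash_permutation, hash_extra_* */
#include "oaes_lib.h"          /* software AES key schedule */

#include <emmintrin.h>         /* SSE2: _mm_load/store/xor_si128, _mm_slli_si128, _mm_shuffle_epi32 */

#if defined(_MSC_VER)
#include <intrin.h>            /* __cpuidex, _umul128, AES-NI intrinsics */
#include <windows.h>           /* VirtualAlloc/VirtualFree, token privilege APIs */
#define STATIC
#define INLINE __inline
#if !defined(RDATA_ALIGN16)
#define RDATA_ALIGN16 __declspec(align(16))
#endif
#else
#include <wmmintrin.h>         /* AES-NI: _mm_aesenc_si128, _mm_aeskeygenassist_si128 */
#include <sys/mman.h>          /* mmap/munmap */
#define STATIC static
#define INLINE inline
#if !defined(RDATA_ALIGN16)
#define RDATA_ALIGN16 __attribute__ ((aligned(16)))
#endif
#endif

#if defined(__INTEL_COMPILER)
#define ASM __asm__
#elif !defined(_MSC_VER)
#define ASM __asm__
#else
#define ASM __asm
#endif

#define MEMORY         (1 << 21) /* 2 MiB scratchpad */
#define ITER           (1 << 20) /* main-loop steps; the loop below runs ITER/2 double steps */
#define AES_BLOCK_SIZE  16
#define AES_KEY_SIZE    32
#define INIT_SIZE_BLK   8
#define INIT_SIZE_BYTE (INIT_SIZE_BLK * AES_BLOCK_SIZE)   /* 128 bytes per fill/fold chunk */
#define TOTALBLOCKS    (MEMORY / AES_BLOCK_SIZE)          /* power of two: the index mask below is exact */

#define U64(x) ((uint64_t *) (x))
#define R128(x) ((__m128i *) (x))

/* Scratchpad byte offset addressed by the low 64 bits of a 16-byte value:
 * bits 4..20 select one of TOTALBLOCKS 16-byte blocks, so the result is
 * always 16-byte aligned and always inside the scratchpad. */
#define state_index(x) (((*((uint64_t *) (x)) >> 4) & (TOTALBLOCKS - 1)) << 4)

/* hi:lo = c[0] * b[0] as a full 128-bit product.  Uses the hardware
 * instruction where one is available, mul128() from int-util.h otherwise. */
#if defined(_MSC_VER)
#if !defined(_WIN64)
#define __mul() lo = mul128(c[0], b[0], &hi);
#else
#define __mul() lo = _umul128(c[0], b[0], &hi);
#endif
#else
#if defined(__x86_64__)
#define __mul() ASM("mulq %3\n\t" : "=d"(hi), "=a"(lo) : "%a" (c[0]), "rm" (b[0]) : "cc");
#else
#define __mul() lo = mul128(c[0], b[0], &hi);
#endif
#endif

/* Main-loop half step, part 1: load the scratchpad block addressed by a into
 * _c and a itself into _a.  The caller then applies one AES round to _c
 * keyed by _a (hardware or software) before post_aes(). */
#define pre_aes() \
    j = state_index(a); \
    _c = _mm_load_si128(R128(&hp_state[j])); \
    _a = _mm_load_si128(R128(a))

/* Main-loop half step, part 2 ("dga's optimized scratchpad twiddling"):
 * store the encrypted block in c, write b ^ c back to the block read in
 * part 1, then read the block addressed by c into b, add the 128-bit
 * product c[0]*b[0] into a, store a into that block, and xor the block's
 * previous contents into a.  Finally c becomes the next step's b. */
#define post_aes() \
    _mm_store_si128(R128(c), _c); \
    _b = _mm_xor_si128(_b, _c); \
    _mm_store_si128(R128(&hp_state[j]), _b); \
    j = state_index(c); \
    p = U64(&hp_state[j]); \
    b[0] = p[0]; b[1] = p[1]; \
    __mul(); \
    a[0] += hi; a[1] += lo; \
    p = U64(&hp_state[j]); \
    p[0] = a[0]; p[1] = a[1]; \
    a[0] ^= b[0]; a[1] ^= b[1]; \
    _b = _c

#if defined(_MSC_VER)
#define THREADV __declspec(thread)
#else
#define THREADV __thread
#endif

/* Software AES fallbacks, defined elsewhere in the project.  Both take an
 * expanded key and must match the AES-NI paths bit for bit. */
extern int aesb_single_round(const uint8_t *in, uint8_t *out, const uint8_t *expandedKey);
extern int aesb_pseudo_round(const uint8_t *in, uint8_t *out, const uint8_t *expandedKey);

/* Keccak state with an overlay view: k is the first 64 bytes (key material
 * for a/b and the two AES keys), init the following 128 bytes (the text
 * block used to fill and fold the scratchpad).  Packed so the overlay
 * matches the raw byte layout exactly. */
#pragma pack(push, 1)
union cn_slow_hash_state
{
    union hash_state hs;
    struct
    {
        uint8_t k[64];
        uint8_t init[INIT_SIZE_BYTE];
    };
};
#pragma pack(pop)

/* Per-thread scratchpad.  hp_allocated == 1 means it came from
 * VirtualAlloc/mmap and must go back through VirtualFree/munmap;
 * 0 means it came from malloc().  Being thread-local, cn_slow_hash() may run
 * concurrently on different threads but is not reentrant within one. */
THREADV uint8_t *hp_state = NULL;
THREADV int hp_allocated = 0;

#if defined(_MSC_VER)
#define cpuid(info,x) __cpuidex(info,x,0)
#else
/* CPUID leaf InfoType, subleaf 0, into CPUInfo[eax, ebx, ecx, edx].
 * NOTE(review): writing ebx directly from inline asm is known to be
 * problematic on 32-bit PIC builds; <cpuid.h>'s __cpuid_count avoids that. */
void cpuid(int CPUInfo[4], int InfoType)
{
    ASM __volatile__
    (
    "cpuid":
        "=a" (CPUInfo[0]),
        "=b" (CPUInfo[1]),
        "=c" (CPUInfo[2]),
        "=d" (CPUInfo[3]) :
            "a" (InfoType), "c" (0)
        );
}
#endif

/* a ^= b over one 16-byte block. */
STATIC INLINE void xor_blocks(uint8_t *a, const uint8_t *b)
{
    U64(a)[0] ^= U64(b)[0];
    U64(a)[1] ^= U64(b)[1];
}

/* Non-zero when CPUID.1:ECX bit 25 (AES-NI) is set.  The answer is cached
 * in a plain static; every thread computes the same value, but it is still a
 * formal data race — NOTE(review): use _Atomic if that matters here. */
STATIC INLINE int check_aes_hw(void)
{
    int cpuid_results[4];
    static int supported = -1;

    if(supported >= 0)
        return supported;

    cpuid(cpuid_results,1);
    return supported = cpuid_results[2] & (1 << 25);
}

/* AES-256 key-schedule helper (aeskeygenassist formulation): fold the
 * rotated/substituted word in *t2 into the even round key *t1. */
STATIC INLINE void aes_256_assist1(__m128i* t1, __m128i * t2)
{
    __m128i t4;

    *t2 = _mm_shuffle_epi32(*t2, 0xff);
    t4 = _mm_slli_si128(*t1, 0x04);
    *t1 = _mm_xor_si128(*t1, t4);
    t4 = _mm_slli_si128(t4, 0x04);
    *t1 = _mm_xor_si128(*t1, t4);
    t4 = _mm_slli_si128(t4, 0x04);
    *t1 = _mm_xor_si128(*t1, t4);
    *t1 = _mm_xor_si128(*t1, *t2);
}

/* AES-256 key-schedule helper: derive the odd round key *t3 from *t1. */
STATIC INLINE void aes_256_assist2(__m128i* t1, __m128i * t3)
{
    __m128i t2, t4;

    t4 = _mm_aeskeygenassist_si128(*t1, 0x00);
    t2 = _mm_shuffle_epi32(t4, 0xaa);
    t4 = _mm_slli_si128(*t3, 0x04);
    *t3 = _mm_xor_si128(*t3, t4);
    t4 = _mm_slli_si128(t4, 0x04);
    *t3 = _mm_xor_si128(*t3, t4);
    t4 = _mm_slli_si128(t4, 0x04);
    *t3 = _mm_xor_si128(*t3, t4);
    *t3 = _mm_xor_si128(*t3, t2);
}

/* Expand a 32-byte AES-256 key into round keys ek[0..10] (11 x 16 bytes).
 * This is deliberately short of the full 15-key AES-256 schedule: the
 * pseudo-AES below only consumes keys 0..9.  key may be unaligned;
 * expandedKey must be 16-byte aligned and hold at least 176 bytes (callers
 * pass a 240-byte buffer). */
STATIC INLINE void aes_expand_key(const uint8_t *key, uint8_t *expandedKey)
{
    __m128i *ek = R128(expandedKey);
    __m128i t1, t2, t3;

    t1 = _mm_loadu_si128(R128(key));
    t3 = _mm_loadu_si128(R128(key + 16));

    ek[0] = t1;
    ek[1] = t3;

    t2 = _mm_aeskeygenassist_si128(t3, 0x01);
    aes_256_assist1(&t1, &t2);
    ek[2] = t1;
    aes_256_assist2(&t1, &t3);
    ek[3] = t3;

    t2 = _mm_aeskeygenassist_si128(t3, 0x02);
    aes_256_assist1(&t1, &t2);
    ek[4] = t1;
    aes_256_assist2(&t1, &t3);
    ek[5] = t3;

    t2 = _mm_aeskeygenassist_si128(t3, 0x04);
    aes_256_assist1(&t1, &t2);
    ek[6] = t1;
    aes_256_assist2(&t1, &t3);
    ek[7] = t3;

    t2 = _mm_aeskeygenassist_si128(t3, 0x08);
    aes_256_assist1(&t1, &t2);
    ek[8] = t1;
    aes_256_assist2(&t1, &t3);
    ek[9] = t3;

    t2 = _mm_aeskeygenassist_si128(t3, 0x10);
    aes_256_assist1(&t1, &t2);
    ek[10] = t1;
}

/* CryptoNight "pseudo" AES over nblocks consecutive 16-byte blocks: ten full
 * aesenc rounds with round keys 0..9, no initial AddRoundKey and no
 * aesenclast — it is intentionally NOT standard AES encryption.  in/out may
 * alias (callers pass the same buffer) and may be unaligned; expandedKey must
 * be 16-byte aligned. */
STATIC INLINE void aes_pseudo_round(const uint8_t *in, uint8_t *out,
                                    const uint8_t *expandedKey, int nblocks)
{
    __m128i *k = R128(expandedKey);
    __m128i d;
    int i;

    for(i = 0; i < nblocks; i++)
    {
        d = _mm_loadu_si128(R128(in + i * AES_BLOCK_SIZE));
        d = _mm_aesenc_si128(d, k[0]);
        d = _mm_aesenc_si128(d, k[1]);
        d = _mm_aesenc_si128(d, k[2]);
        d = _mm_aesenc_si128(d, k[3]);
        d = _mm_aesenc_si128(d, k[4]);
        d = _mm_aesenc_si128(d, k[5]);
        d = _mm_aesenc_si128(d, k[6]);
        d = _mm_aesenc_si128(d, k[7]);
        d = _mm_aesenc_si128(d, k[8]);
        d = _mm_aesenc_si128(d, k[9]);
        _mm_storeu_si128((R128(out + i * AES_BLOCK_SIZE)), d);
    }
}

/* Same as aes_pseudo_round(), but each input block is first xored with the
 * corresponding block of xor (used to fold the scratchpad back into text).
 * xor must be 16-byte aligned (it always points into the scratchpad). */
STATIC INLINE void aes_pseudo_round_xor(const uint8_t *in, uint8_t *out,
                                        const uint8_t *expandedKey, const uint8_t *xor, int nblocks)
{
    __m128i *k = R128(expandedKey);
    __m128i *x = R128(xor);
    __m128i d;
    int i;

    for(i = 0; i < nblocks; i++)
    {
        d = _mm_loadu_si128(R128(in + i * AES_BLOCK_SIZE));
        d = _mm_xor_si128(d, *(x++));
        d = _mm_aesenc_si128(d, k[0]);
        d = _mm_aesenc_si128(d, k[1]);
        d = _mm_aesenc_si128(d, k[2]);
        d = _mm_aesenc_si128(d, k[3]);
        d = _mm_aesenc_si128(d, k[4]);
        d = _mm_aesenc_si128(d, k[5]);
        d = _mm_aesenc_si128(d, k[6]);
        d = _mm_aesenc_si128(d, k[7]);
        d = _mm_aesenc_si128(d, k[8]);
        d = _mm_aesenc_si128(d, k[9]);
        _mm_storeu_si128((R128(out + i * AES_BLOCK_SIZE)), d);
    }
}

#if defined(_MSC_VER)
/* Enable (or disable) SeLockMemoryPrivilege on hProcess's token, which
 * MEM_LARGE_PAGES requires.  Returns TRUE only if the privilege was actually
 * adjusted: AdjustTokenPrivileges succeeds even when it assigns nothing, so
 * GetLastError() must also be ERROR_SUCCESS.  The token handle is closed on
 * every path (the original leaked it on the failure paths). */
BOOL SetLockPagesPrivilege(HANDLE hProcess, BOOL bEnable)
{
    struct
    {
        DWORD count;
        LUID_AND_ATTRIBUTES privilege[1];
    } info;

    HANDLE token;
    BOOL ok = FALSE;

    if(!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &token))
        return FALSE;

    info.count = 1;
    info.privilege[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    if(LookupPrivilegeValue(NULL, SE_LOCK_MEMORY_NAME, &(info.privilege[0].Luid)) &&
       AdjustTokenPrivileges(token, FALSE, (PTOKEN_PRIVILEGES) &info, 0, NULL, NULL) &&
       GetLastError() == ERROR_SUCCESS)
        ok = TRUE;

    CloseHandle(token);
    return ok;
}
#endif

/* Allocate this thread's 2 MiB scratchpad, preferring large/huge pages and
 * falling back to malloc().  Idempotent: a second call is a no-op.
 * hp_allocated is set only once the corresponding allocation has succeeded,
 * so slow_hash_free_state() always uses the matching release call.  If even
 * malloc() fails, hp_state stays NULL; cn_slow_hash() checks for that.
 *
 * NOTE(review): the main loop does aligned 128-bit loads/stores on hp_state.
 * mmap/VirtualAlloc return page-aligned memory, but malloc() only guarantees
 * the platform's fundamental alignment (8 bytes on some 32-bit C runtimes) —
 * confirm, or switch the fallback to an aligned allocator and its matching
 * free. */
void slow_hash_allocate_state(void)
{
    if(hp_state != NULL)
        return;

#if defined(_MSC_VER)
    /* Without the privilege the large-page allocation fails and we fall
     * through to malloc(), so the return value is deliberately ignored. */
    SetLockPagesPrivilege(GetCurrentProcess(), TRUE);
    hp_state = (uint8_t *) VirtualAlloc(NULL, MEMORY, MEM_LARGE_PAGES |
                                        MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    /* fd is -1 for anonymous mappings: Linux ignores it, but FreeBSD and
     * other implementations reject anything else. */
#if defined(__APPLE__) || defined(__FreeBSD__)
    hp_state = mmap(0, MEMORY, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANON, -1, 0);
#else
    hp_state = mmap(0, MEMORY, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);
#endif
    if(hp_state == MAP_FAILED)
        hp_state = NULL;
#endif

    if(hp_state != NULL)
    {
        hp_allocated = 1;
        return;
    }

    hp_allocated = 0;
    hp_state = (uint8_t *) malloc(MEMORY);
}

/* Release this thread's scratchpad with the call matching how it was
 * obtained, and reset both thread-locals.  Safe to call when nothing is
 * allocated. */
void slow_hash_free_state(void)
{
    if(hp_state == NULL)
        return;

    if(!hp_allocated)
        free(hp_state);
    else
    {
#if defined(_MSC_VER)
        /* MEM_RELEASE requires dwSize == 0; passing MEMORY makes the call
         * fail with ERROR_INVALID_PARAMETER and leaks the region. */
        VirtualFree(hp_state, 0, MEM_RELEASE);
#else
        munmap(hp_state, MEMORY);
#endif
    }

    hp_state = NULL;
    hp_allocated = 0;
}

/* Compute the CryptoNight slow hash of data[0..length) into hash, which must
 * be sized for the extra hashes' output (32 bytes upstream — confirm in
 * hash-ops.h).  Uses this thread's scratchpad (allocating it on demand) and
 * aborts if no scratchpad can be obtained, since the alternative is writing
 * through a null pointer.  Hardware and software AES paths must yield
 * identical results. */
void cn_slow_hash(const void *data, size_t length, char *hash)
{
    RDATA_ALIGN16 uint8_t expandedKey[240];  /* room for a full schedule; 11 keys are filled */
    uint8_t text[INIT_SIZE_BYTE];
    RDATA_ALIGN16 uint64_t a[2];
    RDATA_ALIGN16 uint64_t b[2];
    RDATA_ALIGN16 uint64_t c[2];
    union cn_slow_hash_state state;
    __m128i _a, _b, _c;
    uint64_t hi, lo;
    size_t i, j;
    uint64_t *p = NULL;
    oaes_ctx *aes_ctx = NULL;                /* software-AES path only */
    int useAes = check_aes_hw();

    static void (*const extra_hashes[4])(const void *, size_t, char *) =
    {
        hash_extra_blake, hash_extra_groestl, hash_extra_jh, hash_extra_skein
    };

    /* Callers are expected to have called slow_hash_allocate_state();
     * guard against the ones that did not. */
    if(hp_state == NULL)
        slow_hash_allocate_state();
    if(hp_state == NULL)
        abort();

    /* Step 1: Keccak the input.  The state doubles as key material (k) and
     * as the initial 128-byte text block (init). */
    hash_process(&state.hs, data, length);
    memcpy(text, state.init, INIT_SIZE_BYTE);

    /* Step 2: fill the scratchpad, 128 bytes at a time, by repeatedly
     * pseudo-AES-encrypting text with keys derived from state bytes 0..31. */
    if(useAes)
    {
        aes_expand_key(state.hs.b, expandedKey);
        for(i = 0; i < MEMORY / INIT_SIZE_BYTE; i++)
        {
            aes_pseudo_round(text, text, expandedKey, INIT_SIZE_BLK);
            memcpy(&hp_state[i * INIT_SIZE_BYTE], text, INIT_SIZE_BYTE);
        }
    }
    else
    {
        aes_ctx = (oaes_ctx *) oaes_alloc();
        if(aes_ctx == NULL)   /* presumably NULL on allocation failure — confirm in oaes_lib */
            abort();
        oaes_key_import_data(aes_ctx, state.hs.b, AES_KEY_SIZE);
        for(i = 0; i < MEMORY / INIT_SIZE_BYTE; i++)
        {
            for(j = 0; j < INIT_SIZE_BLK; j++)
                aesb_pseudo_round(&text[AES_BLOCK_SIZE * j], &text[AES_BLOCK_SIZE * j], aes_ctx->key->exp_data);

            memcpy(&hp_state[i * INIT_SIZE_BYTE], text, INIT_SIZE_BYTE);
        }
    }

    /* Step 3: a = k[0..15] ^ k[32..47], b = k[16..31] ^ k[48..63], then
     * ITER/2 double steps; each pre_aes/post_aes pair is one step. */
    a[0] = U64(&state.k[0])[0] ^ U64(&state.k[32])[0];
    a[1] = U64(&state.k[0])[1] ^ U64(&state.k[32])[1];
    b[0] = U64(&state.k[16])[0] ^ U64(&state.k[48])[0];
    b[1] = U64(&state.k[16])[1] ^ U64(&state.k[48])[1];

    _b = _mm_load_si128(R128(b));

    /* The hardware/software branch is hoisted out of the loop because
     * branching inside it measurably slows the loop down. */
    if(useAes)
    {
        for(i = 0; i < ITER / 2; i++)
        {
            pre_aes();
            _c = _mm_aesenc_si128(_c, _a);
            post_aes();
        }
    }
    else
    {
        for(i = 0; i < ITER / 2; i++)
        {
            pre_aes();
            aesb_single_round((uint8_t *) &_c, (uint8_t *) &_c, (uint8_t *) &_a);
            post_aes();
        }
    }

    /* Step 4: fold the whole scratchpad back into text with the pseudo-AES
     * keyed by state bytes 32..63, xoring each scratchpad chunk in first. */
    memcpy(text, state.init, INIT_SIZE_BYTE);
    if(useAes)
    {
        aes_expand_key(&state.hs.b[32], expandedKey);
        for(i = 0; i < MEMORY / INIT_SIZE_BYTE; i++)
        {
            aes_pseudo_round_xor(text, text, expandedKey, &hp_state[i * INIT_SIZE_BYTE], INIT_SIZE_BLK);
        }
    }
    else
    {
        oaes_key_import_data(aes_ctx, &state.hs.b[32], AES_KEY_SIZE);
        for(i = 0; i < MEMORY / INIT_SIZE_BYTE; i++)
        {
            for(j = 0; j < INIT_SIZE_BLK; j++)
            {
                xor_blocks(&text[j * AES_BLOCK_SIZE], &hp_state[i * INIT_SIZE_BYTE + j * AES_BLOCK_SIZE]);
                aesb_pseudo_round(&text[AES_BLOCK_SIZE * j], &text[AES_BLOCK_SIZE * j], aes_ctx->key->exp_data);
            }
        }
        oaes_free((OAES_CTX **) &aes_ctx);
    }

    /* Step 5: write text back into the state, permute, and finish with the
     * extra hash selected by the low two bits of the first state byte. */
    memcpy(state.init, text, INIT_SIZE_BYTE);
    hash_permutation(&state.hs);
    extra_hashes[state.hs.b[0] & 3](&state, 200, hash);
}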