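;; sha1Init [Cryptography]
;;  Allocates a memory block to keep the state and result of
;;  a SHA1 hash operation. The result is kept in the first 20 bytes
;;  of the allocated block. You must use [[sha1Clean]] to deallocate
;;  the block; simply using [[free]] will result in a memory leak!
;; Outputs:
;;  Z: Set on success, reset on failure
;;  A: Error code (on failure)
;;  IX: location of allocated block (on success)
; Two allocations are made: the state block (sha1Memblock_size bytes) and a
; separate 320-byte message-schedule buffer whose address is stored in the
; state block. If the second allocation fails, the state block is released
; again so that a failed call does not leak memory.
; Note: SHA-1 is no longer collision-resistant; use it for checksums and
; legacy formats, not for signatures or other new security designs.
sha1Init:
    push bc
    push de
    push hl
        ; State block: hash, length counter, working variables, pointers.
        ld bc, sha1Memblock_size
        ld a, 1
        call calloc
        jr nz, .fail
        ; Seed the first 20 bytes with the initial hash values h0..h4.
        push ix \ pop de
        ld bc, .defaultMemblock_copy_end - .defaultMemblock
        ld hl, .defaultMemblock
        ldir
        ; Message schedule: eighty 32-bit words = 320 bytes.
        push ix
            ld bc, 320
            ld a, 1
            call calloc
            jr nz, .fail_block          ; state block pointer is still on the stack
            push ix \ pop hl            ; HL = message-schedule buffer
        pop ix                          ; IX = state block
        ; Both pointers start at the front of the buffer.
        ld (ix + sha1_block_ptr), l
        ld (ix + sha1_block_ptr + 1), h
        ld (ix + sha1_block_front_ptr), l
        ld (ix + sha1_block_front_ptr + 1), h
        ; ld and pop leave the flags alone, so Z from calloc is what the caller sees.
.fail:
    pop hl
    pop de
    pop bc
    ret
.fail_block:
        ; Second allocation failed: release the state block and report the
        ; error from calloc (A and the reset Z flag) to the caller.
        pop ix                          ; IX = state block
        push af
            call free
        pop af
        jr .fail

; This is the default memblock.  Its
; state will be changed by the algorithm.
.defaultMemblock:
    ; Holds the completed hash.
.equ sha1_hash, $ - .defaultMemblock
    .db 0x67,0x45,0x23,0x01
    .db 0xEF,0xCD,0xAB,0x89
    .db 0x98,0xBA,0xDC,0xFE
    .db 0x10,0x32,0x54,0x76
    .db 0xC3,0xD2,0xE1,0xF0
.defaultMemblock_copy_end:
; Only the 20 bytes above are copied; the fields below exist only as offsets
; into the zero-filled block returned by calloc.
    ; The length of the input is kept here
sha1_length .equ $ - .defaultMemblock
    ; Keep these contiguous
sha1_temp .equ sha1_length + 8
sha1_a .equ sha1_temp + 4
sha1_b .equ sha1_a + 4
sha1_c .equ sha1_b + 4
sha1_d .equ sha1_c + 4
sha1_e .equ sha1_d + 4
sha1_f .equ sha1_e + 4
sha1_k .equ sha1_f + 4
sha1_f_op_ptr .equ sha1_k + 4
    ; Pointers to the SHA1 block are kept here
sha1_block_ptr .equ sha1_f_op_ptr + 2
sha1_block_front_ptr .equ sha1_block_ptr + 2
sha1Memblock_size .equ sha1_block_front_ptr + 2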
;; sha1Clean [Cryptography]
;;  Safely deallocates a SHA1 state block allocated by
;;  sha1Init.
;; Inputs:
;;  IX: location of allocated block
; Frees the state block first, then the message-schedule buffer it pointed to.
; IX is restored on exit, so it still holds the address of the freed block.
; NOTE(review): HL is read after the first call to free, so this relies on
; free leaving HL intact - confirm against the allocator.
; NOTE(review): neither block is cleared before it is released; callers that
; hash secret data may want to overwrite the state first.
sha1Clean:
    push hl
        ; Fetch the buffer address while the state block is still allocated.
        ld l, (ix + sha1_block_front_ptr)
        ld h, (ix + sha1_block_front_ptr + 1)
        push ix
            call free                   ; state block
            push hl \ pop ix
            call free                   ; message-schedule buffer
        pop ix
    pop hl
    ret
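;; sha1Pad [Cryptography]
;;  Finishes the SHA1 computation by appending the
;;  required bits to the input. Call this routine once after
;;  calling [[sha1AddByte]] for each input byte. After this routine,
;;  the 20 bytes pointed to by IX will contain the big-endian
;;  SHA1 hash.
;; Inputs:
;;  IX: location of SHA1 state block
sha1Pad:
    push af
    push de
    push hl
    push bc                             ; sha1Pad_noPush and sha1ProcessBlock overwrite BC
        call sha1Pad_noPush
    pop bc
    jr sha1AddByte_pop                  ; shared epilogue: pops HL, DE, AF and returns

; sha1Pad_noPush
; Does the padding work without saving any registers.
; Inputs:   IX = SHA1 state block
; Clobbers: AF, BC, DE, HL
sha1Pad_noPush:
    ; append the bit '1' to the message
    ; append 0 <= k < 512 bits '0', so that the resulting message length (in bits)
    ;   is congruent to 448 = -64 (mod 512)
    ld a, 0x80
.zero:
    call sha1AddByte_noLength           ; does not touch the length counter
    ; Stop once the write pointer sits 56 bytes into the chunk. Only the low
    ; bytes of the two pointers are compared.
    ld a, (ix + sha1_block_front_ptr)
    add a, 56
    cp (ix + sha1_block_ptr)
    ld a, 0x00                          ; ld keeps the flags from cp; xor a would not
    jr nz, .zero
    ; append length of message (before padding), in bits, as 64-bit big-endian integer
    push ix \ pop hl
    ld de, sha1_length
    add hl, de                          ; HL = source: the 8-byte length counter
    ld e, (ix + sha1_block_ptr)
    ld d, (ix + sha1_block_ptr + 1)     ; DE = destination: bytes 56..63 of the chunk
    ld bc, 8
    ldir
    jr sha1ProcessBlock                 ; tail call: hash the final chunk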
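;; sha1AddByte [Cryptography]
;;  Adds a single byte to the SHA1 hash input stream.
;;  Call this function once for each byte in the input
;;  stream, then call [[sha1Pad]].
;; Inputs:
;;  IX: location of SHA1 state block
;;  A: Byte to add
sha1AddByte:
    push af
    push de
    push hl
    ; Every 64th byte completes a chunk and runs sha1ProcessBlock, which
    ; overwrites BC; save it so the caller's BC survives every call.
    push bc
        call sha1AddByte_noPush
    pop bc
sha1AddByte_pop:
    ; Shared epilogue: sha1Pad jumps here with HL, DE and AF still on the stack.
    pop hl
    pop de
    pop af
    ret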
; sha1AddByte_noPush
; Adds the byte in A to the hash and counts it in the message length.
; Inputs:   IX = SHA1 state block, A = byte to add
; Clobbers: AF, DE; also BC and HL whenever the byte completes a 64-byte chunk
;           (execution then falls through into sha1ProcessBlock).
sha1AddByte_noPush:
    push af
        ; The length is a 64-bit big-endian bit count: add 8 to the lowest byte.
        ld a, (ix + sha1_length + 7)
        add a, 8
        ld (ix + sha1_length + 7), a
        jr nc, .length_ok
        ; Ripple the carry upwards: each pass steps IX back one byte, so the
        ; same displacement addresses the next more significant byte.
        push ix
_:          dec ix
            inc (ix + sha1_length + 7)
            jr z, -_
        pop ix
.length_ok:
    pop af
; sha1AddByte_noLength
; Same as above but leaves the length counter alone (used for padding bytes).
sha1AddByte_noLength:
    ld e, (ix + sha1_block_ptr)
    ld d, (ix + sha1_block_ptr + 1)
    ld (de), a                          ; store the byte at the write pointer
    inc de
    ld (ix + sha1_block_ptr + 1), d
    ld (ix + sha1_block_ptr), e
    ; Chunk is full when the write pointer is 64 bytes past the front; only
    ; the low bytes of the pointers are compared.
    ld a, (ix + sha1_block_front_ptr)
    add a, 64
    cp e
    ret nz
    ; Chunk complete: fall through into sha1ProcessBlock.
; sha1ProcessBlock
; Runs the SHA-1 compression function over the 64-byte chunk at the front of
; the message-schedule buffer and adds the result into the hash at IX.
; Reached by fall-through from sha1AddByte_noLength when a chunk fills up, and
; by a jump from sha1Pad_noPush for the final chunk.
; Inputs:   IX = SHA1 state block
; Effects:  sha1_block_ptr is reset to sha1_block_front_ptr before returning.
; Clobbers: AF, BC, DE, HL. IY is saved on entry and restored before the ret.
sha1ProcessBlock:
; Extend the sixteen 32-bit words into eighty 32-bit words:
; for i from 16 to 79
; w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) leftrotate 1
ld l, (ix + sha1_block_front_ptr)
ld h, (ix + sha1_block_front_ptr + 1)
ld bc, 63
add hl, bc
; Old IY goes onto the stack; IY = front + 63, the last byte of w[15].
push hl \ ex (sp), iy
; C counts the 64 words still to generate (w[16]..w[79]).
ld c, 64
.extend:
ld b, 4
.extend_inner:
; One byte of w[i] per pass: the displacements -12/-32/-56/-64 reach the
; matching byte of w[i-3], w[i-8], w[i-14] and w[i-16].
inc iy
ld a, (iy + -12)
xor (iy + -32)
xor (iy + -56)
xor (iy + -64)
ld (iy), a
djnz .extend_inner
; IY and HL now point at the last (least significant) byte of w[i].
push iy \ pop hl
; rlca puts the top bit of the most significant byte into carry, so the four
; rl instructions below rotate the whole 32-bit word left by one.
ld a, (iy + -3)
rlca
rl (hl) \ dec hl
rl (hl) \ dec hl
rl (hl) \ dec hl
rl (hl) \ dec hl
dec c
jr nz, .extend
; Initialize hash value for this chunk:
; a = h0
; b = h1
; c = h2
; d = h3
; e = h4
push ix \ pop hl
; Unneeded because the sha1_hash offset is 0!
;ld de, sha1_hash
;add hl, de
push hl
ld de, sha1_a - sha1_hash
add hl, de
ex de, hl
pop hl
; HL = hash (source), DE = working variable a (destination), 20 bytes.
ld bc, 20
ldir
; Main loop
; sha1_block_ptr starts one byte before the buffer; each round adds 4 to it
; first, so it then points at the last byte of the current w[i].
ld l, (ix + sha1_block_front_ptr)
ld h, (ix + sha1_block_front_ptr + 1)
dec hl
ld (ix + sha1_block_ptr), l
ld (ix + sha1_block_ptr + 1), h
; Four groups of 20 rounds. HL selects the f routine; the 4 bytes after each
; call are that group's round constant k, which sha1Do20Rounds reads through
; its return address and then skips.
ld hl, sha1Operation_mux \ call sha1Do20Rounds \ .db 0x5A,0x82,0x79,0x99
ld hl, sha1Operation_xor \ call sha1Do20Rounds \ .db 0x6E,0xD9,0xEB,0xA1
ld hl, sha1Operation_maj \ call sha1Do20Rounds \ .db 0x8F,0x1B,0xBC,0xDC
ld hl, sha1Operation_xor \ call sha1Do20Rounds \ .db 0xCA,0x62,0xC1,0xD6
; Add this chunk's hash to result so far
; h0 += a
; h1 += b
; h2 += c
; h3 += d
; h4 += e
push bc
; Perhaps this could be improved.
push ix \ pop de \ push de \ pop hl
ld bc, 19 + sha1_hash
add hl, bc
ex de, hl
ld bc, 19 + sha1_a
add hl, bc
pop bc
; DE = last byte of h4, HL = last byte of e. Each sha1_32BitAdd call adds one
; word and leaves both pointers on the last byte of the previous word.
ld c, 5
.add_result:
call sha1_32BitAdd
dec c
jr nz, .add_result
; Rewind the write pointer so the next chunk starts at the front.
ld l, (ix + sha1_block_front_ptr)
ld h, (ix + sha1_block_front_ptr + 1)
ld (ix + sha1_block_ptr), l
ld (ix + sha1_block_ptr + 1), h
pop iy
ret
; sha1Do20Rounds
; Runs 20 SHA-1 rounds with one f routine and one round constant.
; Inputs:   IX = SHA1 state block
;           HL = address of the f routine (one of the sha1Operation_* labels)
;           The 4 bytes that follow the call instruction are the constant k.
; Effects:  updates sha1_temp, sha1_a..sha1_f, sha1_k, sha1_f_op_ptr and
;           advances sha1_block_ptr by 4 per round.
; Clobbers: AF, BC, DE, HL
; Returns to the instruction after the 4 inline constant bytes.
sha1Do20Rounds:
ld (ix + sha1_f_op_ptr), l
ld (ix + sha1_f_op_ptr + 1), h
ld de, sha1_k
push ix \ pop hl
add hl, de
ex de, hl
; DE = IX + sha1_k. The pop takes the return address, which points at the
; inline constant; after ldir HL is just past it and becomes the new return
; address.
pop hl
ld bc, 4
ldir
push hl
ld b, 20
.rounds:
push bc
; f = <some operation involving b, c, and d>
call .do_f_operation
; temp = (a leftrotate 5) + f + e + k + w[i]
ld bc, 4
push ix \ pop hl
ld de, sha1_temp
add hl, de
push hl \ pop de
add hl, bc ; HACK! This is the correct value to get HL to sha1_a
; Copy a into temp (sha1_a sits 4 bytes after sha1_temp).
ldir
; Rotate temp left by 5: the four rrca move the top nibble of the first byte
; into A's low nibble and leave bit 3 of that byte in carry. For each byte,
; last one first, rld shifts it left by a nibble through A and rl shifts it
; one more bit through carry.
ld a, (ix + sha1_temp)
rrca
rrca
rrca
rrca
; AF is saved because add hl, de below changes the carry flag.
push af
ld de, sha1_temp + 3
push ix \ pop hl
add hl, de
pop af
rld \ rl (hl) \ dec hl
rld \ rl (hl) \ dec hl
rld \ rl (hl) \ dec hl
rld \ rl (hl)
ld de, 3 + (sha1_k - sha1_temp) ; Undo the three DECs we just did (HL now
; at sha1_temp + 3), then add difference
add hl, de ; to get to sha1_k + 3.
; Each call adds the word whose last byte is at HL into temp and moves HL
; back by 4, which is why k, f and e must sit next to each other.
call sha1AddToTemp ; k
call sha1AddToTemp ; f
call sha1AddToTemp ; e
; Step sha1_block_ptr to the last byte of the next w[i] and add that word.
ld l, (ix + sha1_block_ptr)
ld h, (ix + sha1_block_ptr + 1)
inc hl
inc hl
inc hl
inc hl
ld (ix + sha1_block_ptr), l
ld (ix + sha1_block_ptr + 1), h
call sha1AddToTemp
; e = d
; d = c
; c = b leftrotate 30
; b = a
; a = temp
; One descending 20-byte copy moves temp, a, b, c, d up by one word each.
push ix \ pop hl
ld bc, sha1_d + 3
add hl, bc
push hl \ pop de
inc de \ inc de \ inc de \ inc de ; sha1_e - sha1_d = 4 bytes
ld bc, 20
lddr
; leftrotate 30 is done as two rotate-rights by one. A starts as the last
; byte of c; each rrca feeds its low bit into carry for the rr chain, which
; runs from the first byte of c to the last.
ld a, (ix + sha1_c + 3)
ld b, 2
.ror2:
push bc
push ix \ pop hl
ld bc, sha1_c
add hl, bc
pop bc
rrca
rr (hl) \ inc hl
rr (hl) \ inc hl
rr (hl) \ inc hl
rr (hl)
djnz .ror2
pop bc
dec b
jp nz, .rounds
ret
; .do_f_operation
; Points IY at sha1_a, loads B with 4 (bytes per word) and jumps to the f
; routine stored in sha1_f_op_ptr. The caller's IY is left on the stack and is
; popped again at sha1Operation_done. DE is preserved; HL is overwritten.
.do_f_operation:
push ix
ex (sp), iy
ex de, hl
ld de, sha1_a
add iy, de
ex de, hl
ld l, (ix + sha1_f_op_ptr)
ld h, (ix + sha1_f_op_ptr + 1)
ld b, 4
jp (hl)
; The three f routines below are entered from .do_f_operation with
; IY = address of sha1_a and B = 4. Relative to IY the working variables are
; b at +4, c at +8, d at +12 and f at +20. Each pass handles one byte of the
; word and then advances IY.

sha1Operation_mux:
    ; f = (b & c) | (~b & d) = ((c ^ d) & b) ^ d
    ld a, (iy + 12)                     ; A = d
    ld c, a                             ; keep d for the final xor
    xor (iy + 8)                        ; d ^ c
    and (iy + 4)                        ; & b
    xor c                               ; ^ d
    ld (iy + 20), a
    inc iy
    djnz sha1Operation_mux
    jr sha1Operation_done

sha1Operation_xor:
    ; f = b ^ c ^ d
    ld a, (iy + 12)
    xor (iy + 8)
    xor (iy + 4)
    ld (iy + 20), a
    inc iy
    djnz sha1Operation_xor
    jr sha1Operation_done

sha1Operation_maj:
    ; f = (b & c) | (b & d) | (c & d)
    ;   = (b & c) | ((b | c) & d)
    ld d, (iy + 8)                      ; D = c
    ld c, (iy + 4)                      ; C = b
    ld a, d
    and c
    ld e, a                             ; E = b & c
    ld a, d
    or c
    and (iy + 12)                       ; (b | c) & d
    or e
    ld (iy + 20), a
    inc iy
    djnz sha1Operation_maj
    ; falls through into sha1Operation_done

sha1Operation_done:
    pop iy                              ; caller's IY, stacked by .do_f_operation
    ret
; sha1AddToTemp
; Adds the 32-bit big-endian word whose last byte is at HL into sha1_temp.
; Inputs:   IX = SHA1 state block, HL = last byte of the word to add
; Outputs:  HL moved back by 4 (last byte of the preceding word)
; Clobbers: AF, B, DE
sha1AddToTemp:
    ; DE = IX + sha1_temp + 3, with the caller's HL parked on the stack.
    push ix
    ex (sp), hl
    ld de, sha1_temp+3
    add hl, de
    ex de, hl
    pop hl
; sha1_32BitAdd
; (DE) += (HL) for two 32-bit big-endian words, both addressed by their last
; byte. On return DE and HL have each moved back by 4.
sha1_32BitAdd:
    ld b, 4
    or a                                ; start with carry clear
_:  ld a, (de)
    adc a, (hl)
    ld (de), a
    dec de                              ; 16-bit dec and djnz leave carry alone
    dec hl
    djnz -_
    ret
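;; sha1AddRange [Cryptography]
;;  Adds a range of bytes to a SHA1 hash. This
;;  routine is equivalent to, but faster than, calling
;;  [[sha1AddByte]] many times.
;; Inputs:
;;  IX: location of SHA1 state block
;;  HL: location of range to add
;;  BC: number of bytes to add
; A count of zero adds nothing. All registers are preserved.
sha1AddRange:
    push hl
    push de
    push bc
    push af
        ; Without this check a zero count would wrap and read 65536 bytes.
        ld a, b \ or c
        jr z, .done
_:      ld a, (hl)
        push hl
        ; sha1AddByte_noPush runs sha1ProcessBlock whenever a 64-byte chunk
        ; fills up, and that overwrites BC, so the remaining count has to be
        ; saved across the call.
        push bc
            call sha1AddByte_noPush
        pop bc
        pop hl
        dec bc
        inc hl
        ld a, b \ or c \ jr nz, -_
.done:
    pop af
    pop bc
    pop de
    pop hl
    ret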