| author | Anatol Pomozov
<anatolik@archlinux.org> 2021-07-20 17:18:09 UTC |
| committer | Anatol Pomozov
<anatolik@archlinux.org> 2021-07-20 17:18:09 UTC |
| parent | 1795dd1d68853ed70d1576ee05bbee81ae865106 |
| PKGBUILD | +5 | -12 |
| android-tools-gcc11.patch | +0 | -4065 |
diff --git a/PKGBUILD b/PKGBUILD index e63f18c..1898c37 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,24 +3,17 @@ # Contributor: Alucryd <alucryd at gmail dot com> pkgname=android-tools -pkgver=31.0.0 -_tag=${pkgver}p1 # https://github.com/nmeum/android-tools sometimes carries extra patch version on top of the upstream versioning -pkgrel=4 +pkgver=31.0.2 +_tag=${pkgver} # https://github.com/nmeum/android-tools sometimes carries extra patch version on top of the upstream versioning +pkgrel=1 pkgdesc='Android platform tools' arch=(x86_64) url='http://tools.android.com/' license=(Apache MIT) depends=(libusb protobuf brotli zstd android-udev) makedepends=(pcre2 gtest cmake go ninja git) -source=(https://github.com/nmeum/android-tools/releases/download/$_tag/android-tools-$_tag.tar.xz - android-tools-gcc11.patch) -sha256sums=('51a4c3ba5f16945905449c4bd2c1c781a4df7469f6b7362f8837f4f640d8c7b6' - '75fd8517769e5cb3b9a4b54c7d2d0b728537e35a42113531e8b7dfb6f296ea84') - -prepare() { - cd android-tools-$_tag - patch -d vendor/boringssl -p1 < ../android-tools-gcc11.patch -} +source=(https://github.com/nmeum/android-tools/releases/download/$_tag/android-tools-$_tag.tar.xz) +sha256sums=('61b3bf6c240cb0b4d0ccfef696c55986e06657843627df950fdcf6881af0f8d4') build() { cd android-tools-$_tag diff --git a/android-tools-gcc11.patch b/android-tools-gcc11.patch deleted file mode 100644 index cc95c55..0000000 --- a/android-tools-gcc11.patch +++ /dev/null @@ -1,4065 +0,0 @@ -From 139adff9b27eaf0bdaac664ec4c9a7db2fe3f920 Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Thu, 25 Mar 2021 01:41:51 -0400 -Subject: [PATCH] Fix mismatch between header and implementation of bn_sqr_comba8. - -Bug: 402 -Change-Id: I6de879f44f6e3eca26f2f49c500769d944fa9bc0 -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46404 -Reviewed-by: Adam Langley <agl@google.com> ---- - -diff --git a/crypto/fipsmodule/bn/internal.h b/crypto/fipsmodule/bn/internal.h -index 623e0c6..3d368db 100644 ---- a/crypto/fipsmodule/bn/internal.h -+++ b/crypto/fipsmodule/bn/internal.h -@@ -297,7 +297,7 @@ - void bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]); - - // bn_sqr_comba8 sets |r| to |a|^2. --void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[4]); -+void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]); - - // bn_sqr_comba4 sets |r| to |a|^2. - void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]); -From a24ab549e6ae246b391155d7bed3790ac0e07de2 Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Thu, 25 Mar 2021 15:26:25 -0400 -Subject: [PATCH] Use an unsized helper for truncated SHA-512 variants. - -Although it is strictly fine to call SHA512_Final in SHA384_Final -(array sizes in C parameters are purely decorational, according to the -language), GCC 11 reportedly checks now and gets upset about the size -mismatch. Use an unsized helper function so all our code matches the -specified bounds. - -Unfortunately, the bounds in all the functions are a bit misleading -because SHA512_Final really outputs based on sha->md_len (which Init -function you called) rather than which Final function. I've fixed this -places within a library where we mismatched and added asserts to the -smaller functions. SHA512_Final is assert-less because I've seen lots of -code use SHA384_Init / SHA512_Update / SHA512_Final. - -This doesn't fix the SHA256 variant since that is generated by a pile of -macros in a multiply-included file. This is probably a good opportunity -to make that code less macro-heavy. - -Update-Note: There is a small chance the asserts will trip something, -but hopefully not since I've left SHA512_Final alone. - -Bug: 402 -Change-Id: I4c9d579a63ee0a0dea103c19ef219c13bb9aa62c -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46405 -Reviewed-by: Adam Langley <agl@google.com> ---- - -diff --git a/crypto/fipsmodule/digest/digests.c b/crypto/fipsmodule/digest/digests.c -index 16daeba..f006ebb 100644 ---- a/crypto/fipsmodule/digest/digests.c -+++ b/crypto/fipsmodule/digest/digests.c -@@ -247,13 +247,21 @@ - CHECK(SHA512_256_Init(ctx->md_data)); - } - -+static void sha512_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) { -+ CHECK(SHA512_256_Update(ctx->md_data, data, count)); -+} -+ -+static void sha512_256_final(EVP_MD_CTX *ctx, uint8_t *md) { -+ CHECK(SHA512_256_Final(md, ctx->md_data)); -+} -+ - DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) { - out->type = NID_sha512_256; - out->md_size = SHA512_256_DIGEST_LENGTH; - out->flags = 0; - out->init = sha512_256_init; -- out->update = sha512_update; -- out->final = sha512_final; -+ out->update = sha512_256_update; -+ out->final = sha512_256_final; - out->block_size = 128; - out->ctx_size = sizeof(SHA512_CTX); - } -diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c -index fd02574..ba86c1e 100644 ---- a/crypto/fipsmodule/sha/sha512.c -+++ b/crypto/fipsmodule/sha/sha512.c -@@ -70,6 +70,8 @@ - // this writing, so there is no need for a common collector/padding - // implementation yet. - -+static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha); -+ - int SHA384_Init(SHA512_CTX *sha) { - sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8); - sha->h[1] = UINT64_C(0x629a292a367cd507); -@@ -146,8 +148,8 @@ - uint8_t out[SHA512_256_DIGEST_LENGTH]) { - SHA512_CTX ctx; - SHA512_256_Init(&ctx); -- SHA512_Update(&ctx, data, len); -- SHA512_Final(out, &ctx); -+ SHA512_256_Update(&ctx, data, len); -+ SHA512_256_Final(out, &ctx); - OPENSSL_cleanse(&ctx, sizeof(ctx)); - return out; - } -@@ -161,7 +163,8 @@ - int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) { - // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a - // |smaller output. -- return SHA512_Final(out, sha); -+ assert(sha->md_len == SHA384_DIGEST_LENGTH); -+ return sha512_final_impl(out, sha); - } - - int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) { -@@ -172,11 +175,11 @@ - return SHA512_Update(sha, data, len); - } - --int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], -- SHA512_CTX *sha) { -+int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) { - // |SHA512_256_Init| sets |sha->md_len| to |SHA512_256_DIGEST_LENGTH|, so this - // has a |smaller output. -- return SHA512_Final(out, sha); -+ assert(sha->md_len == SHA512_256_DIGEST_LENGTH); -+ return sha512_final_impl(out, sha); - } - - void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) { -@@ -232,6 +235,15 @@ - } - - int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) { -+ // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match -+ // the size hint, but calling code often pairs |SHA384_Init| with -+ // |SHA512_Final| and expects |sha->md_len| to carry the over. -+ // -+ // TODO(davidben): Add an assert and fix code to match them up. -+ return sha512_final_impl(out, sha); -+} -+ -+static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) { - uint8_t *p = sha->p; - size_t n = sha->num; - -From 8c31179d81081cc9b8ce5b5ac3151088c45042f7 Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Fri, 19 Mar 2021 11:53:48 -0400 -Subject: [PATCH] Fix unnecessarily direction-specific tests in cipher_tests.txt - -All our EVP_CIPHERs are deterministic, so there's usually no point in -testing only one direction. Some of the ECB tests were missing free -decryption tests. CTR is the same in both directions, but we ought to -test the API agrees. OFB vectors are doubled up, so we can merge them -together. Plus there are typos in the OFB-AES192.Decrypt tests, also -present upstream, so we weren't actually testing everything we should. - -(I haven't removed the direction-specific logic altogether since the -tests imported from nist_cavp rely on it. Though there may be something -to be said for running them both ways since they don't actually double -them up...) - -Change-Id: I36a77d342afa436e89ad244a87567e1a4c6ee9dc -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46284 -Reviewed-by: Adam Langley <agl@google.com> -Commit-Queue: David Benjamin <davidben@google.com> ---- - -diff --git a/crypto/cipher_extra/test/cipher_tests.txt b/crypto/cipher_extra/test/cipher_tests.txt -index ced7595..52fd4af 100644 ---- a/crypto/cipher_extra/test/cipher_tests.txt -+++ b/crypto/cipher_extra/test/cipher_tests.txt -@@ -109,7 +109,6 @@ - # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) - Cipher = AES-128-ECB - Key = 000102030405060708090A0B0C0D0E0F --Operation = ENCRYPT - Plaintext = 00112233445566778899AABBCCDDEEFF - Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A - -@@ -117,7 +116,6 @@ - # AES 256 ECB tests (from FIPS-197 test vectors, encrypt) - Cipher = AES-256-ECB - Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F --Operation = ENCRYPT - Plaintext = 00112233445566778899AABBCCDDEEFF - Ciphertext = 8EA2B7CA516745BFEAFC49904B496089 - -@@ -227,42 +225,36 @@ - Cipher = AES-128-CTR - Key = AE6852F8121067CC4BF7A5765577F39E - IV = 00000030000000000000000000000001 --Operation = ENCRYPT - Plaintext = 53696E676C6520626C6F636B206D7367 - Ciphertext = E4095D4FB7A7B3792D6175A3261311B8 - - Cipher = AES-128-CTR - Key = 7E24067817FAE0D743D6CE1F32539163 - IV = 006CB6DBC0543B59DA48D90B00000001 --Operation = ENCRYPT - Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F - Ciphertext = 5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28 - - Cipher = AES-128-CTR - Key = 7691BE035E5020A8AC6E618529F9A0DC - IV = 00E0017B27777F3F4A1786F000000001 --Operation = ENCRYPT - Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 - Ciphertext = C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F - - Cipher = AES-256-CTR - Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104 - IV = 00000060DB5672C97AA8F0B200000001 --Operation = ENCRYPT - Plaintext = 53696E676C6520626C6F636B206D7367 - Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0 - - Cipher = AES-256-CTR - Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884 - IV = 00FAAC24C1585EF15A43D87500000001 --Operation = ENCRYPT - Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F - Ciphertext = F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C - - Cipher = AES-256-CTR - Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D - IV = 001CC5B751A51D70A1C1114800000001 --Operation = ENCRYPT - Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 - Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8 - -@@ -270,7 +262,6 @@ - Cipher = AES-128-CTR - Key = 7E24067817FAE0D743D6CE1F32539163 - IV = 00000000000000007FFFFFFFFFFFFFFF --Operation = ENCRYPT - Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F - Ciphertext = A2D459477E6432BD74184B1B5370D2243CDC202BC43583B2A55D288CDBBD1E03 - -@@ -462,178 +453,78 @@ - - # OFB tests from OpenSSL upstream. - --# OFB-AES128.Encrypt -+# OFB-AES128 - Cipher = AES-128-OFB - Key = 2B7E151628AED2A6ABF7158809CF4F3C - IV = 000102030405060708090A0B0C0D0E0F --Operation = ENCRYPT - Plaintext = 6BC1BEE22E409F96E93D7E117393172A - Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A - - Cipher = AES-128-OFB - Key = 2B7E151628AED2A6ABF7158809CF4F3C - IV = 50FE67CC996D32B6DA0937E99BAFEC60 --Operation = ENCRYPT - Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 - Ciphertext = 7789508D16918F03F53C52DAC54ED825 - - Cipher = AES-128-OFB - Key = 2B7E151628AED2A6ABF7158809CF4F3C - IV = D9A4DADA0892239F6B8B3D7680E15674 --Operation = ENCRYPT - Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF - Ciphertext = 9740051E9C5FECF64344F7A82260EDCC - - Cipher = AES-128-OFB - Key = 2B7E151628AED2A6ABF7158809CF4F3C - IV = A78819583F0308E7A6BF36B1386ABF23 --Operation = ENCRYPT - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = 304C6528F659C77866A510D9C1D6AE5E - --# OFB-AES128.Decrypt --Cipher = AES-128-OFB --Key = 2B7E151628AED2A6ABF7158809CF4F3C --IV = 000102030405060708090A0B0C0D0E0F --Operation = DECRYPT --Plaintext = 6BC1BEE22E409F96E93D7E117393172A --Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A -- --Cipher = AES-128-OFB --Key = 2B7E151628AED2A6ABF7158809CF4F3C --IV = 50FE67CC996D32B6DA0937E99BAFEC60 --Operation = DECRYPT --Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 --Ciphertext = 7789508D16918F03F53C52DAC54ED825 -- --Cipher = AES-128-OFB --Key = 2B7E151628AED2A6ABF7158809CF4F3C --IV = D9A4DADA0892239F6B8B3D7680E15674 --Operation = DECRYPT --Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF --Ciphertext = 9740051E9C5FECF64344F7A82260EDCC -- --Cipher = AES-128-OFB --Key = 2B7E151628AED2A6ABF7158809CF4F3C --IV = A78819583F0308E7A6BF36B1386ABF23 --Operation = DECRYPT --Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 --Ciphertext = 304C6528F659C77866A510D9C1D6AE5E -- --# OFB-AES192.Encrypt -+# OFB-AES192 - Cipher = AES-192-OFB - Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B - IV = 000102030405060708090A0B0C0D0E0F --Operation = ENCRYPT - Plaintext = 6BC1BEE22E409F96E93D7E117393172A - Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174 - - Cipher = AES-192-OFB - Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B - IV = A609B38DF3B1133DDDFF2718BA09565E --Operation = ENCRYPT - Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 - Ciphertext = FCC28B8D4C63837C09E81700C1100401 - - Cipher = AES-192-OFB - Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B - IV = 52EF01DA52602FE0975F78AC84BF8A50 --Operation = ENCRYPT - Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF - Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2 - - Cipher = AES-192-OFB - Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B - IV = BD5286AC63AABD7EB067AC54B553F71D --Operation = ENCRYPT - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A - --# OFB-AES192.Decrypt --Cipher = AES-192-OFB --Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B --IV = 000102030405060708090A0B0C0D0E0F --Operation = ENCRYPT --Plaintext = 6BC1BEE22E409F96E93D7E117393172A --Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174 -- --Cipher = AES-192-OFB --Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B --IV = A609B38DF3B1133DDDFF2718BA09565E --Operation = ENCRYPT --Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 --Ciphertext = FCC28B8D4C63837C09E81700C1100401 -- --Cipher = AES-192-OFB --Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B --IV = 52EF01DA52602FE0975F78AC84BF8A50 --Operation = ENCRYPT --Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF --Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2 -- --Cipher = AES-192-OFB --Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B --IV = BD5286AC63AABD7EB067AC54B553F71D --Operation = ENCRYPT --Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 --Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A -- --# OFB-AES256.Encrypt -+# OFB-AES256 - Cipher = AES-256-OFB - Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 - IV = 000102030405060708090A0B0C0D0E0F --Operation = ENCRYPT - Plaintext = 6BC1BEE22E409F96E93D7E117393172A - Ciphertext = DC7E84BFDA79164B7ECD8486985D3860 - - Cipher = AES-256-OFB - Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 - IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A --Operation = ENCRYPT - Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 - Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D - - Cipher = AES-256-OFB - Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 - IV = E1C656305ED1A7A6563805746FE03EDC --Operation = ENCRYPT - Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF - Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408 - - Cipher = AES-256-OFB - Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 - IV = 41635BE625B48AFC1666DD42A09D96E7 --Operation = ENCRYPT --Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 --Ciphertext = 0126141D67F37BE8538F5A8BE740E484 -- -- --# OFB-AES256.Decrypt --Cipher = AES-256-OFB --Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 --IV = 000102030405060708090A0B0C0D0E0F --Operation = DECRYPT --Plaintext = 6BC1BEE22E409F96E93D7E117393172A --Ciphertext = DC7E84BFDA79164B7ECD8486985D3860 -- --Cipher = AES-256-OFB --Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 --IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A --Operation = DECRYPT --Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 --Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D -- --Cipher = AES-256-OFB --Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 --IV = E1C656305ED1A7A6563805746FE03EDC --Operation = DECRYPT --Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF --Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408 -- --Cipher = AES-256-OFB --Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 --IV = 41635BE625B48AFC1666DD42A09D96E7 --Operation = DECRYPT - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = 0126141D67F37BE8538F5A8BE740E484 - -@@ -667,7 +558,6 @@ - # AES-192-ECB tests from FIPS-197 - Cipher = AES-192-ECB - Key = 000102030405060708090A0B0C0D0E0F1011121314151617 --Operation = ENCRYPT - Plaintext = 00112233445566778899AABBCCDDEEFF - Ciphertext = DDA97CA4864CDFE06EAF70A0EC0D7191 - -From 502fceede9e9856ce9eb913d697490b58886ca38 Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Fri, 19 Mar 2021 12:15:49 -0400 -Subject: [PATCH] Test empty EVP_CIPHER inputs and fix exact memcpy overlap. - -See also 8129ac6ac4c0ca3a488c225cde580ede7dabe874 and -81198bf323ea9deda907714170d329ca7d2ff01f from upstream. - -In trying to figure out why ASan (which normally catches overlapping -memcpys) didn't flag this, I noticed that we actually don't have tests -for empty inputs. I've added them to cipher_tests.txt where missing and -fixed a bad assert in ofb.c. - -ASan still doesn't flag this because LLVM even requires memcpy handle -dst == src. Still, fixing it is less effort than getting a clear answer -from GCC and MSVC. Though this puts us in the frustrating position of -trying to follow a C rule that our main toolchain and sanitizer disavow. -https://bugs.llvm.org/show_bug.cgi?id=11763 -https://reviews.llvm.org/D86993 - -Change-Id: I53c64a84834ddf5cddca0b3d53a29998f666ea2f -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46285 -Commit-Queue: David Benjamin <davidben@google.com> -Reviewed-by: Adam Langley <agl@google.com> ---- - -diff --git a/crypto/cipher_extra/test/cipher_tests.txt b/crypto/cipher_extra/test/cipher_tests.txt -index 52fd4af..bf7325e 100644 ---- a/crypto/cipher_extra/test/cipher_tests.txt -+++ b/crypto/cipher_extra/test/cipher_tests.txt -@@ -29,6 +29,11 @@ - Plaintext = 00000000000000000000 - Ciphertext = d6a141a7ec3c38dfbd61 - -+Cipher = RC4 -+Key = ef012345ef012345ef012345ef012345 -+Plaintext = -+Ciphertext = -+ - - # DES EDE3 ECB tests - Cipher = DES-EDE3 -@@ -81,6 +86,11 @@ - Plaintext = cc7569d005afd1a365f5c5836c14475fc15091199902af4a78460d56c16f91ca - Ciphertext = 64db8af7a30363051a017cc92ed67ac6c0e2e1ffda0c94bbf0eeb803ba6b3d22 - -+Cipher = DES-EDE3 -+Key = 2e8eb05dd8a2b7a5a61a6b8a3830b12da2c4b1bea1e884d5 -+Plaintext = -+Ciphertext = -+ - - # DES EDE3 CBC tests (from destest) - Cipher = DES-EDE3-CBC -@@ -89,6 +99,12 @@ - Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 - Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 - -+Cipher = DES-EDE3-CBC -+Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 -+IV = fedcba9876543210 -+Plaintext = -+Ciphertext = -+ - - # DES EDE CBC tests - Cipher = DES-EDE-CBC -@@ -97,6 +113,12 @@ - Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 - Ciphertext = 7948C0DA4FE91CD815DCA96DBC9B60A857EB954F4DEB08EB98722642AE69257B - -+Cipher = DES-EDE-CBC -+Key = 0123456789abcdeff1e0d3c2b5a49786 -+IV = fedcba9876543210 -+Plaintext = -+Ciphertext = -+ - - # DES EDE tests - Cipher = DES-EDE -@@ -105,6 +127,12 @@ - Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 - Ciphertext = 22E889402E28422F8167AD279D90A566DA75B734E12C671FC2669AECB3E4FE8F - -+Cipher = DES-EDE -+Key = 0123456789abcdeff1e0d3c2b5a49786 -+IV = fedcba9876543210 -+Plaintext = -+Ciphertext = -+ - - # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) - Cipher = AES-128-ECB -@@ -112,6 +140,11 @@ - Plaintext = 00112233445566778899AABBCCDDEEFF - Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A - -+Cipher = AES-128-ECB -+Key = 000102030405060708090A0B0C0D0E0F -+Plaintext = -+Ciphertext = -+ - - # AES 256 ECB tests (from FIPS-197 test vectors, encrypt) - Cipher = AES-256-ECB -@@ -119,6 +152,11 @@ - Plaintext = 00112233445566778899AABBCCDDEEFF - Ciphertext = 8EA2B7CA516745BFEAFC49904B496089 - -+Cipher = AES-256-ECB -+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -+Plaintext = -+Ciphertext = -+ - - # AES tests from NIST document SP800-38A - # For all ECB encrypts and decrypts, the transformed sequence is -@@ -194,6 +232,12 @@ - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = 3FF1CAA1681FAC09120ECA307586E1A7 - -+Cipher = AES-128-CBC -+Key = 2B7E151628AED2A6ABF7158809CF4F3C -+IV = 73BED6B8E3C1743B7116E69E22229516 -+Plaintext = -+Ciphertext = -+ - - # CBC-AES256.Encrypt and CBC-AES256.Decrypt - Cipher = AES-256-CBC -@@ -220,6 +264,12 @@ - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = B2EB05E2C39BE9FCDA6C19078C6A9D1B - -+Cipher = AES-256-CBC -+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 -+IV = 39F23369A9D9BACFA530E26304231461 -+Plaintext = -+Ciphertext = -+ - - # AES Counter test vectors from RFC3686 - Cipher = AES-128-CTR -@@ -247,6 +297,12 @@ - Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0 - - Cipher = AES-256-CTR -+Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104 -+IV = 00000060DB5672C97AA8F0B200000001 -+Plaintext = -+Ciphertext = -+ -+Cipher = AES-256-CTR - Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884 - IV = 00FAAC24C1585EF15A43D87500000001 - Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -@@ -258,6 +314,12 @@ - Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 - Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8 - -+Cipher = AES-256-CTR -+Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D -+IV = 001CC5B751A51D70A1C1114800000001 -+Plaintext = -+Ciphertext = -+ - # Regression test for https://github.com/openssl/openssl/issues/1916. - Cipher = AES-128-CTR - Key = 7E24067817FAE0D743D6CE1F32539163 -@@ -478,6 +540,13 @@ - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = 304C6528F659C77866A510D9C1D6AE5E - -+Cipher = AES-128-OFB -+Key = 2B7E151628AED2A6ABF7158809CF4F3C -+IV = A78819583F0308E7A6BF36B1386ABF23 -+Plaintext = -+Ciphertext = -+ -+ - # OFB-AES192 - Cipher = AES-192-OFB - Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B -@@ -503,6 +572,13 @@ - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A - -+Cipher = AES-192-OFB -+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B -+IV = BD5286AC63AABD7EB067AC54B553F71D -+Plaintext = -+Ciphertext = -+ -+ - # OFB-AES256 - Cipher = AES-256-OFB - Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 -@@ -528,6 +604,12 @@ - Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 - Ciphertext = 0126141D67F37BE8538F5A8BE740E484 - -+Cipher = AES-256-OFB -+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 -+IV = 41635BE625B48AFC1666DD42A09D96E7 -+Plaintext = -+Ciphertext = -+ - - # AES-192 CBC-mode test from upstream OpenSSL. - Cipher = AES-192-CBC -@@ -619,3 +701,8 @@ - Key = FEDCBA9876543210 - Plaintext = 0123456789ABCDEF - Ciphertext = ED39D950FA74BCC4 -+ -+Cipher = DES-ECB -+Key = FEDCBA9876543210 -+Plaintext = -+Ciphertext = -diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c -index 3f1d777..750c575 100644 ---- a/crypto/fipsmodule/modes/cbc.c -+++ b/crypto/fipsmodule/modes/cbc.c -@@ -57,12 +57,15 @@ - void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const AES_KEY *key, uint8_t ivec[16], - block128_f block) { -+ assert(key != NULL && ivec != NULL); -+ if (len == 0) { -+ // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C. -+ return; -+ } -+ -+ assert(in != NULL && out != NULL); - size_t n; - const uint8_t *iv = ivec; -- -- assert(key != NULL && ivec != NULL); -- assert(len == 0 || (in != NULL && out != NULL)); -- - while (len >= 16) { - for (n = 0; n < 16; n += sizeof(size_t)) { - store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n)); -@@ -97,20 +100,25 @@ - void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, - const AES_KEY *key, uint8_t ivec[16], - block128_f block) { -- size_t n; -- union { -- size_t t[16 / sizeof(size_t)]; -- uint8_t c[16]; -- } tmp; -- - assert(key != NULL && ivec != NULL); -- assert(len == 0 || (in != NULL && out != NULL)); -+ if (len == 0) { -+ // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C. -+ return; -+ } -+ -+ assert(in != NULL && out != NULL); - - const uintptr_t inptr = (uintptr_t) in; - const uintptr_t outptr = (uintptr_t) out; - // If |in| and |out| alias, |in| must be ahead. - assert(inptr >= outptr || inptr + len <= outptr); - -+ size_t n; -+ union { -+ size_t t[16 / sizeof(size_t)]; -+ uint8_t c[16]; -+ } tmp; -+ - if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) { - // If |out| is at least two blocks behind |in| or completely disjoint, there - // is no need to decrypt to a temporary block. -diff --git a/crypto/fipsmodule/modes/ofb.c b/crypto/fipsmodule/modes/ofb.c -index 4c70ce6..9d73d8a 100644 ---- a/crypto/fipsmodule/modes/ofb.c -+++ b/crypto/fipsmodule/modes/ofb.c -@@ -60,7 +60,8 @@ - void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const AES_KEY *key, uint8_t ivec[16], unsigned *num, - block128_f block) { -- assert(in && out && key && ivec && num); -+ assert(key != NULL && ivec != NULL && num != NULL); -+ assert(len == 0 || (in != NULL && out != NULL)); - - unsigned n = *num; - -From 8d4c8fc41be567bca17ce7c15304dc06539a060a Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Mon, 29 Mar 2021 12:59:55 -0400 -Subject: [PATCH] Make words in crypto/fipsmodule/modes actually words. - -It's a little confusing to have load_word_le but actually use size_t -instead of crypto_word_t. - -NOTE: on some platforms, notably NaCl, crypto_word_t is larger than -size_t. (Do we still need to support this?) We don't have a good testing -story here, so I tested it by hacking up a 32-bit x86 build to think it -was OPENSSL_64_BIT. - -Change-Id: Ia0ce469e86803f22655fe2d9659a6a5db766429f -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46424 -Reviewed-by: Adam Langley <agl@google.com> ---- - -diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c -index 750c575..ee3a186 100644 ---- a/crypto/fipsmodule/modes/cbc.c -+++ b/crypto/fipsmodule/modes/cbc.c -@@ -67,7 +67,7 @@ - size_t n; - const uint8_t *iv = ivec; - while (len >= 16) { -- for (n = 0; n < 16; n += sizeof(size_t)) { -+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { - store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n)); - } - (*block)(out, out, key); -@@ -115,19 +115,19 @@ - - size_t n; - union { -- size_t t[16 / sizeof(size_t)]; -+ crypto_word_t t[16 / sizeof(crypto_word_t)]; - uint8_t c[16]; - } tmp; - - if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) { - // If |out| is at least two blocks behind |in| or completely disjoint, there - // is no need to decrypt to a temporary block. -- OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0, -+ OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0, - "block cannot be evenly divided into words"); - const uint8_t *iv = ivec; - while (len >= 16) { - (*block)(in, out, key); -- for (n = 0; n < 16; n += sizeof(size_t)) { -+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { - store_word_le(out + n, load_word_le(out + n) ^ load_word_le(iv + n)); - } - iv = in; -@@ -137,15 +137,15 @@ - } - OPENSSL_memcpy(ivec, iv, 16); - } else { -- OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0, -+ OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0, - "block cannot be evenly divided into words"); - - while (len >= 16) { - (*block)(in, tmp.c, key); -- for (n = 0; n < 16; n += sizeof(size_t)) { -- size_t c = load_word_le(in + n); -- store_word_le(out + n, -- tmp.t[n / sizeof(size_t)] ^ load_word_le(ivec + n)); -+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { -+ crypto_word_t c = load_word_le(in + n); -+ store_word_le( -+ out + n, tmp.t[n / sizeof(crypto_word_t)] ^ load_word_le(ivec + n)); - store_word_le(ivec + n, c); - } - len -= 16; -diff --git a/crypto/fipsmodule/modes/cfb.c b/crypto/fipsmodule/modes/cfb.c -index 8ca9004..01291c8 100644 ---- a/crypto/fipsmodule/modes/cfb.c -+++ b/crypto/fipsmodule/modes/cfb.c -@@ -72,8 +72,8 @@ - } - while (len >= 16) { - (*block)(ivec, ivec, key); -- for (; n < 16; n += sizeof(size_t)) { -- size_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n); -+ for (; n < 16; n += sizeof(crypto_word_t)) { -+ crypto_word_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n); - store_word_le(ivec + n, tmp); - store_word_le(out + n, tmp); - } -@@ -101,8 +101,8 @@ - } - while (len >= 16) { - (*block)(ivec, ivec, key); -- for (; n < 16; n += sizeof(size_t)) { -- size_t t = load_word_le(in + n); -+ for (; n < 16; n += sizeof(crypto_word_t)) { -+ crypto_word_t t = load_word_le(in + n); - store_word_le(out + n, load_word_le(ivec + n) ^ t); - store_word_le(ivec + n, t); - } -diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c -index 8b0e059..cfb2184 100644 ---- a/crypto/fipsmodule/modes/ctr.c -+++ b/crypto/fipsmodule/modes/ctr.c -@@ -69,8 +69,8 @@ - } while (n); - } - --OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0, -- "block cannot be divided into size_t"); -+OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0, -+ "block cannot be divided into crypto_word_t"); - - // The input encrypted as though 128bit counter mode is being used. The extra - // state information to record how much of the 128bit block we have used is -@@ -102,7 +102,7 @@ - while (len >= 16) { - (*block)(ivec, ecount_buf, key); - ctr128_inc(ivec); -- for (n = 0; n < 16; n += sizeof(size_t)) { -+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { - store_word_le(out + n, - load_word_le(in + n) ^ load_word_le(ecount_buf + n)); - } -diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c -index 14fff86..077369d 100644 ---- a/crypto/fipsmodule/modes/gcm.c -+++ b/crypto/fipsmodule/modes/gcm.c -@@ -73,7 +73,7 @@ - - #if defined(GHASH_ASM_X86_64) || defined(GHASH_ASM_X86) - static inline void gcm_reduce_1bit(u128 *V) { -- if (sizeof(size_t) == 8) { -+ if (sizeof(crypto_word_t) == 8) { - uint64_t T = UINT64_C(0xe100000000000000) & (0 - (V->hi & 1)); - V->hi = (V->lo << 63) | (V->hi >> 1); - V->lo = (V->lo >> 1) ^ T; -@@ -377,9 +377,9 @@ - (*block)(ctx->Yi.c, ctx->EKi.c, key); - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); -- for (size_t i = 0; i < 16; i += sizeof(size_t)) { -- store_word_le(out + i, -- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); -+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -+ store_word_le(out + i, load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -@@ -394,9 +394,9 @@ - (*block)(ctx->Yi.c, ctx->EKi.c, key); - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); -- for (size_t i = 0; i < 16; i += sizeof(size_t)) { -- store_word_le(out + i, -- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); -+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -+ store_word_le(out + i, load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -@@ -468,9 +468,9 @@ - (*block)(ctx->Yi.c, ctx->EKi.c, key); - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); -- for (size_t i = 0; i < 16; i += sizeof(size_t)) { -- store_word_le(out + i, -- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); -+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -+ store_word_le(out + i, load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -@@ -485,9 +485,9 @@ - (*block)(ctx->Yi.c, ctx->EKi.c, key); - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); -- for (size_t i = 0; i < 16; i += sizeof(size_t)) { -- store_word_le(out + i, -- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); -+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -+ store_word_le(out + i, load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h -index 2693fa6..bf25023 100644 ---- a/crypto/fipsmodule/modes/internal.h -+++ b/crypto/fipsmodule/modes/internal.h -@@ -75,13 +75,13 @@ - OPENSSL_memcpy(out, &v, sizeof(v)); - } - --static inline size_t load_word_le(const void *in) { -- size_t v; -+static inline crypto_word_t load_word_le(const void *in) { -+ crypto_word_t v; - OPENSSL_memcpy(&v, in, sizeof(v)); - return v; - } - --static inline void store_word_le(void *out, size_t v) { -+static inline void store_word_le(void *out, crypto_word_t v) { - OPENSSL_memcpy(out, &v, sizeof(v)); - } - -@@ -171,7 +171,7 @@ - uint64_t u[2]; - uint32_t d[4]; - uint8_t c[16]; -- size_t t[16 / sizeof(size_t)]; -+ crypto_word_t t[16 / sizeof(crypto_word_t)]; - } Yi, EKi, EK0, len, Xi; - - // Note that the order of |Xi| and |gcm_key| is fixed by the MOVBE-based, -From ca4598781a37b6d3f2f7a63593229cd7570a194f Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Mon, 29 Mar 2021 12:54:16 -0400 -Subject: [PATCH] Move load/store helpers to crypto/internal.h. - -We have loads of variations of these. Align them in one set. This avoids -the HOST_* macros defined by md32_common.h, so it'll be a little easier -to make it a more conventional header. - -Change-Id: Id47fe7b51a8f961bd87839f8146d8a5aa8027aa6 -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46425 -Reviewed-by: Adam Langley <agl@google.com> ---- - -diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h -index 07d39d9..a0634d1 100644 ---- a/crypto/fipsmodule/digest/md32_common.h -+++ b/crypto/fipsmodule/digest/md32_common.h -@@ -136,44 +136,6 @@ - #error "HASH_MAKE_STRING must be defined!" - #endif - --#if defined(DATA_ORDER_IS_BIG_ENDIAN) -- --#define HOST_c2l(c, l) \ -- do { \ -- (l) = (((uint32_t)(*((c)++))) << 24); \ -- (l) |= (((uint32_t)(*((c)++))) << 16); \ -- (l) |= (((uint32_t)(*((c)++))) << 8); \ -- (l) |= (((uint32_t)(*((c)++)))); \ -- } while (0) -- --#define HOST_l2c(l, c) \ -- do { \ -- *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \ -- *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \ -- *((c)++) = (uint8_t)(((l) >> 8) & 0xff); \ -- *((c)++) = (uint8_t)(((l)) & 0xff); \ -- } while (0) -- --#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) -- --#define HOST_c2l(c, l) \ -- do { \ -- (l) = (((uint32_t)(*((c)++)))); \ -- (l) |= (((uint32_t)(*((c)++))) << 8); \ -- (l) |= (((uint32_t)(*((c)++))) << 16); \ -- (l) |= (((uint32_t)(*((c)++))) << 24); \ -- } while (0) -- --#define HOST_l2c(l, c) \ -- do { \ -- *((c)++) = (uint8_t)(((l)) & 0xff); \ -- *((c)++) = (uint8_t)(((l) >> 8) & 0xff); \ -- *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \ -- *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \ -- } while (0) -- --#endif // DATA_ORDER -- - int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) { - const uint8_t *data = data_; - -@@ -247,13 +209,12 @@ - // Append a 64-bit length to the block and process it. - uint8_t *p = c->data + HASH_CBLOCK - 8; - #if defined(DATA_ORDER_IS_BIG_ENDIAN) -- HOST_l2c(c->Nh, p); -- HOST_l2c(c->Nl, p); -+ CRYPTO_store_u32_be(p, c->Nh); -+ CRYPTO_store_u32_be(p + 4, c->Nl); - #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) -- HOST_l2c(c->Nl, p); -- HOST_l2c(c->Nh, p); -+ CRYPTO_store_u32_le(p, c->Nl); -+ CRYPTO_store_u32_le(p + 4, c->Nh); - #endif -- assert(p == c->data + HASH_CBLOCK); - HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); - c->num = 0; - OPENSSL_memset(c->data, 0, HASH_CBLOCK); -diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c -index cc2a631..0551664 100644 ---- a/crypto/fipsmodule/md4/md4.c -+++ b/crypto/fipsmodule/md4/md4.c -@@ -92,17 +92,16 @@ - #define HASH_UPDATE MD4_Update - #define HASH_TRANSFORM MD4_Transform - #define HASH_FINAL MD4_Final --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- uint32_t ll; \ -- ll = (c)->h[0]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[1]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[2]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[3]; \ -- HOST_l2c(ll, (s)); \ -+#define HASH_MAKE_STRING(c, s) \ -+ do { \ -+ CRYPTO_store_u32_le((s), (c)->h[0]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[1]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[2]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[3]); \ -+ (s) += 4; \ - } while (0) - #define HASH_BLOCK_DATA_ORDER md4_block_data_order - -@@ -136,7 +135,7 @@ - } while (0) - - void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) { -- uint32_t A, B, C, D, l; -+ uint32_t A, B, C, D; - uint32_t X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X12, X13, X14, X15; - - A = state[0]; -@@ -145,53 +144,53 @@ - D = state[3]; - - for (; num--;) { -- HOST_c2l(data, l); -- X0 = l; -- HOST_c2l(data, l); -- X1 = l; -+ X0 = CRYPTO_load_u32_le(data); -+ data += 4; -+ X1 = CRYPTO_load_u32_le(data); -+ data += 4; - // Round 0 - R0(A, B, C, D, X0, 3, 0); -- HOST_c2l(data, l); -- X2 = l; -+ X2 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X1, 7, 0); -- HOST_c2l(data, l); -- X3 = l; -+ X3 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X2, 11, 0); -- HOST_c2l(data, l); -- X4 = l; -+ X4 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(B, C, D, A, X3, 19, 0); -- HOST_c2l(data, l); -- X5 = l; -+ X5 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(A, B, C, D, X4, 3, 0); -- HOST_c2l(data, l); -- X6 = l; -+ X6 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X5, 7, 0); -- HOST_c2l(data, l); -- X7 = l; -+ X7 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X6, 11, 0); -- HOST_c2l(data, l); -- X8 = l; -+ X8 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(B, C, D, A, X7, 19, 0); -- HOST_c2l(data, l); -- X9 = l; -+ X9 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(A, B, C, D, X8, 3, 0); -- HOST_c2l(data, l); -- X10 = l; -+ X10 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X9, 7, 0); -- HOST_c2l(data, l); -- X11 = l; -+ X11 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X10, 11, 0); -- HOST_c2l(data, l); -- X12 = l; -+ X12 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(B, C, D, A, X11, 19, 0); -- HOST_c2l(data, l); -- X13 = l; -+ X13 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(A, B, C, D, X12, 3, 0); -- HOST_c2l(data, l); -- X14 = l; -+ X14 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X13, 7, 0); -- HOST_c2l(data, l); -- X15 = l; -+ X15 = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X14, 11, 0); - R0(B, C, D, A, X15, 19, 0); - // Round 1 -@@ -252,5 +251,3 @@ - #undef R0 - #undef R1 - #undef R2 --#undef HOST_c2l --#undef HOST_l2c -diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c -index a48d704..bd6bf6a 100644 ---- a/crypto/fipsmodule/md5/md5.c -+++ b/crypto/fipsmodule/md5/md5.c -@@ -98,17 +98,16 @@ - #define HASH_UPDATE MD5_Update - #define HASH_TRANSFORM MD5_Transform - #define HASH_FINAL MD5_Final --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- uint32_t ll; \ -- ll = (c)->h[0]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[1]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[2]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[3]; \ -- HOST_l2c(ll, (s)); \ -+#define HASH_MAKE_STRING(c, s) \ -+ do { \ -+ CRYPTO_store_u32_le((s), (c)->h[0]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[1]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[2]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[3]); \ -+ (s) += 4; \ - } while (0) - #define HASH_BLOCK_DATA_ORDER md5_block_data_order - -@@ -158,7 +157,7 @@ - #endif - static void md5_block_data_order(uint32_t *state, const uint8_t *data, - size_t num) { -- uint32_t A, B, C, D, l; -+ uint32_t A, B, C, D; - uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12, - XX13, XX14, XX15; - #define X(i) XX##i -@@ -169,53 +168,53 @@ - D = state[3]; - - for (; num--;) { -- HOST_c2l(data, l); -- X(0) = l; -- HOST_c2l(data, l); -- X(1) = l; -+ X(0) = CRYPTO_load_u32_le(data); -+ data += 4; -+ X(1) = CRYPTO_load_u32_le(data); -+ data += 4; - // Round 0 - R0(A, B, C, D, X(0), 7, 0xd76aa478L); -- HOST_c2l(data, l); -- X(2) = l; -+ X(2) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X(1), 12, 0xe8c7b756L); -- HOST_c2l(data, l); -- X(3) = l; -+ X(3) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X(2), 17, 0x242070dbL); -- HOST_c2l(data, l); -- X(4) = l; -+ X(4) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(B, C, D, A, X(3), 22, 0xc1bdceeeL); -- HOST_c2l(data, l); -- X(5) = l; -+ X(5) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(A, B, C, D, X(4), 7, 0xf57c0fafL); -- HOST_c2l(data, l); -- X(6) = l; -+ X(6) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X(5), 12, 0x4787c62aL); -- HOST_c2l(data, l); -- X(7) = l; -+ X(7) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X(6), 17, 0xa8304613L); -- HOST_c2l(data, l); -- X(8) = l; -+ X(8) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(B, C, D, A, X(7), 22, 0xfd469501L); -- HOST_c2l(data, l); -- X(9) = l; -+ X(9) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(A, B, C, D, X(8), 7, 0x698098d8L); -- HOST_c2l(data, l); -- X(10) = l; -+ X(10) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X(9), 12, 0x8b44f7afL); -- HOST_c2l(data, l); -- X(11) = l; -+ X(11) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X(10), 17, 0xffff5bb1L); -- HOST_c2l(data, l); -- X(12) = l; -+ X(12) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(B, C, D, A, X(11), 22, 0x895cd7beL); -- HOST_c2l(data, l); -- X(13) = l; -+ X(13) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(A, B, C, D, X(12), 7, 0x6b901122L); -- HOST_c2l(data, l); -- X(14) = l; -+ X(14) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(D, A, B, C, X(13), 12, 0xfd987193L); -- HOST_c2l(data, l); -- X(15) = l; -+ X(15) = CRYPTO_load_u32_le(data); -+ data += 4; - R0(C, D, A, B, X(14), 17, 0xa679438eL); - R0(B, C, D, A, X(15), 22, 0x49b40821L); - // Round 1 -@@ -297,5 +296,3 @@ - #undef R1 - #undef R2 - #undef R3 --#undef HOST_c2l --#undef HOST_l2c -diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c -index ee3a186..192580e 100644 ---- a/crypto/fipsmodule/modes/cbc.c -+++ b/crypto/fipsmodule/modes/cbc.c -@@ -52,6 +52,7 @@ - #include <openssl/type_check.h> - - #include "internal.h" -+#include "../../internal.h" - - - void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, -@@ -68,7 +69,8 @@ - const uint8_t *iv = ivec; - while (len >= 16) { - for (n = 0; n < 16; n += sizeof(crypto_word_t)) { -- store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n)); -+ CRYPTO_store_word_le( -+ out + n, CRYPTO_load_word_le(in + n) ^ CRYPTO_load_word_le(iv + n)); - } - (*block)(out, out, key); - iv = out; -@@ -128,7 +130,8 @@ - while (len >= 16) { - (*block)(in, out, key); - for (n = 0; n < 16; n += sizeof(crypto_word_t)) { -- store_word_le(out + n, load_word_le(out + n) ^ load_word_le(iv + n)); -+ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(out + n) ^ -+ CRYPTO_load_word_le(iv + n)); - } - iv = in; - len -= 16; -@@ -143,10 +146,10 @@ - while (len >= 16) { - (*block)(in, tmp.c, key); - for (n = 0; n < 16; n += sizeof(crypto_word_t)) { -- crypto_word_t c = load_word_le(in + n); -- store_word_le( -- out + n, tmp.t[n / sizeof(crypto_word_t)] ^ load_word_le(ivec + n)); -- store_word_le(ivec + n, c); -+ crypto_word_t c = CRYPTO_load_word_le(in + n); -+ CRYPTO_store_word_le(out + n, tmp.t[n / sizeof(crypto_word_t)] ^ -+ CRYPTO_load_word_le(ivec + n)); -+ CRYPTO_store_word_le(ivec + n, c); - } - len -= 16; - in += 16; -diff --git a/crypto/fipsmodule/modes/cfb.c b/crypto/fipsmodule/modes/cfb.c -index 01291c8..283a107 100644 ---- a/crypto/fipsmodule/modes/cfb.c -+++ b/crypto/fipsmodule/modes/cfb.c -@@ -73,9 +73,10 @@ - while (len >= 16) { - (*block)(ivec, ivec, key); - for (; n < 16; n += sizeof(crypto_word_t)) { -- crypto_word_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n); -- store_word_le(ivec + n, tmp); -- store_word_le(out + n, tmp); -+ crypto_word_t tmp = -+ CRYPTO_load_word_le(ivec + n) ^ CRYPTO_load_word_le(in + n); -+ CRYPTO_store_word_le(ivec + n, tmp); -+ CRYPTO_store_word_le(out + n, tmp); - } - len -= 16; - out += 16; -@@ -102,9 +103,9 @@ - while (len >= 16) { - (*block)(ivec, ivec, key); - for (; n < 16; n += sizeof(crypto_word_t)) { -- crypto_word_t t = load_word_le(in + n); -- store_word_le(out + n, load_word_le(ivec + n) ^ t); -- store_word_le(ivec + n, t); -+ crypto_word_t t = CRYPTO_load_word_le(in + n); -+ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(ivec + n) ^ t); -+ CRYPTO_store_word_le(ivec + n, t); - } - len -= 16; - out += 16; -diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c -index cfb2184..cea79ad 100644 ---- a/crypto/fipsmodule/modes/ctr.c -+++ b/crypto/fipsmodule/modes/ctr.c -@@ -52,6 +52,7 @@ - #include <string.h> - - #include "internal.h" -+#include "../../internal.h" - - - // NOTE: the IV/counter CTR mode is big-endian. The code itself -@@ -103,8 +104,8 @@ - (*block)(ivec, ecount_buf, key); - ctr128_inc(ivec); - for (n = 0; n < 16; n += sizeof(crypto_word_t)) { -- store_word_le(out + n, -- load_word_le(in + n) ^ load_word_le(ecount_buf + n)); -+ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(in + n) ^ -+ CRYPTO_load_word_le(ecount_buf + n)); - } - len -= 16; - out += 16; -@@ -152,7 +153,7 @@ - n = (n + 1) % 16; - } - -- ctr32 = GETU32(ivec + 12); -+ ctr32 = CRYPTO_load_u32_be(ivec + 12); - while (len >= 16) { - size_t blocks = len / 16; - // 1<<28 is just a not-so-small yet not-so-large number... -@@ -172,7 +173,7 @@ - } - (*func)(in, out, blocks, key, ivec); - // (*func) does not update ivec, caller does: -- PUTU32(ivec + 12, ctr32); -+ CRYPTO_store_u32_be(ivec + 12, ctr32); - // ... overflow was detected, propogate carry. - if (ctr32 == 0) { - ctr96_inc(ivec); -@@ -186,7 +187,7 @@ - OPENSSL_memset(ecount_buf, 0, 16); - (*func)(ecount_buf, ecount_buf, 1, key, ivec); - ++ctr32; -- PUTU32(ivec + 12, ctr32); -+ CRYPTO_store_u32_be(ivec + 12, ctr32); - if (ctr32 == 0) { - ctr96_inc(ivec); - } -diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c -index 077369d..b010cd5 100644 ---- a/crypto/fipsmodule/modes/gcm.c -+++ b/crypto/fipsmodule/modes/gcm.c -@@ -378,8 +378,9 @@ - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); - for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -- store_word_le(out + i, load_word_le(in + i) ^ -- ctx->EKi.t[i / sizeof(crypto_word_t)]); -+ CRYPTO_store_word_le(out + i, -+ CRYPTO_load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -@@ -395,8 +396,9 @@ - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); - for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -- store_word_le(out + i, load_word_le(in + i) ^ -- ctx->EKi.t[i / sizeof(crypto_word_t)]); -+ CRYPTO_store_word_le(out + i, -+ CRYPTO_load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -@@ -469,8 +471,9 @@ - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); - for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -- store_word_le(out + i, load_word_le(in + i) ^ -- ctx->EKi.t[i / sizeof(crypto_word_t)]); -+ CRYPTO_store_word_le(out + i, -+ CRYPTO_load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -@@ -486,8 +489,9 @@ - ++ctr; - ctx->Yi.d[3] = CRYPTO_bswap4(ctr); - for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { -- store_word_le(out + i, load_word_le(in + i) ^ -- ctx->EKi.t[i / sizeof(crypto_word_t)]); -+ CRYPTO_store_word_le(out + i, -+ CRYPTO_load_word_le(in + i) ^ -+ ctx->EKi.t[i / sizeof(crypto_word_t)]); - } - out += 16; - in += 16; -diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h -index bf25023..2fea558 100644 ---- a/crypto/fipsmodule/modes/internal.h -+++ b/crypto/fipsmodule/modes/internal.h -@@ -64,27 +64,6 @@ - #endif - - --static inline uint32_t GETU32(const void *in) { -- uint32_t v; -- OPENSSL_memcpy(&v, in, sizeof(v)); -- return CRYPTO_bswap4(v); --} -- --static inline void PUTU32(void *out, uint32_t v) { -- v = CRYPTO_bswap4(v); -- OPENSSL_memcpy(out, &v, sizeof(v)); --} -- --static inline crypto_word_t load_word_le(const void *in) { -- crypto_word_t v; -- OPENSSL_memcpy(&v, in, sizeof(v)); -- return v; --} -- --static inline void store_word_le(void *out, crypto_word_t v) { -- OPENSSL_memcpy(out, &v, sizeof(v)); --} -- - // block128_f is the type of an AES block cipher implementation. - // - // Unlike upstream OpenSSL, it and the other functions in this file hard-code -diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c -index 3b76194..2f50c67 100644 ---- a/crypto/fipsmodule/sha/sha1.c -+++ b/crypto/fipsmodule/sha/sha1.c -@@ -88,19 +88,18 @@ - #define HASH_CTX SHA_CTX - #define HASH_CBLOCK 64 - #define HASH_DIGEST_LENGTH 20 --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- uint32_t ll; \ -- ll = (c)->h[0]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[1]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[2]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[3]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[4]; \ -- HOST_l2c(ll, (s)); \ -+#define HASH_MAKE_STRING(c, s) \ -+ do { \ -+ CRYPTO_store_u32_be((s), (c)->h[0]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_be((s), (c)->h[1]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_be((s), (c)->h[2]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_be((s), (c)->h[3]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_be((s), (c)->h[4]); \ -+ (s) += 4; \ - } while (0) - - #define HASH_UPDATE SHA1_Update -@@ -193,7 +192,7 @@ - #if !defined(SHA1_ASM) - static void sha1_block_data_order(uint32_t *state, const uint8_t *data, - size_t num) { -- register uint32_t A, B, C, D, E, T, l; -+ register uint32_t A, B, C, D, E, T; - uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, - XX11, XX12, XX13, XX14, XX15; - -@@ -204,52 +203,52 @@ - E = state[4]; - - for (;;) { -- HOST_c2l(data, l); -- X(0) = l; -- HOST_c2l(data, l); -- X(1) = l; -+ X(0) = CRYPTO_load_u32_be(data); -+ data += 4; -+ X(1) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(0, A, B, C, D, E, T, X(0)); -- HOST_c2l(data, l); -- X(2) = l; -+ X(2) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(1, T, A, B, C, D, E, X(1)); -- HOST_c2l(data, l); -- X(3) = l; -+ X(3) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(2, E, T, A, B, C, D, X(2)); -- HOST_c2l(data, l); -- X(4) = l; -+ X(4) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(3, D, E, T, A, B, C, X(3)); -- HOST_c2l(data, l); -- X(5) = l; -+ X(5) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(4, C, D, E, T, A, B, X(4)); -- HOST_c2l(data, l); -- X(6) = l; -+ X(6) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(5, B, C, D, E, T, A, X(5)); -- HOST_c2l(data, l); -- X(7) = l; -+ X(7) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(6, A, B, C, D, E, T, X(6)); -- HOST_c2l(data, l); -- X(8) = l; -+ X(8) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(7, T, A, B, C, D, E, X(7)); -- HOST_c2l(data, l); -- X(9) = l; -+ X(9) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(8, E, T, A, B, C, D, X(8)); -- HOST_c2l(data, l); -- X(10) = l; -+ X(10) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(9, D, E, T, A, B, C, X(9)); -- HOST_c2l(data, l); -- X(11) = l; -+ X(11) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(10, C, D, E, T, A, B, X(10)); -- HOST_c2l(data, l); -- X(12) = l; -+ X(12) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(11, B, C, D, E, T, A, X(11)); -- HOST_c2l(data, l); -- X(13) = l; -+ X(13) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(12, A, B, C, D, E, T, X(12)); -- HOST_c2l(data, l); -- X(14) = l; -+ X(14) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(13, T, A, B, C, D, E, X(13)); -- HOST_c2l(data, l); -- X(15) = l; -+ X(15) = CRYPTO_load_u32_be(data); -+ data += 4; - BODY_00_15(14, E, T, A, B, C, D, X(14)); - BODY_00_15(15, D, E, T, A, B, C, X(15)); - -@@ -367,5 +366,3 @@ - #undef BODY_40_59 - #undef BODY_60_79 - #undef X --#undef HOST_c2l --#undef HOST_l2c -diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c -index 0e42446..390ee3a 100644 ---- a/crypto/fipsmodule/sha/sha256.c -+++ b/crypto/fipsmodule/sha/sha256.c -@@ -139,19 +139,18 @@ - // hash 'final' function can fail. This should never happen. - #define HASH_MAKE_STRING(c, s) \ - do { \ -- uint32_t ll; \ - unsigned int nn; \ - switch ((c)->md_len) { \ - case SHA224_DIGEST_LENGTH: \ - for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ -- ll = (c)->h[nn]; \ -- HOST_l2c(ll, (s)); \ -+ CRYPTO_store_u32_be((s), (c)->h[nn]); \ -+ (s) += 4; \ - } \ - break; \ - case SHA256_DIGEST_LENGTH: \ - for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ -- ll = (c)->h[nn]; \ -- HOST_l2c(ll, (s)); \ -+ CRYPTO_store_u32_be((s), (c)->h[nn]); \ -+ (s) += 4; \ - } \ - break; \ - default: \ -@@ -159,8 +158,8 @@ - return 0; \ - } \ - for (nn = 0; nn < (c)->md_len / 4; nn++) { \ -- ll = (c)->h[nn]; \ -- HOST_l2c(ll, (s)); \ -+ CRYPTO_store_u32_be((s), (c)->h[nn]); \ -+ (s) += 4; \ - } \ - break; \ - } \ -@@ -241,55 +240,53 @@ - g = state[6]; - h = state[7]; - -- uint32_t l; -- -- HOST_c2l(data, l); -- T1 = X[0] = l; -+ T1 = X[0] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(0, a, b, c, d, e, f, g, h); -- HOST_c2l(data, l); -- T1 = X[1] = l; -+ T1 = X[1] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(1, h, a, b, c, d, e, f, g); -- HOST_c2l(data, l); -- T1 = X[2] = l; -+ T1 = X[2] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(2, g, h, a, b, c, d, e, f); -- HOST_c2l(data, l); -- T1 = X[3] = l; -+ T1 = X[3] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(3, f, g, h, a, b, c, d, e); -- HOST_c2l(data, l); -- T1 = X[4] = l; -+ T1 = X[4] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(4, e, f, g, h, a, b, c, d); -- HOST_c2l(data, l); -- T1 = X[5] = l; -+ T1 = X[5] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(5, d, e, f, g, h, a, b, c); -- HOST_c2l(data, l); -- T1 = X[6] = l; -+ T1 = X[6] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(6, c, d, e, f, g, h, a, b); -- HOST_c2l(data, l); -- T1 = X[7] = l; -+ T1 = X[7] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(7, b, c, d, e, f, g, h, a); -- HOST_c2l(data, l); -- T1 = X[8] = l; -+ T1 = X[8] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(8, a, b, c, d, e, f, g, h); -- HOST_c2l(data, l); -- T1 = X[9] = l; -+ T1 = X[9] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(9, h, a, b, c, d, e, f, g); -- HOST_c2l(data, l); -- T1 = X[10] = l; -+ T1 = X[10] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(10, g, h, a, b, c, d, e, f); -- HOST_c2l(data, l); -- T1 = X[11] = l; -+ T1 = X[11] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(11, f, g, h, a, b, c, d, e); -- HOST_c2l(data, l); -- T1 = X[12] = l; -+ T1 = X[12] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(12, e, f, g, h, a, b, c, d); -- HOST_c2l(data, l); -- T1 = X[13] = l; -+ T1 = X[13] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(13, d, e, f, g, h, a, b, c); -- HOST_c2l(data, l); -- T1 = X[14] = l; -+ T1 = X[14] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(14, c, d, e, f, g, h, a, b); -- HOST_c2l(data, l); -- T1 = X[15] = l; -+ T1 = X[15] = CRYPTO_load_u32_be(data); -+ data += 4; - ROUND_00_15(15, b, c, d, e, f, g, h, a); - - for (i = 16; i < 64; i += 8) { -@@ -339,5 +336,3 @@ - #undef Maj - #undef ROUND_00_15 - #undef ROUND_16_63 --#undef HOST_c2l --#undef HOST_l2c -diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c -index ba86c1e..1f40e7a 100644 ---- a/crypto/fipsmodule/sha/sha512.c -+++ b/crypto/fipsmodule/sha/sha512.c -@@ -256,22 +256,8 @@ - } - - OPENSSL_memset(p + n, 0, sizeof(sha->p) - 16 - n); -- p[sizeof(sha->p) - 1] = (uint8_t)(sha->Nl); -- p[sizeof(sha->p) - 2] = (uint8_t)(sha->Nl >> 8); -- p[sizeof(sha->p) - 3] = (uint8_t)(sha->Nl >> 16); -- p[sizeof(sha->p) - 4] = (uint8_t)(sha->Nl >> 24); -- p[sizeof(sha->p) - 5] = (uint8_t)(sha->Nl >> 32); -- p[sizeof(sha->p) - 6] = (uint8_t)(sha->Nl >> 40); -- p[sizeof(sha->p) - 7] = (uint8_t)(sha->Nl >> 48); -- p[sizeof(sha->p) - 8] = (uint8_t)(sha->Nl >> 56); -- p[sizeof(sha->p) - 9] = (uint8_t)(sha->Nh); -- p[sizeof(sha->p) - 10] = (uint8_t)(sha->Nh >> 8); -- p[sizeof(sha->p) - 11] = (uint8_t)(sha->Nh >> 16); -- p[sizeof(sha->p) - 12] = (uint8_t)(sha->Nh >> 24); -- p[sizeof(sha->p) - 13] = (uint8_t)(sha->Nh >> 32); -- p[sizeof(sha->p) - 14] = (uint8_t)(sha->Nh >> 40); -- p[sizeof(sha->p) - 15] = (uint8_t)(sha->Nh >> 48); -- p[sizeof(sha->p) - 16] = (uint8_t)(sha->Nh >> 56); -+ CRYPTO_store_u64_be(p + sizeof(sha->p) - 16, sha->Nh); -+ CRYPTO_store_u64_be(p + sizeof(sha->p) - 8, sha->Nl); - - sha512_block_data_order(sha->h, p, 1); - -@@ -368,12 +354,6 @@ - #define ROTR(x, s) (((x) >> s) | (x) << (64 - s)) - #endif - --static inline uint64_t load_u64_be(const void *ptr) { -- uint64_t ret; -- OPENSSL_memcpy(&ret, ptr, sizeof(ret)); -- return CRYPTO_bswap8(ret); --} -- - #define Sigma0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39)) - #define Sigma1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41)) - #define sigma0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7)) -@@ -404,7 +384,7 @@ - F[7] = state[7]; - - for (i = 0; i < 16; i++, F--) { -- T = load_u64_be(in + i * 8); -+ T = CRYPTO_load_u64_be(in + i * 8); - F[0] = A; - F[4] = E; - F[8] = T; -@@ -476,37 +456,37 @@ - g = state[6]; - h = state[7]; - -- T1 = X[0] = load_u64_be(in); -+ T1 = X[0] = CRYPTO_load_u64_be(in); - ROUND_00_15(0, a, b, c, d, e, f, g, h); -- T1 = X[1] = load_u64_be(in + 8); -+ T1 = X[1] = CRYPTO_load_u64_be(in + 8); - ROUND_00_15(1, h, a, b, c, d, e, f, g); -- T1 = X[2] = load_u64_be(in + 2 * 8); -+ T1 = X[2] = CRYPTO_load_u64_be(in + 2 * 8); - ROUND_00_15(2, g, h, a, b, c, d, e, f); -- T1 = X[3] = load_u64_be(in + 3 * 8); -+ T1 = X[3] = CRYPTO_load_u64_be(in + 3 * 8); - ROUND_00_15(3, f, g, h, a, b, c, d, e); -- T1 = X[4] = load_u64_be(in + 4 * 8); -+ T1 = X[4] = CRYPTO_load_u64_be(in + 4 * 8); - ROUND_00_15(4, e, f, g, h, a, b, c, d); -- T1 = X[5] = load_u64_be(in + 5 * 8); -+ T1 = X[5] = CRYPTO_load_u64_be(in + 5 * 8); - ROUND_00_15(5, d, e, f, g, h, a, b, c); -- T1 = X[6] = load_u64_be(in + 6 * 8); -+ T1 = X[6] = CRYPTO_load_u64_be(in + 6 * 8); - ROUND_00_15(6, c, d, e, f, g, h, a, b); -- T1 = X[7] = load_u64_be(in + 7 * 8); -+ T1 = X[7] = CRYPTO_load_u64_be(in + 7 * 8); - ROUND_00_15(7, b, c, d, e, f, g, h, a); -- T1 = X[8] = load_u64_be(in + 8 * 8); -+ T1 = X[8] = CRYPTO_load_u64_be(in + 8 * 8); - ROUND_00_15(8, a, b, c, d, e, f, g, h); -- T1 = X[9] = load_u64_be(in + 9 * 8); -+ T1 = X[9] = CRYPTO_load_u64_be(in + 9 * 8); - ROUND_00_15(9, h, a, b, c, d, e, f, g); -- T1 = X[10] = load_u64_be(in + 10 * 8); -+ T1 = X[10] = CRYPTO_load_u64_be(in + 10 * 8); - ROUND_00_15(10, g, h, a, b, c, d, e, f); -- T1 = X[11] = load_u64_be(in + 11 * 8); -+ T1 = X[11] = CRYPTO_load_u64_be(in + 11 * 8); - ROUND_00_15(11, f, g, h, a, b, c, d, e); -- T1 = X[12] = load_u64_be(in + 12 * 8); -+ T1 = X[12] = CRYPTO_load_u64_be(in + 12 * 8); - ROUND_00_15(12, e, f, g, h, a, b, c, d); -- T1 = X[13] = load_u64_be(in + 13 * 8); -+ T1 = X[13] = CRYPTO_load_u64_be(in + 13 * 8); - ROUND_00_15(13, d, e, f, g, h, a, b, c); -- T1 = X[14] = load_u64_be(in + 14 * 8); -+ T1 = X[14] = CRYPTO_load_u64_be(in + 14 * 8); - ROUND_00_15(14, c, d, e, f, g, h, a, b); -- T1 = X[15] = load_u64_be(in + 15 * 8); -+ T1 = X[15] = CRYPTO_load_u64_be(in + 15 * 8); - ROUND_00_15(15, b, c, d, e, f, g, h, a); - - for (i = 16; i < 80; i += 16) { -diff --git a/crypto/internal.h b/crypto/internal.h -index 51d1d9c..14c60e0 100644 ---- a/crypto/internal.h -+++ b/crypto/internal.h -@@ -819,6 +819,58 @@ - return memset(dst, c, n); - } - -+ -+// Loads and stores. -+// -+// The following functions load and store sized integers with the specified -+// endianness. They use |memcpy|, and so avoid alignment or strict aliasing -+// requirements on the input and output pointers. -+ -+static inline uint32_t CRYPTO_load_u32_le(const void *in) { -+ uint32_t v; -+ OPENSSL_memcpy(&v, in, sizeof(v)); -+ return v; -+} -+ -+static inline void CRYPTO_store_u32_le(void *out, uint32_t v) { -+ OPENSSL_memcpy(out, &v, sizeof(v)); -+} -+ -+static inline uint32_t CRYPTO_load_u32_be(const void *in) { -+ uint32_t v; -+ OPENSSL_memcpy(&v, in, sizeof(v)); -+ return CRYPTO_bswap4(v); -+} -+ -+static inline void CRYPTO_store_u32_be(void *out, uint32_t v) { -+ v = CRYPTO_bswap4(v); -+ OPENSSL_memcpy(out, &v, sizeof(v)); -+} -+ -+static inline uint64_t CRYPTO_load_u64_be(const void *ptr) { -+ uint64_t ret; -+ OPENSSL_memcpy(&ret, ptr, sizeof(ret)); -+ return CRYPTO_bswap8(ret); -+} -+ -+static inline void CRYPTO_store_u64_be(void *out, uint64_t v) { -+ v = CRYPTO_bswap8(v); -+ OPENSSL_memcpy(out, &v, sizeof(v)); -+} -+ -+static inline crypto_word_t CRYPTO_load_word_le(const void *in) { -+ crypto_word_t v; -+ OPENSSL_memcpy(&v, in, sizeof(v)); -+ return v; -+} -+ -+static inline void CRYPTO_store_word_le(void *out, crypto_word_t v) { -+ OPENSSL_memcpy(out, &v, sizeof(v)); -+} -+ -+ -+// FIPS functions. -+ - #if defined(BORINGSSL_FIPS) - // BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test - // fails. It prevents any further cryptographic operations by the current -diff --git a/decrepit/ripemd/internal.h b/decrepit/ripemd/internal.h -index 089be15..6be563d 100644 ---- a/decrepit/ripemd/internal.h -+++ b/decrepit/ripemd/internal.h -@@ -59,6 +59,8 @@ - - #include <openssl/base.h> - -+#include "../../crypto/internal.h" -+ - #if defined(__cplusplus) - extern "C" { - #endif -@@ -76,20 +78,20 @@ - #define HASH_UPDATE RIPEMD160_Update - #define HASH_TRANSFORM RIPEMD160_Transform - #define HASH_FINAL RIPEMD160_Final --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- unsigned long ll; \ -- ll = (c)->h[0]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[1]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[2]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[3]; \ -- HOST_l2c(ll, (s)); \ -- ll = (c)->h[4]; \ -- HOST_l2c(ll, (s)); \ -+#define HASH_MAKE_STRING(c, s) \ -+ do { \ -+ CRYPTO_store_u32_le((s), (c)->h[0]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[1]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[2]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[3]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[4]); \ -+ (s) += 4; \ - } while (0) -+ - #define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order - - #include "../../crypto/fipsmodule/digest/md32_common.h" -diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c -index 17b3fdf..f0c87cf 100644 ---- a/decrepit/ripemd/ripemd.c -+++ b/decrepit/ripemd/ripemd.c -@@ -74,7 +74,7 @@ - static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, - size_t num) { - uint32_t A, B, C, D, E; -- uint32_t a, b, c, d, e, l; -+ uint32_t a, b, c, d, e; - uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12, - XX13, XX14, XX15; - #define X(i) XX##i -@@ -86,52 +86,52 @@ - D = h[3]; - E = h[4]; - -- HOST_c2l(data, l); -- X(0) = l; -- HOST_c2l(data, l); -- X(1) = l; -+ X(0) = CRYPTO_load_u32_le(data); -+ data += 4; -+ X(1) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(A, B, C, D, E, WL00, SL00); -- HOST_c2l(data, l); -- X(2) = l; -+ X(2) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(E, A, B, C, D, WL01, SL01); -- HOST_c2l(data, l); -- X(3) = l; -+ X(3) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(D, E, A, B, C, WL02, SL02); -- HOST_c2l(data, l); -- X(4) = l; -+ X(4) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(C, D, E, A, B, WL03, SL03); -- HOST_c2l(data, l); -- X(5) = l; -+ X(5) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(B, C, D, E, A, WL04, SL04); -- HOST_c2l(data, l); -- X(6) = l; -+ X(6) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(A, B, C, D, E, WL05, SL05); -- HOST_c2l(data, l); -- X(7) = l; -+ X(7) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(E, A, B, C, D, WL06, SL06); -- HOST_c2l(data, l); -- X(8) = l; -+ X(8) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(D, E, A, B, C, WL07, SL07); -- HOST_c2l(data, l); -- X(9) = l; -+ X(9) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(C, D, E, A, B, WL08, SL08); -- HOST_c2l(data, l); -- X(10) = l; -+ X(10) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(B, C, D, E, A, WL09, SL09); -- HOST_c2l(data, l); -- X(11) = l; -+ X(11) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(A, B, C, D, E, WL10, SL10); -- HOST_c2l(data, l); -- X(12) = l; -+ X(12) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(E, A, B, C, D, WL11, SL11); -- HOST_c2l(data, l); -- X(13) = l; -+ X(13) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(D, E, A, B, C, WL12, SL12); -- HOST_c2l(data, l); -- X(14) = l; -+ X(14) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(C, D, E, A, B, WL13, SL13); -- HOST_c2l(data, l); -- X(15) = l; -+ X(15) = CRYPTO_load_u32_le(data); -+ data += 4; - RIP1(B, C, D, E, A, WL14, SL14); - RIP1(A, B, C, D, E, WL15, SL15); - -From 15e0f6784bb986d44a170f131c6687a54822bedf Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Mon, 29 Mar 2021 14:16:58 -0400 -Subject: [PATCH] Fold ripemd/internal.h into ripemd.c. - -It's only used from that file and, given the names defined by it, -probably isn't usable by other files anyway. - -Change-Id: Ice205408962ade00c1dcb51406da3ef2fd7f0393 -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46426 -Reviewed-by: Adam Langley <agl@google.com> ---- - -diff --git a/decrepit/ripemd/internal.h b/decrepit/ripemd/internal.h -deleted file mode 100644 -index 6be563d..0000000 ---- a/decrepit/ripemd/internal.h -+++ /dev/null -@@ -1,496 +0,0 @@ --/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) -- * All rights reserved. -- * -- * This package is an SSL implementation written -- * by Eric Young (eay@cryptsoft.com). -- * The implementation was written so as to conform with Netscapes SSL. -- * -- * This library is free for commercial and non-commercial use as long as -- * the following conditions are aheared to. The following conditions -- * apply to all code found in this distribution, be it the RC4, RSA, -- * lhash, DES, etc., code; not just the SSL code. The SSL documentation -- * included with this distribution is covered by the same copyright terms -- * except that the holder is Tim Hudson (tjh@cryptsoft.com). -- * -- * Copyright remains Eric Young's, and as such any Copyright notices in -- * the code are not to be removed. -- * If this package is used in a product, Eric Young should be given attribution -- * as the author of the parts of the library used. -- * This can be in the form of a textual message at program startup or -- * in documentation (online or textual) provided with the package. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * 1. Redistributions of source code must retain the copyright -- * notice, this list of conditions and the following disclaimer. -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in the -- * documentation and/or other materials provided with the distribution. -- * 3. All advertising materials mentioning features or use of this software -- * must display the following acknowledgement: -- * "This product includes cryptographic software written by -- * Eric Young (eay@cryptsoft.com)" -- * The word 'cryptographic' can be left out if the rouines from the library -- * being used are not cryptographic related :-). -- * 4. If you include any Windows specific code (or a derivative thereof) from -- * the apps directory (application code) you must include an acknowledgement: -- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" -- * -- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -- * SUCH DAMAGE. -- * -- * The licence and distribution terms for any publically available version or -- * derivative of this code cannot be changed. i.e. this code cannot simply be -- * copied and put under another distribution licence -- * [including the GNU Public Licence.] */ -- --#ifndef OPENSSL_HEADER_RIPEMD_INTERNAL_H --#define OPENSSL_HEADER_RIPEMD_INTERNAL_H -- --#include <openssl/base.h> -- --#include "../../crypto/internal.h" -- --#if defined(__cplusplus) --extern "C" { --#endif -- -- --static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, -- size_t num); -- --#define DATA_ORDER_IS_LITTLE_ENDIAN -- --#define HASH_LONG uint32_t --#define HASH_CTX RIPEMD160_CTX --#define HASH_CBLOCK RIPEMD160_CBLOCK --#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH --#define HASH_UPDATE RIPEMD160_Update --#define HASH_TRANSFORM RIPEMD160_Transform --#define HASH_FINAL RIPEMD160_Final --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- CRYPTO_store_u32_le((s), (c)->h[0]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[1]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[2]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[3]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[4]); \ -- (s) += 4; \ -- } while (0) -- --#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order -- --#include "../../crypto/fipsmodule/digest/md32_common.h" -- --// Transformed F2 and F4 are courtesy of Wei Dai <weidai@eskimo.com> --#define F1(x, y, z) ((x) ^ (y) ^ (z)) --#define F2(x, y, z) ((((y) ^ (z)) & (x)) ^ (z)) --#define F3(x, y, z) (((~(y)) | (x)) ^ (z)) --#define F4(x, y, z) ((((x) ^ (y)) & (z)) ^ (y)) --#define F5(x, y, z) (((~(z)) | (y)) ^ (x)) -- --#define RIPEMD160_A 0x67452301L --#define RIPEMD160_B 0xEFCDAB89L --#define RIPEMD160_C 0x98BADCFEL --#define RIPEMD160_D 0x10325476L --#define RIPEMD160_E 0xC3D2E1F0L -- --#define ROTATE(a, n) (((a) << (n)) | (((a)&0xffffffff) >> (32 - (n)))) -- --#define RIP1(a, b, c, d, e, w, s) \ -- { \ -- a += F1(b, c, d) + X(w); \ -- a = ROTATE(a, s) + e; \ -- c = ROTATE(c, 10); \ -- } -- --#define RIP2(a, b, c, d, e, w, s, K) \ -- { \ -- a += F2(b, c, d) + X(w) + K; \ -- a = ROTATE(a, s) + e; \ -- c = ROTATE(c, 10); \ -- } -- --#define RIP3(a, b, c, d, e, w, s, K) \ -- { \ -- a += F3(b, c, d) + X(w) + K; \ -- a = ROTATE(a, s) + e; \ -- c = ROTATE(c, 10); \ -- } -- --#define RIP4(a, b, c, d, e, w, s, K) \ -- { \ -- a += F4(b, c, d) + X(w) + K; \ -- a = ROTATE(a, s) + e; \ -- c = ROTATE(c, 10); \ -- } -- --#define RIP5(a, b, c, d, e, w, s, K) \ -- { \ -- a += F5(b, c, d) + X(w) + K; \ -- a = ROTATE(a, s) + e; \ -- c = ROTATE(c, 10); \ -- } -- --#define KL0 0x00000000L --#define KL1 0x5A827999L --#define KL2 0x6ED9EBA1L --#define KL3 0x8F1BBCDCL --#define KL4 0xA953FD4EL -- --#define KR0 0x50A28BE6L --#define KR1 0x5C4DD124L --#define KR2 0x6D703EF3L --#define KR3 0x7A6D76E9L --#define KR4 0x00000000L -- --#define WL00 0 --#define SL00 11 --#define WL01 1 --#define SL01 14 --#define WL02 2 --#define SL02 15 --#define WL03 3 --#define SL03 12 --#define WL04 4 --#define SL04 5 --#define WL05 5 --#define SL05 8 --#define WL06 6 --#define SL06 7 --#define WL07 7 --#define SL07 9 --#define WL08 8 --#define SL08 11 --#define WL09 9 --#define SL09 13 --#define WL10 10 --#define SL10 14 --#define WL11 11 --#define SL11 15 --#define WL12 12 --#define SL12 6 --#define WL13 13 --#define SL13 7 --#define WL14 14 --#define SL14 9 --#define WL15 15 --#define SL15 8 -- --#define WL16 7 --#define SL16 7 --#define WL17 4 --#define SL17 6 --#define WL18 13 --#define SL18 8 --#define WL19 1 --#define SL19 13 --#define WL20 10 --#define SL20 11 --#define WL21 6 --#define SL21 9 --#define WL22 15 --#define SL22 7 --#define WL23 3 --#define SL23 15 --#define WL24 12 --#define SL24 7 --#define WL25 0 --#define SL25 12 --#define WL26 9 --#define SL26 15 --#define WL27 5 --#define SL27 9 --#define WL28 2 --#define SL28 11 --#define WL29 14 --#define SL29 7 --#define WL30 11 --#define SL30 13 --#define WL31 8 --#define SL31 12 -- --#define WL32 3 --#define SL32 11 --#define WL33 10 --#define SL33 13 --#define WL34 14 --#define SL34 6 --#define WL35 4 --#define SL35 7 --#define WL36 9 --#define SL36 14 --#define WL37 15 --#define SL37 9 --#define WL38 8 --#define SL38 13 --#define WL39 1 --#define SL39 15 --#define WL40 2 --#define SL40 14 --#define WL41 7 --#define SL41 8 --#define WL42 0 --#define SL42 13 --#define WL43 6 --#define SL43 6 --#define WL44 13 --#define SL44 5 --#define WL45 11 --#define SL45 12 --#define WL46 5 --#define SL46 7 --#define WL47 12 --#define SL47 5 -- --#define WL48 1 --#define SL48 11 --#define WL49 9 --#define SL49 12 --#define WL50 11 --#define SL50 14 --#define WL51 10 --#define SL51 15 --#define WL52 0 --#define SL52 14 --#define WL53 8 --#define SL53 15 --#define WL54 12 --#define SL54 9 --#define WL55 4 --#define SL55 8 --#define WL56 13 --#define SL56 9 --#define WL57 3 --#define SL57 14 --#define WL58 7 --#define SL58 5 --#define WL59 15 --#define SL59 6 --#define WL60 14 --#define SL60 8 --#define WL61 5 --#define SL61 6 --#define WL62 6 --#define SL62 5 --#define WL63 2 --#define SL63 12 -- --#define WL64 4 --#define SL64 9 --#define WL65 0 --#define SL65 15 --#define WL66 5 --#define SL66 5 --#define WL67 9 --#define SL67 11 --#define WL68 7 --#define SL68 6 --#define WL69 12 --#define SL69 8 --#define WL70 2 --#define SL70 13 --#define WL71 10 --#define SL71 12 --#define WL72 14 --#define SL72 5 --#define WL73 1 --#define SL73 12 --#define WL74 3 --#define SL74 13 --#define WL75 8 --#define SL75 14 --#define WL76 11 --#define SL76 11 --#define WL77 6 --#define SL77 8 --#define WL78 15 --#define SL78 5 --#define WL79 13 --#define SL79 6 -- --#define WR00 5 --#define SR00 8 --#define WR01 14 --#define SR01 9 --#define WR02 7 --#define SR02 9 --#define WR03 0 --#define SR03 11 --#define WR04 9 --#define SR04 13 --#define WR05 2 --#define SR05 15 --#define WR06 11 --#define SR06 15 --#define WR07 4 --#define SR07 5 --#define WR08 13 --#define SR08 7 --#define WR09 6 --#define SR09 7 --#define WR10 15 --#define SR10 8 --#define WR11 8 --#define SR11 11 --#define WR12 1 --#define SR12 14 --#define WR13 10 --#define SR13 14 --#define WR14 3 --#define SR14 12 --#define WR15 12 --#define SR15 6 -- --#define WR16 6 --#define SR16 9 --#define WR17 11 --#define SR17 13 --#define WR18 3 --#define SR18 15 --#define WR19 7 --#define SR19 7 --#define WR20 0 --#define SR20 12 --#define WR21 13 --#define SR21 8 --#define WR22 5 --#define SR22 9 --#define WR23 10 --#define SR23 11 --#define WR24 14 --#define SR24 7 --#define WR25 15 --#define SR25 7 --#define WR26 8 --#define SR26 12 --#define WR27 12 --#define SR27 7 --#define WR28 4 --#define SR28 6 --#define WR29 9 --#define SR29 15 --#define WR30 1 --#define SR30 13 --#define WR31 2 --#define SR31 11 -- --#define WR32 15 --#define SR32 9 --#define WR33 5 --#define SR33 7 --#define WR34 1 --#define SR34 15 --#define WR35 3 --#define SR35 11 --#define WR36 7 --#define SR36 8 --#define WR37 14 --#define SR37 6 --#define WR38 6 --#define SR38 6 --#define WR39 9 --#define SR39 14 --#define WR40 11 --#define SR40 12 --#define WR41 8 --#define SR41 13 --#define WR42 12 --#define SR42 5 --#define WR43 2 --#define SR43 14 --#define WR44 10 --#define SR44 13 --#define WR45 0 --#define SR45 13 --#define WR46 4 --#define SR46 7 --#define WR47 13 --#define SR47 5 -- --#define WR48 8 --#define SR48 15 --#define WR49 6 --#define SR49 5 --#define WR50 4 --#define SR50 8 --#define WR51 1 --#define SR51 11 --#define WR52 3 --#define SR52 14 --#define WR53 11 --#define SR53 14 --#define WR54 15 --#define SR54 6 --#define WR55 0 --#define SR55 14 --#define WR56 5 --#define SR56 6 --#define WR57 12 --#define SR57 9 --#define WR58 2 --#define SR58 12 --#define WR59 13 --#define SR59 9 --#define WR60 9 --#define SR60 12 --#define WR61 7 --#define SR61 5 --#define WR62 10 --#define SR62 15 --#define WR63 14 --#define SR63 8 -- --#define WR64 12 --#define SR64 8 --#define WR65 15 --#define SR65 5 --#define WR66 10 --#define SR66 12 --#define WR67 4 --#define SR67 9 --#define WR68 1 --#define SR68 12 --#define WR69 5 --#define SR69 5 --#define WR70 8 --#define SR70 14 --#define WR71 7 --#define SR71 6 --#define WR72 6 --#define SR72 8 --#define WR73 2 --#define SR73 13 --#define WR74 13 --#define SR74 6 --#define WR75 14 --#define SR75 5 --#define WR76 0 --#define SR76 15 --#define WR77 3 --#define SR77 13 --#define WR78 9 --#define SR78 11 --#define WR79 11 --#define SR79 11 -- -- --#if defined(__cplusplus) --} // extern C --#endif -- --#endif // OPENSSL_HEADER_RIPEMD_INTERNAL_H -diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c -index f0c87cf..50329c7 100644 ---- a/decrepit/ripemd/ripemd.c -+++ b/decrepit/ripemd/ripemd.c -@@ -58,9 +58,15 @@ - - #include <string.h> - --#include "internal.h" -+#include "../../crypto/internal.h" - - -+#define RIPEMD160_A 0x67452301L -+#define RIPEMD160_B 0xEFCDAB89L -+#define RIPEMD160_C 0x98BADCFEL -+#define RIPEMD160_D 0x10325476L -+#define RIPEMD160_E 0xC3D2E1F0L -+ - int RIPEMD160_Init(RIPEMD160_CTX *ctx) { - OPENSSL_memset(ctx, 0, sizeof(*ctx)); - ctx->h[0] = RIPEMD160_A; -@@ -72,6 +78,422 @@ - } - - static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, -+ size_t num); -+ -+#define DATA_ORDER_IS_LITTLE_ENDIAN -+ -+#define HASH_LONG uint32_t -+#define HASH_CTX RIPEMD160_CTX -+#define HASH_CBLOCK RIPEMD160_CBLOCK -+#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH -+#define HASH_UPDATE RIPEMD160_Update -+#define HASH_TRANSFORM RIPEMD160_Transform -+#define HASH_FINAL RIPEMD160_Final -+#define HASH_MAKE_STRING(c, s) \ -+ do { \ -+ CRYPTO_store_u32_le((s), (c)->h[0]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[1]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[2]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[3]); \ -+ (s) += 4; \ -+ CRYPTO_store_u32_le((s), (c)->h[4]); \ -+ (s) += 4; \ -+ } while (0) -+ -+#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order -+ -+#include "../../crypto/fipsmodule/digest/md32_common.h" -+ -+// Transformed F2 and F4 are courtesy of Wei Dai <weidai@eskimo.com> -+#define F1(x, y, z) ((x) ^ (y) ^ (z)) -+#define F2(x, y, z) ((((y) ^ (z)) & (x)) ^ (z)) -+#define F3(x, y, z) (((~(y)) | (x)) ^ (z)) -+#define F4(x, y, z) ((((x) ^ (y)) & (z)) ^ (y)) -+#define F5(x, y, z) (((~(z)) | (y)) ^ (x)) -+ -+#define ROTATE(a, n) (((a) << (n)) | (((a)&0xffffffff) >> (32 - (n)))) -+ -+#define RIP1(a, b, c, d, e, w, s) \ -+ { \ -+ a += F1(b, c, d) + X(w); \ -+ a = ROTATE(a, s) + e; \ -+ c = ROTATE(c, 10); \ -+ } -+ -+#define RIP2(a, b, c, d, e, w, s, K) \ -+ { \ -+ a += F2(b, c, d) + X(w) + K; \ -+ a = ROTATE(a, s) + e; \ -+ c = ROTATE(c, 10); \ -+ } -+ -+#define RIP3(a, b, c, d, e, w, s, K) \ -+ { \ -+ a += F3(b, c, d) + X(w) + K; \ -+ a = ROTATE(a, s) + e; \ -+ c = ROTATE(c, 10); \ -+ } -+ -+#define RIP4(a, b, c, d, e, w, s, K) \ -+ { \ -+ a += F4(b, c, d) + X(w) + K; \ -+ a = ROTATE(a, s) + e; \ -+ c = ROTATE(c, 10); \ -+ } -+ -+#define RIP5(a, b, c, d, e, w, s, K) \ -+ { \ -+ a += F5(b, c, d) + X(w) + K; \ -+ a = ROTATE(a, s) + e; \ -+ c = ROTATE(c, 10); \ -+ } -+ -+#define KL0 0x00000000L -+#define KL1 0x5A827999L -+#define KL2 0x6ED9EBA1L -+#define KL3 0x8F1BBCDCL -+#define KL4 0xA953FD4EL -+ -+#define KR0 0x50A28BE6L -+#define KR1 0x5C4DD124L -+#define KR2 0x6D703EF3L -+#define KR3 0x7A6D76E9L -+#define KR4 0x00000000L -+ -+#define WL00 0 -+#define SL00 11 -+#define WL01 1 -+#define SL01 14 -+#define WL02 2 -+#define SL02 15 -+#define WL03 3 -+#define SL03 12 -+#define WL04 4 -+#define SL04 5 -+#define WL05 5 -+#define SL05 8 -+#define WL06 6 -+#define SL06 7 -+#define WL07 7 -+#define SL07 9 -+#define WL08 8 -+#define SL08 11 -+#define WL09 9 -+#define SL09 13 -+#define WL10 10 -+#define SL10 14 -+#define WL11 11 -+#define SL11 15 -+#define WL12 12 -+#define SL12 6 -+#define WL13 13 -+#define SL13 7 -+#define WL14 14 -+#define SL14 9 -+#define WL15 15 -+#define SL15 8 -+ -+#define WL16 7 -+#define SL16 7 -+#define WL17 4 -+#define SL17 6 -+#define WL18 13 -+#define SL18 8 -+#define WL19 1 -+#define SL19 13 -+#define WL20 10 -+#define SL20 11 -+#define WL21 6 -+#define SL21 9 -+#define WL22 15 -+#define SL22 7 -+#define WL23 3 -+#define SL23 15 -+#define WL24 12 -+#define SL24 7 -+#define WL25 0 -+#define SL25 12 -+#define WL26 9 -+#define SL26 15 -+#define WL27 5 -+#define SL27 9 -+#define WL28 2 -+#define SL28 11 -+#define WL29 14 -+#define SL29 7 -+#define WL30 11 -+#define SL30 13 -+#define WL31 8 -+#define SL31 12 -+ -+#define WL32 3 -+#define SL32 11 -+#define WL33 10 -+#define SL33 13 -+#define WL34 14 -+#define SL34 6 -+#define WL35 4 -+#define SL35 7 -+#define WL36 9 -+#define SL36 14 -+#define WL37 15 -+#define SL37 9 -+#define WL38 8 -+#define SL38 13 -+#define WL39 1 -+#define SL39 15 -+#define WL40 2 -+#define SL40 14 -+#define WL41 7 -+#define SL41 8 -+#define WL42 0 -+#define SL42 13 -+#define WL43 6 -+#define SL43 6 -+#define WL44 13 -+#define SL44 5 -+#define WL45 11 -+#define SL45 12 -+#define WL46 5 -+#define SL46 7 -+#define WL47 12 -+#define SL47 5 -+ -+#define WL48 1 -+#define SL48 11 -+#define WL49 9 -+#define SL49 12 -+#define WL50 11 -+#define SL50 14 -+#define WL51 10 -+#define SL51 15 -+#define WL52 0 -+#define SL52 14 -+#define WL53 8 -+#define SL53 15 -+#define WL54 12 -+#define SL54 9 -+#define WL55 4 -+#define SL55 8 -+#define WL56 13 -+#define SL56 9 -+#define WL57 3 -+#define SL57 14 -+#define WL58 7 -+#define SL58 5 -+#define WL59 15 -+#define SL59 6 -+#define WL60 14 -+#define SL60 8 -+#define WL61 5 -+#define SL61 6 -+#define WL62 6 -+#define SL62 5 -+#define WL63 2 -+#define SL63 12 -+ -+#define WL64 4 -+#define SL64 9 -+#define WL65 0 -+#define SL65 15 -+#define WL66 5 -+#define SL66 5 -+#define WL67 9 -+#define SL67 11 -+#define WL68 7 -+#define SL68 6 -+#define WL69 12 -+#define SL69 8 -+#define WL70 2 -+#define SL70 13 -+#define WL71 10 -+#define SL71 12 -+#define WL72 14 -+#define SL72 5 -+#define WL73 1 -+#define SL73 12 -+#define WL74 3 -+#define SL74 13 -+#define WL75 8 -+#define SL75 14 -+#define WL76 11 -+#define SL76 11 -+#define WL77 6 -+#define SL77 8 -+#define WL78 15 -+#define SL78 5 -+#define WL79 13 -+#define SL79 6 -+ -+#define WR00 5 -+#define SR00 8 -+#define WR01 14 -+#define SR01 9 -+#define WR02 7 -+#define SR02 9 -+#define WR03 0 -+#define SR03 11 -+#define WR04 9 -+#define SR04 13 -+#define WR05 2 -+#define SR05 15 -+#define WR06 11 -+#define SR06 15 -+#define WR07 4 -+#define SR07 5 -+#define WR08 13 -+#define SR08 7 -+#define WR09 6 -+#define SR09 7 -+#define WR10 15 -+#define SR10 8 -+#define WR11 8 -+#define SR11 11 -+#define WR12 1 -+#define SR12 14 -+#define WR13 10 -+#define SR13 14 -+#define WR14 3 -+#define SR14 12 -+#define WR15 12 -+#define SR15 6 -+ -+#define WR16 6 -+#define SR16 9 -+#define WR17 11 -+#define SR17 13 -+#define WR18 3 -+#define SR18 15 -+#define WR19 7 -+#define SR19 7 -+#define WR20 0 -+#define SR20 12 -+#define WR21 13 -+#define SR21 8 -+#define WR22 5 -+#define SR22 9 -+#define WR23 10 -+#define SR23 11 -+#define WR24 14 -+#define SR24 7 -+#define WR25 15 -+#define SR25 7 -+#define WR26 8 -+#define SR26 12 -+#define WR27 12 -+#define SR27 7 -+#define WR28 4 -+#define SR28 6 -+#define WR29 9 -+#define SR29 15 -+#define WR30 1 -+#define SR30 13 -+#define WR31 2 -+#define SR31 11 -+ -+#define WR32 15 -+#define SR32 9 -+#define WR33 5 -+#define SR33 7 -+#define WR34 1 -+#define SR34 15 -+#define WR35 3 -+#define SR35 11 -+#define WR36 7 -+#define SR36 8 -+#define WR37 14 -+#define SR37 6 -+#define WR38 6 -+#define SR38 6 -+#define WR39 9 -+#define SR39 14 -+#define WR40 11 -+#define SR40 12 -+#define WR41 8 -+#define SR41 13 -+#define WR42 12 -+#define SR42 5 -+#define WR43 2 -+#define SR43 14 -+#define WR44 10 -+#define SR44 13 -+#define WR45 0 -+#define SR45 13 -+#define WR46 4 -+#define SR46 7 -+#define WR47 13 -+#define SR47 5 -+ -+#define WR48 8 -+#define SR48 15 -+#define WR49 6 -+#define SR49 5 -+#define WR50 4 -+#define SR50 8 -+#define WR51 1 -+#define SR51 11 -+#define WR52 3 -+#define SR52 14 -+#define WR53 11 -+#define SR53 14 -+#define WR54 15 -+#define SR54 6 -+#define WR55 0 -+#define SR55 14 -+#define WR56 5 -+#define SR56 6 -+#define WR57 12 -+#define SR57 9 -+#define WR58 2 -+#define SR58 12 -+#define WR59 13 -+#define SR59 9 -+#define WR60 9 -+#define SR60 12 -+#define WR61 7 -+#define SR61 5 -+#define WR62 10 -+#define SR62 15 -+#define WR63 14 -+#define SR63 8 -+ -+#define WR64 12 -+#define SR64 8 -+#define WR65 15 -+#define SR65 5 -+#define WR66 10 -+#define SR66 12 -+#define WR67 4 -+#define SR67 9 -+#define WR68 1 -+#define SR68 12 -+#define WR69 5 -+#define SR69 5 -+#define WR70 8 -+#define SR70 14 -+#define WR71 7 -+#define SR71 6 -+#define WR72 6 -+#define SR72 8 -+#define WR73 2 -+#define SR73 13 -+#define WR74 13 -+#define SR74 6 -+#define WR75 14 -+#define SR75 5 -+#define WR76 0 -+#define SR76 15 -+#define WR77 3 -+#define SR77 13 -+#define WR78 9 -+#define SR78 11 -+#define WR79 11 -+#define SR79 11 -+ -+static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, - size_t num) { - uint32_t A, B, C, D, E; - uint32_t a, b, c, d, e; -From 4320bc47617a66d4219e66e2420311dbfb6c3cb0 Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Mon, 29 Mar 2021 14:26:07 -0400 -Subject: [PATCH] Pull HASH_TRANSFORM out of md32_common.h. - -The macro isn't doing any work here. - -Change-Id: Id97dfa4b027407c5e4b3e7eb1586c3c2a2d977d8 -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47806 -Commit-Queue: David Benjamin <davidben@google.com> -Reviewed-by: Adam Langley <agl@google.com> ---- - -diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h -index a0634d1..8a14108 100644 ---- a/crypto/fipsmodule/digest/md32_common.h -+++ b/crypto/fipsmodule/digest/md32_common.h -@@ -86,9 +86,6 @@ - // |HASH_UPDATE| must be defined as the name of the "Update" function to - // generate. - // --// |HASH_TRANSFORM| must be defined as the the name of the "Transform" --// function to generate. --// - // |HASH_FINAL| must be defined as the name of "Final" function to generate. - // - // |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function. -@@ -121,9 +118,6 @@ - #ifndef HASH_UPDATE - #error "HASH_UPDATE must be defined!" - #endif --#ifndef HASH_TRANSFORM --#error "HASH_TRANSFORM must be defined!" --#endif - #ifndef HASH_FINAL - #error "HASH_FINAL must be defined!" - #endif -@@ -185,11 +179,6 @@ - } - - --void HASH_TRANSFORM(HASH_CTX *c, const uint8_t data[HASH_CBLOCK]) { -- HASH_BLOCK_DATA_ORDER(c->h, data, 1); --} -- -- - int HASH_FINAL(uint8_t out[HASH_DIGEST_LENGTH], HASH_CTX *c) { - // |c->data| always has room for at least one byte. A full block would have - // been consumed. -diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c -index 0551664..9d229bf 100644 ---- a/crypto/fipsmodule/md4/md4.c -+++ b/crypto/fipsmodule/md4/md4.c -@@ -84,13 +84,16 @@ - - void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num); - -+void MD4_Transform(MD4_CTX *c, const uint8_t data[MD4_CBLOCK]) { -+ md4_block_data_order(c->h, data, 1); -+} -+ - #define DATA_ORDER_IS_LITTLE_ENDIAN - - #define HASH_CTX MD4_CTX - #define HASH_CBLOCK 64 - #define HASH_DIGEST_LENGTH 16 - #define HASH_UPDATE MD4_Update --#define HASH_TRANSFORM MD4_Transform - #define HASH_FINAL MD4_Final - #define HASH_MAKE_STRING(c, s) \ - do { \ -@@ -240,7 +243,6 @@ - #undef HASH_CBLOCK - #undef HASH_DIGEST_LENGTH - #undef HASH_UPDATE --#undef HASH_TRANSFORM - #undef HASH_FINAL - #undef HASH_MAKE_STRING - #undef HASH_BLOCK_DATA_ORDER -diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c -index bd6bf6a..e454a84 100644 ---- a/crypto/fipsmodule/md5/md5.c -+++ b/crypto/fipsmodule/md5/md5.c -@@ -89,6 +89,9 @@ - size_t num); - #endif - -+void MD5_Transform(MD5_CTX *c, const uint8_t data[MD5_CBLOCK]) { -+ md5_block_data_order(c->h, data, 1); -+} - - #define DATA_ORDER_IS_LITTLE_ENDIAN - -@@ -96,7 +99,6 @@ - #define HASH_CBLOCK 64 - #define HASH_DIGEST_LENGTH 16 - #define HASH_UPDATE MD5_Update --#define HASH_TRANSFORM MD5_Transform - #define HASH_FINAL MD5_Final - #define HASH_MAKE_STRING(c, s) \ - do { \ -@@ -283,7 +285,6 @@ - #undef HASH_CBLOCK - #undef HASH_DIGEST_LENGTH - #undef HASH_UPDATE --#undef HASH_TRANSFORM - #undef HASH_FINAL - #undef HASH_MAKE_STRING - #undef HASH_BLOCK_DATA_ORDER -diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c -index 2f50c67..7149d11 100644 ---- a/crypto/fipsmodule/sha/sha1.c -+++ b/crypto/fipsmodule/sha/sha1.c -@@ -83,6 +83,15 @@ - return out; - } - -+#if !defined(SHA1_ASM) -+static void sha1_block_data_order(uint32_t *state, const uint8_t *data, -+ size_t num); -+#endif -+ -+void SHA1_Transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) { -+ sha1_block_data_order(c->h, data, 1); -+} -+ - #define DATA_ORDER_IS_BIG_ENDIAN - - #define HASH_CTX SHA_CTX -@@ -103,7 +112,6 @@ - } while (0) - - #define HASH_UPDATE SHA1_Update --#define HASH_TRANSFORM SHA1_Transform - #define HASH_FINAL SHA1_Final - #define HASH_BLOCK_DATA_ORDER sha1_block_data_order - #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) -@@ -113,11 +121,6 @@ - (ix) = (a) = ROTATE((a), 1); \ - } while (0) - --#if !defined(SHA1_ASM) --static void sha1_block_data_order(uint32_t *state, const uint8_t *data, -- size_t num); --#endif -- - #include "../digest/md32_common.h" - - #define K_00_19 0x5a827999UL -@@ -346,7 +349,6 @@ - #undef HASH_DIGEST_LENGTH - #undef HASH_MAKE_STRING - #undef HASH_UPDATE --#undef HASH_TRANSFORM - #undef HASH_FINAL - #undef HASH_BLOCK_DATA_ORDER - #undef ROTATE -diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c -index 390ee3a..ff961c8 100644 ---- a/crypto/fipsmodule/sha/sha256.c -+++ b/crypto/fipsmodule/sha/sha256.c -@@ -122,6 +122,15 @@ - return SHA256_Final(out, ctx); - } - -+#ifndef SHA256_ASM -+static void sha256_block_data_order(uint32_t *state, const uint8_t *in, -+ size_t num); -+#endif -+ -+void SHA256_Transform(SHA256_CTX *c, const uint8_t data[SHA256_CBLOCK]) { -+ sha256_block_data_order(c->h, data, 1); -+} -+ - #define DATA_ORDER_IS_BIG_ENDIAN - - #define HASH_CTX SHA256_CTX -@@ -167,13 +176,8 @@ - - - #define HASH_UPDATE SHA256_Update --#define HASH_TRANSFORM SHA256_Transform - #define HASH_FINAL SHA256_Final - #define HASH_BLOCK_DATA_ORDER sha256_block_data_order --#ifndef SHA256_ASM --static void sha256_block_data_order(uint32_t *state, const uint8_t *in, -- size_t num); --#endif - - #include "../digest/md32_common.h" - -@@ -324,7 +328,6 @@ - #undef HASH_DIGEST_LENGTH - #undef HASH_MAKE_STRING - #undef HASH_UPDATE --#undef HASH_TRANSFORM - #undef HASH_FINAL - #undef HASH_BLOCK_DATA_ORDER - #undef ROTATE -diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c -index 50329c7..ac6bd83 100644 ---- a/decrepit/ripemd/ripemd.c -+++ b/decrepit/ripemd/ripemd.c -@@ -80,6 +80,11 @@ - static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, - size_t num); - -+void RIPEMD160_Transform(RIPEMD160_CTX *c, -+ const uint8_t data[RIPEMD160_CBLOCK]) { -+ ripemd160_block_data_order(c->h, data, 1); -+} -+ - #define DATA_ORDER_IS_LITTLE_ENDIAN - - #define HASH_LONG uint32_t -@@ -87,7 +92,6 @@ - #define HASH_CBLOCK RIPEMD160_CBLOCK - #define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH - #define HASH_UPDATE RIPEMD160_Update --#define HASH_TRANSFORM RIPEMD160_Transform - #define HASH_FINAL RIPEMD160_Final - #define HASH_MAKE_STRING(c, s) \ - do { \ -From 597ffef971dd980b7de5e97a0c9b7ca26eec94bc Mon Sep 17 00:00:00 2001 -From: David Benjamin <davidben@google.com> -Date: Mon, 29 Mar 2021 14:45:13 -0400 -Subject: [PATCH] Make md32_common.h single-included and use an unsized helper for SHA-256. - -Similar to -https://boringssl-review.googlesource.com/c/boringssl/+/46405, -SHA256_Final and SHA224_Final hit array size warnings in the new GCC. -The array sizes are, strictly speaking, purely decoration, but this is a -good warning so we should be clean with it on. - -That same change is difficult to apply to md32_common.h because -md32_common.h generates the functions for us. md32_common.h is already -strange in that it is multiply-included and changes behavior based on -macros defined by the caller. - -Instead, replace it with inline functions, which are a bit more -conventional and typesafe. This allows each hash function to define the -function prototype. Use this to add an unsized helper for SHA-256. - -Bug: 402 -Change-Id: I61bc30fb58c54dd40a55c9b1ebf3fb9adde5e038 -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47807 -Reviewed-by: Adam Langley <agl@google.com> -Reviewed-by: Peter Foley <pefoley@google.com> -Commit-Queue: David Benjamin <davidben@google.com> ---- - -diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h -index 8a14108..129ec48 100644 ---- a/crypto/fipsmodule/digest/md32_common.h -+++ b/crypto/fipsmodule/digest/md32_common.h -@@ -46,6 +46,9 @@ - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== */ - -+#ifndef OPENSSL_HEADER_DIGEST_MD32_COMMON_H -+#define OPENSSL_HEADER_DIGEST_MD32_COMMON_H -+ - #include <openssl/base.h> - - #include <assert.h> -@@ -59,22 +62,15 @@ - - // This is a generic 32-bit "collector" for message digest algorithms. It - // collects input character stream into chunks of 32-bit values and invokes the --// block function that performs the actual hash calculations. To make use of --// this mechanism, the following macros must be defined before including --// md32_common.h. -+// block function that performs the actual hash calculations. - // --// One of |DATA_ORDER_IS_BIG_ENDIAN| or |DATA_ORDER_IS_LITTLE_ENDIAN| must be --// defined to specify the byte order of the input stream. --// --// |HASH_CBLOCK| must be defined as the integer block size, in bytes. --// --// |HASH_CTX| must be defined as the name of the context structure, which must --// have at least the following members: -+// To make use of this mechanism, the hash context should be defined with the -+// following parameters. - // - // typedef struct <name>_state_st { - // uint32_t h[<chaining length> / sizeof(uint32_t)]; - // uint32_t Nl, Nh; --// uint8_t data[HASH_CBLOCK]; -+// uint8_t data[<block size>]; - // unsigned num; - // ... - // } <NAME>_CTX; -@@ -83,136 +79,117 @@ - // any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and - // SHA-512). - // --// |HASH_UPDATE| must be defined as the name of the "Update" function to --// generate. --// --// |HASH_FINAL| must be defined as the name of "Final" function to generate. --// --// |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function. --// That function must be implemented manually. It must be capable of operating --// on *unaligned* input data in its original (data) byte order. It must have --// this signature: --// --// void HASH_BLOCK_DATA_ORDER(uint32_t *state, const uint8_t *data, --// size_t num); --// --// It must update the hash state |state| with |num| blocks of data from |data|, --// where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of --// |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|, --// and so will have |<chaining length> / sizeof(uint32_t)| elements. --// --// |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts --// the hash state |c->h| into the output byte order, storing the result in |s|. -+// |h| is the hash state and is updated by a function of type -+// |crypto_md32_block_func|. |data| is the partial unprocessed block and has -+// |num| bytes. |Nl| and |Nh| maintain the number of bits processed so far. - --#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) --#error "DATA_ORDER must be defined!" --#endif -+// A crypto_md32_block_func should incorporate |num_blocks| of input from |data| -+// into |state|. It is assumed the caller has sized |state| and |data| for the -+// hash function. -+typedef void (*crypto_md32_block_func)(uint32_t *state, const uint8_t *data, -+ size_t num_blocks); - --#ifndef HASH_CBLOCK --#error "HASH_CBLOCK must be defined!" --#endif --#ifndef HASH_CTX --#error "HASH_CTX must be defined!" --#endif -- --#ifndef HASH_UPDATE --#error "HASH_UPDATE must be defined!" --#endif --#ifndef HASH_FINAL --#error "HASH_FINAL must be defined!" --#endif -- --#ifndef HASH_BLOCK_DATA_ORDER --#error "HASH_BLOCK_DATA_ORDER must be defined!" --#endif -- --#ifndef HASH_MAKE_STRING --#error "HASH_MAKE_STRING must be defined!" --#endif -- --int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) { -- const uint8_t *data = data_; -- -+// crypto_md32_update adds |len| bytes from |in| to the digest. |data| must be a -+// buffer of length |block_size| with the first |*num| bytes containing a -+// partial block. This function combines the partial block with |in| and -+// incorporates any complete blocks into the digest state |h|. It then updates -+// |data| and |*num| with the new partial block and updates |*Nh| and |*Nl| with -+// the data consumed. -+static inline void crypto_md32_update(crypto_md32_block_func block_func, -+ uint32_t *h, uint8_t *data, -+ size_t block_size, unsigned *num, -+ uint32_t *Nh, uint32_t *Nl, -+ const uint8_t *in, size_t len) { - if (len == 0) { -- return 1; -+ return; - } - -- uint32_t l = c->Nl + (((uint32_t)len) << 3); -- if (l < c->Nl) { -+ uint32_t l = *Nl + (((uint32_t)len) << 3); -+ if (l < *Nl) { - // Handle carries. -- c->Nh++; -+ (*Nh)++; - } -- c->Nh += (uint32_t)(len >> 29); -- c->Nl = l; -+ *Nh += (uint32_t)(len >> 29); -+ *Nl = l; - -- size_t n = c->num; -+ size_t n = *num; - if (n != 0) { -- if (len >= HASH_CBLOCK || len + n >= HASH_CBLOCK) { -- OPENSSL_memcpy(c->data + n, data, HASH_CBLOCK - n); -- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); -- n = HASH_CBLOCK - n; -- data += n; -+ if (len >= block_size || len + n >= block_size) { -+ OPENSSL_memcpy(data + n, in, block_size - n); -+ block_func(h, data, 1); -+ n = block_size - n; -+ in += n; - len -= n; -- c->num = 0; -- // Keep |c->data| zeroed when unused. -- OPENSSL_memset(c->data, 0, HASH_CBLOCK); -+ *num = 0; -+ // Keep |data| zeroed when unused. -+ OPENSSL_memset(data, 0, block_size); - } else { -- OPENSSL_memcpy(c->data + n, data, len); -- c->num += (unsigned)len; -- return 1; -+ OPENSSL_memcpy(data + n, in, len); -+ *num += (unsigned)len; -+ return; - } - } - -- n = len / HASH_CBLOCK; -+ n = len / block_size; - if (n > 0) { -- HASH_BLOCK_DATA_ORDER(c->h, data, n); -- n *= HASH_CBLOCK; -- data += n; -+ block_func(h, in, n); -+ n *= block_size; -+ in += n; - len -= n; - } - - if (len != 0) { -- c->num = (unsigned)len; -- OPENSSL_memcpy(c->data, data, len); -+ *num = (unsigned)len; -+ OPENSSL_memcpy(data, in, len); - } -- return 1; - } - -- --int HASH_FINAL(uint8_t out[HASH_DIGEST_LENGTH], HASH_CTX *c) { -- // |c->data| always has room for at least one byte. A full block would have -+// crypto_md32_final incorporates the partial block and trailing length into the -+// digest state |h|. The trailing length is encoded in little-endian if -+// |is_big_endian| is zero and big-endian otherwise. |data| must be a buffer of -+// length |block_size| with the first |*num| bytes containing a partial block. -+// |Nh| and |Nl| contain the total number of bits processed. On return, this -+// function clears the partial block in |data| and -+// |*num|. -+// -+// This function does not serialize |h| into a final digest. This is the -+// responsibility of the caller. -+static inline void crypto_md32_final(crypto_md32_block_func block_func, -+ uint32_t *h, uint8_t *data, -+ size_t block_size, unsigned *num, -+ uint32_t Nh, uint32_t Nl, -+ int is_big_endian) { -+ // |data| always has room for at least one byte. A full block would have - // been consumed. -- size_t n = c->num; -- assert(n < HASH_CBLOCK); -- c->data[n] = 0x80; -+ size_t n = *num; -+ assert(n < block_size); -+ data[n] = 0x80; - n++; - - // Fill the block with zeros if there isn't room for a 64-bit length. -- if (n > (HASH_CBLOCK - 8)) { -- OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - n); -+ if (n > block_size - 8) { -+ OPENSSL_memset(data + n, 0, block_size - n); - n = 0; -- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); -+ block_func(h, data, 1); - } -- OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - 8 - n); -+ OPENSSL_memset(data + n, 0, block_size - 8 - n); - - // Append a 64-bit length to the block and process it. -- uint8_t *p = c->data + HASH_CBLOCK - 8; --#if defined(DATA_ORDER_IS_BIG_ENDIAN) -- CRYPTO_store_u32_be(p, c->Nh); -- CRYPTO_store_u32_be(p + 4, c->Nl); --#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) -- CRYPTO_store_u32_le(p, c->Nl); -- CRYPTO_store_u32_le(p + 4, c->Nh); --#endif -- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); -- c->num = 0; -- OPENSSL_memset(c->data, 0, HASH_CBLOCK); -- -- HASH_MAKE_STRING(c, out); -- return 1; -+ if (is_big_endian) { -+ CRYPTO_store_u32_be(data + block_size - 8, Nh); -+ CRYPTO_store_u32_be(data + block_size - 4, Nl); -+ } else { -+ CRYPTO_store_u32_le(data + block_size - 8, Nl); -+ CRYPTO_store_u32_le(data + block_size - 4, Nh); -+ } -+ block_func(h, data, 1); -+ *num = 0; -+ OPENSSL_memset(data, 0, block_size); - } - - - #if defined(__cplusplus) - } // extern C - #endif -+ -+#endif // OPENSSL_HEADER_DIGEST_MD32_COMMON_H -diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c -index 9d229bf..8779402 100644 ---- a/crypto/fipsmodule/md4/md4.c -+++ b/crypto/fipsmodule/md4/md4.c -@@ -60,6 +60,7 @@ - #include <string.h> - - #include "../../internal.h" -+#include "../digest/md32_common.h" - - - uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) { -@@ -88,27 +89,22 @@ - md4_block_data_order(c->h, data, 1); - } - --#define DATA_ORDER_IS_LITTLE_ENDIAN -+int MD4_Update(MD4_CTX *c, const void *data, size_t len) { -+ crypto_md32_update(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num, -+ &c->Nh, &c->Nl, data, len); -+ return 1; -+} - --#define HASH_CTX MD4_CTX --#define HASH_CBLOCK 64 --#define HASH_DIGEST_LENGTH 16 --#define HASH_UPDATE MD4_Update --#define HASH_FINAL MD4_Final --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- CRYPTO_store_u32_le((s), (c)->h[0]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[1]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[2]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[3]); \ -- (s) += 4; \ -- } while (0) --#define HASH_BLOCK_DATA_ORDER md4_block_data_order -+int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *c) { -+ crypto_md32_final(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num, -+ c->Nh, c->Nl, /*is_big_endian=*/0); - --#include "../digest/md32_common.h" -+ CRYPTO_store_u32_le(out, c->h[0]); -+ CRYPTO_store_u32_le(out + 4, c->h[1]); -+ CRYPTO_store_u32_le(out + 8, c->h[2]); -+ CRYPTO_store_u32_le(out + 12, c->h[3]); -+ return 1; -+} - - // As pointed out by Wei Dai <weidai@eskimo.com>, the above can be - // simplified to the code below. Wei attributes these optimizations -@@ -238,14 +234,6 @@ - } - } - --#undef DATA_ORDER_IS_LITTLE_ENDIAN --#undef HASH_CTX --#undef HASH_CBLOCK --#undef HASH_DIGEST_LENGTH --#undef HASH_UPDATE --#undef HASH_FINAL --#undef HASH_MAKE_STRING --#undef HASH_BLOCK_DATA_ORDER - #undef F - #undef G - #undef H -diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c -index e454a84..eba34bc 100644 ---- a/crypto/fipsmodule/md5/md5.c -+++ b/crypto/fipsmodule/md5/md5.c -@@ -60,8 +60,9 @@ - - #include <openssl/mem.h> - --#include "internal.h" - #include "../../internal.h" -+#include "../digest/md32_common.h" -+#include "internal.h" - - - uint8_t *MD5(const uint8_t *data, size_t len, uint8_t out[MD5_DIGEST_LENGTH]) { -@@ -93,27 +94,22 @@ - md5_block_data_order(c->h, data, 1); - } - --#define DATA_ORDER_IS_LITTLE_ENDIAN -+int MD5_Update(MD5_CTX *c, const void *data, size_t len) { -+ crypto_md32_update(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num, -+ &c->Nh, &c->Nl, data, len); -+ return 1; -+} - --#define HASH_CTX MD5_CTX --#define HASH_CBLOCK 64 --#define HASH_DIGEST_LENGTH 16 --#define HASH_UPDATE MD5_Update --#define HASH_FINAL MD5_Final --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- CRYPTO_store_u32_le((s), (c)->h[0]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[1]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[2]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[3]); \ -- (s) += 4; \ -- } while (0) --#define HASH_BLOCK_DATA_ORDER md5_block_data_order -+int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *c) { -+ crypto_md32_final(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num, -+ c->Nh, c->Nl, /*is_big_endian=*/0); - --#include "../digest/md32_common.h" -+ CRYPTO_store_u32_le(out, c->h[0]); -+ CRYPTO_store_u32_le(out + 4, c->h[1]); -+ CRYPTO_store_u32_le(out + 8, c->h[2]); -+ CRYPTO_store_u32_le(out + 12, c->h[3]); -+ return 1; -+} - - // As pointed out by Wei Dai <weidai@eskimo.com>, the above can be - // simplified to the code below. Wei attributes these optimizations -@@ -280,14 +276,6 @@ - #undef X - #endif - --#undef DATA_ORDER_IS_LITTLE_ENDIAN --#undef HASH_CTX --#undef HASH_CBLOCK --#undef HASH_DIGEST_LENGTH --#undef HASH_UPDATE --#undef HASH_FINAL --#undef HASH_MAKE_STRING --#undef HASH_BLOCK_DATA_ORDER - #undef F - #undef G - #undef H -diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c -index 7149d11..c629308 100644 ---- a/crypto/fipsmodule/sha/sha1.c -+++ b/crypto/fipsmodule/sha/sha1.c -@@ -60,8 +60,9 @@ - - #include <openssl/mem.h> - --#include "internal.h" - #include "../../internal.h" -+#include "../digest/md32_common.h" -+#include "internal.h" - - - int SHA1_Init(SHA_CTX *sha) { -@@ -92,28 +93,24 @@ - sha1_block_data_order(c->h, data, 1); - } - --#define DATA_ORDER_IS_BIG_ENDIAN -+int SHA1_Update(SHA_CTX *c, const void *data, size_t len) { -+ crypto_md32_update(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num, -+ &c->Nh, &c->Nl, data, len); -+ return 1; -+} - --#define HASH_CTX SHA_CTX --#define HASH_CBLOCK 64 --#define HASH_DIGEST_LENGTH 20 --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- CRYPTO_store_u32_be((s), (c)->h[0]); \ -- (s) += 4; \ -- CRYPTO_store_u32_be((s), (c)->h[1]); \ -- (s) += 4; \ -- CRYPTO_store_u32_be((s), (c)->h[2]); \ -- (s) += 4; \ -- CRYPTO_store_u32_be((s), (c)->h[3]); \ -- (s) += 4; \ -- CRYPTO_store_u32_be((s), (c)->h[4]); \ -- (s) += 4; \ -- } while (0) -+int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { -+ crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num, -+ c->Nh, c->Nl, /*is_big_endian=*/1); - --#define HASH_UPDATE SHA1_Update --#define HASH_FINAL SHA1_Final --#define HASH_BLOCK_DATA_ORDER sha1_block_data_order -+ CRYPTO_store_u32_be(out, c->h[0]); -+ CRYPTO_store_u32_be(out + 4, c->h[1]); -+ CRYPTO_store_u32_be(out + 8, c->h[2]); -+ CRYPTO_store_u32_be(out + 12, c->h[3]); -+ CRYPTO_store_u32_be(out + 16, c->h[4]); -+ return 1; -+} -+ - #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) - #define Xupdate(a, ix, ia, ib, ic, id) \ - do { \ -@@ -121,8 +118,6 @@ - (ix) = (a) = ROTATE((a), 1); \ - } while (0) - --#include "../digest/md32_common.h" -- - #define K_00_19 0x5a827999UL - #define K_20_39 0x6ed9eba1UL - #define K_40_59 0x8f1bbcdcUL -@@ -343,14 +338,6 @@ - } - #endif - --#undef DATA_ORDER_IS_BIG_ENDIAN --#undef HASH_CTX --#undef HASH_CBLOCK --#undef HASH_DIGEST_LENGTH --#undef HASH_MAKE_STRING --#undef HASH_UPDATE --#undef HASH_FINAL --#undef HASH_BLOCK_DATA_ORDER - #undef ROTATE - #undef Xupdate - #undef K_00_19 -diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c -index ff961c8..4394f4a 100644 ---- a/crypto/fipsmodule/sha/sha256.c -+++ b/crypto/fipsmodule/sha/sha256.c -@@ -60,8 +60,9 @@ - - #include <openssl/mem.h> - --#include "internal.h" - #include "../../internal.h" -+#include "../digest/md32_common.h" -+#include "internal.h" - - - int SHA224_Init(SHA256_CTX *sha) { -@@ -112,16 +113,6 @@ - return out; - } - --int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { -- return SHA256_Update(ctx, data, len); --} -- --int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { -- // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a -- // smaller output. -- return SHA256_Final(out, ctx); --} -- - #ifndef SHA256_ASM - static void sha256_block_data_order(uint32_t *state, const uint8_t *in, - size_t num); -@@ -131,55 +122,51 @@ - sha256_block_data_order(c->h, data, 1); - } - --#define DATA_ORDER_IS_BIG_ENDIAN -+int SHA256_Update(SHA256_CTX *c, const void *data, size_t len) { -+ crypto_md32_update(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK, -+ &c->num, &c->Nh, &c->Nl, data, len); -+ return 1; -+} - --#define HASH_CTX SHA256_CTX --#define HASH_CBLOCK 64 --#define HASH_DIGEST_LENGTH 32 -+int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { -+ return SHA256_Update(ctx, data, len); -+} - --// Note that FIPS180-2 discusses "Truncation of the Hash Function Output." --// default: case below covers for it. It's not clear however if it's permitted --// to truncate to amount of bytes not divisible by 4. I bet not, but if it is, --// then default: case shall be extended. For reference. Idea behind separate --// cases for pre-defined lenghts is to let the compiler decide if it's --// appropriate to unroll small loops. --// --// TODO(davidben): The small |md_len| case is one of the few places a low-level --// hash 'final' function can fail. This should never happen. --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- unsigned int nn; \ -- switch ((c)->md_len) { \ -- case SHA224_DIGEST_LENGTH: \ -- for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ -- CRYPTO_store_u32_be((s), (c)->h[nn]); \ -- (s) += 4; \ -- } \ -- break; \ -- case SHA256_DIGEST_LENGTH: \ -- for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ -- CRYPTO_store_u32_be((s), (c)->h[nn]); \ -- (s) += 4; \ -- } \ -- break; \ -- default: \ -- if ((c)->md_len > SHA256_DIGEST_LENGTH) { \ -- return 0; \ -- } \ -- for (nn = 0; nn < (c)->md_len / 4; nn++) { \ -- CRYPTO_store_u32_be((s), (c)->h[nn]); \ -- (s) += 4; \ -- } \ -- break; \ -- } \ -- } while (0) -+static int sha256_final_impl(uint8_t *out, SHA256_CTX *c) { -+ crypto_md32_final(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK, -+ &c->num, c->Nh, c->Nl, /*is_big_endian=*/1); - -+ // TODO(davidben): This overflow check one of the few places a low-level hash -+ // 'final' function can fail. SHA-512 does not have a corresponding check. -+ // These functions already misbehave if the caller arbitrarily mutates |c|, so -+ // can we assume one of |SHA256_Init| or |SHA224_Init| was used? -+ if (c->md_len > SHA256_DIGEST_LENGTH) { -+ return 0; -+ } - --#define HASH_UPDATE SHA256_Update --#define HASH_FINAL SHA256_Final --#define HASH_BLOCK_DATA_ORDER sha256_block_data_order -+ assert(c->md_len % 4 == 0); -+ const size_t out_words = c->md_len / 4; -+ for (size_t i = 0; i < out_words; i++) { -+ CRYPTO_store_u32_be(out, c->h[i]); -+ out += 4; -+ } -+ return 1; -+} - --#include "../digest/md32_common.h" -+int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) { -+ // Ideally we would assert |sha->md_len| is |SHA256_DIGEST_LENGTH| to match -+ // the size hint, but calling code often pairs |SHA224_Init| with -+ // |SHA256_Final| and expects |sha->md_len| to carry the size over. -+ // -+ // TODO(davidben): Add an assert and fix code to match them up. -+ return sha256_final_impl(out, c); -+} -+int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { -+ // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a -+ // smaller output. -+ assert(ctx->md_len == SHA224_DIGEST_LENGTH); -+ return sha256_final_impl(out, ctx); -+} - - #ifndef SHA256_ASM - static const uint32_t K256[64] = { -@@ -322,14 +309,6 @@ - sha256_block_data_order(state, data, num_blocks); - } - --#undef DATA_ORDER_IS_BIG_ENDIAN --#undef HASH_CTX --#undef HASH_CBLOCK --#undef HASH_DIGEST_LENGTH --#undef HASH_MAKE_STRING --#undef HASH_UPDATE --#undef HASH_FINAL --#undef HASH_BLOCK_DATA_ORDER - #undef ROTATE - #undef Sigma0 - #undef Sigma1 -diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c -index 1f40e7a..befdd52 100644 ---- a/crypto/fipsmodule/sha/sha512.c -+++ b/crypto/fipsmodule/sha/sha512.c -@@ -162,7 +162,7 @@ - - int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) { - // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a -- // |smaller output. -+ // smaller output. - assert(sha->md_len == SHA384_DIGEST_LENGTH); - return sha512_final_impl(out, sha); - } -@@ -237,7 +237,7 @@ - int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) { - // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match - // the size hint, but calling code often pairs |SHA384_Init| with -- // |SHA512_Final| and expects |sha->md_len| to carry the over. -+ // |SHA512_Final| and expects |sha->md_len| to carry the size over. - // - // TODO(davidben): Add an assert and fix code to match them up. - return sha512_final_impl(out, sha); -@@ -270,9 +270,8 @@ - assert(sha->md_len % 8 == 0); - const size_t out_words = sha->md_len / 8; - for (size_t i = 0; i < out_words; i++) { -- const uint64_t t = CRYPTO_bswap8(sha->h[i]); -- memcpy(out, &t, sizeof(t)); -- out += sizeof(t); -+ CRYPTO_store_u64_be(out, sha->h[i]); -+ out += 8; - } - - return 1; -diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c -index ac6bd83..9120cdd 100644 ---- a/decrepit/ripemd/ripemd.c -+++ b/decrepit/ripemd/ripemd.c -@@ -59,6 +59,7 @@ - #include <string.h> - - #include "../../crypto/internal.h" -+#include "../../crypto/fipsmodule/digest/md32_common.h" - - - #define RIPEMD160_A 0x67452301L -@@ -85,31 +86,24 @@ - ripemd160_block_data_order(c->h, data, 1); - } - --#define DATA_ORDER_IS_LITTLE_ENDIAN -+int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len) { -+ crypto_md32_update(&ripemd160_block_data_order, c->h, c->data, -+ RIPEMD160_CBLOCK, &c->num, &c->Nh, &c->Nl, data, len); -+ return 1; -+} - --#define HASH_LONG uint32_t --#define HASH_CTX RIPEMD160_CTX --#define HASH_CBLOCK RIPEMD160_CBLOCK --#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH --#define HASH_UPDATE RIPEMD160_Update --#define HASH_FINAL RIPEMD160_Final --#define HASH_MAKE_STRING(c, s) \ -- do { \ -- CRYPTO_store_u32_le((s), (c)->h[0]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[1]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[2]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[3]); \ -- (s) += 4; \ -- CRYPTO_store_u32_le((s), (c)->h[4]); \ -- (s) += 4; \ -- } while (0) -+int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH], RIPEMD160_CTX *c) { -+ crypto_md32_final(&ripemd160_block_data_order, c->h, c->data, -+ RIPEMD160_CBLOCK, &c->num, c->Nh, c->Nl, -+ /*is_big_endian=*/0); - --#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order -- --#include "../../crypto/fipsmodule/digest/md32_common.h" -+ CRYPTO_store_u32_le(out, c->h[0]); -+ CRYPTO_store_u32_le(out + 4, c->h[1]); -+ CRYPTO_store_u32_le(out + 8, c->h[2]); -+ CRYPTO_store_u32_le(out + 12, c->h[3]); -+ CRYPTO_store_u32_le(out + 16, c->h[4]); -+ return 1; -+} - - // Transformed F2 and F4 are courtesy of Wei Dai <weidai@eskimo.com> - #define F1(x, y, z) ((x) ^ (y) ^ (z)) -From 92c6fbfc4c44dc8462d260d836020d2b793e7804 Mon Sep 17 00:00:00 2001 -From: Peter Foley <pefoley2@pefoley.com> -Date: Fri, 28 May 2021 14:16:23 -0400 -Subject: [PATCH] Fix array-parameter warnings - -e.g. -/home/peter/boringssl/crypto/curve25519/curve25519.c:503:57: error: argument 2 of type 'const uint8_t[32]' {aka 'const unsigned char[32'} with mismatched bound [-Werror=array-parameter=] - 503 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) { - | ~~~~~~~~~~~~~~^~~~~ -In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33: -/home/peter/boringssl/crypto/curve25519/internal.h:109:58: note: previously declared as 'const uint8_t *' {aka 'const unsigned char *'} - 109 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s); - | ~~~~~~~~~~~~~~~^ -/home/peter/boringssl/crypto/curve25519/curve25519.c:823:57: error: argument 2 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Werror=array-parameter=] - 823 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) { - | ~~~~~~~~~~~~~~~^ -In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33: -/home/peter/boringssl/crypto/curve25519/internal.h:117:56: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'} - 117 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]); - | ~~~~~~~~~~~~~~^~~~~ -cc1: all warnings being treated as errors - -Change-Id: I7e9b68fe261a94834f519057adb6ff90c0cb73cf -Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47805 -Reviewed-by: David Benjamin <davidben@google.com> -Commit-Queue: David Benjamin <davidben@google.com> ---- - -diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c -index 232f6e0..ea48810 100644 ---- a/crypto/curve25519/curve25519.c -+++ b/crypto/curve25519/curve25519.c -@@ -820,7 +820,7 @@ - // - // Preconditions: - // a[31] <= 127 --void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) { -+void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) { - signed char e[64]; - signed char carry; - ge_p1p1 r; -diff --git a/crypto/curve25519/internal.h b/crypto/curve25519/internal.h -index 01be307..76ff78f 100644 ---- a/crypto/curve25519/internal.h -+++ b/crypto/curve25519/internal.h -@@ -106,7 +106,7 @@ - } ge_cached; - - void x25519_ge_tobytes(uint8_t s[32], const ge_p2 *h); --int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s); -+int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]); - void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p); - void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p); - void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p);