diff --git a/patches/boringssl/0001-Fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch b/patches/boringssl/0001-Fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch new file mode 100644 index 0000000..8b298f9 --- /dev/null +++ b/patches/boringssl/0001-Fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch @@ -0,0 +1,24 @@ +From 139adff9b27eaf0bdaac664ec4c9a7db2fe3f920 Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Thu, 25 Mar 2021 01:41:51 -0400 +Subject: [PATCH] Fix mismatch between header and implementation of bn_sqr_comba8. + +Bug: 402 +Change-Id: I6de879f44f6e3eca26f2f49c500769d944fa9bc0 +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46404 +Reviewed-by: Adam Langley +--- + +diff --git a/crypto/fipsmodule/bn/internal.h b/crypto/fipsmodule/bn/internal.h +index 623e0c6..3d368db 100644 +--- a/crypto/fipsmodule/bn/internal.h ++++ b/crypto/fipsmodule/bn/internal.h +@@ -297,7 +297,7 @@ + void bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]); + + // bn_sqr_comba8 sets |r| to |a|^2. +-void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[4]); ++void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]); + + // bn_sqr_comba4 sets |r| to |a|^2. + void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]); diff --git a/patches/boringssl/0002-Use-an-unsized-helper-for-truncated-SHA-512-variants.patch b/patches/boringssl/0002-Use-an-unsized-helper-for-truncated-SHA-512-variants.patch new file mode 100644 index 0000000..6206459 --- /dev/null +++ b/patches/boringssl/0002-Use-an-unsized-helper-for-truncated-SHA-512-variants.patch @@ -0,0 +1,124 @@ +From a24ab549e6ae246b391155d7bed3790ac0e07de2 Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Thu, 25 Mar 2021 15:26:25 -0400 +Subject: [PATCH] Use an unsized helper for truncated SHA-512 variants. + +Although it is strictly fine to call SHA512_Final in SHA384_Final +(array sizes in C parameters are purely decorational, according to the +language), GCC 11 reportedly checks now and gets upset about the size +mismatch. Use an unsized helper function so all our code matches the +specified bounds. + +Unfortunately, the bounds in all the functions are a bit misleading +because SHA512_Final really outputs based on sha->md_len (which Init +function you called) rather than which Final function. I've fixed this +places within a library where we mismatched and added asserts to the +smaller functions. SHA512_Final is assert-less because I've seen lots of +code use SHA384_Init / SHA512_Update / SHA512_Final. + +This doesn't fix the SHA256 variant since that is generated by a pile of +macros in a multiply-included file. This is probably a good opportunity +to make that code less macro-heavy. + +Update-Note: There is a small chance the asserts will trip something, +but hopefully not since I've left SHA512_Final alone. + +Bug: 402 +Change-Id: I4c9d579a63ee0a0dea103c19ef219c13bb9aa62c +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46405 +Reviewed-by: Adam Langley +--- + +diff --git a/crypto/fipsmodule/digest/digests.c b/crypto/fipsmodule/digest/digests.c +index 16daeba..f006ebb 100644 +--- a/crypto/fipsmodule/digest/digests.c ++++ b/crypto/fipsmodule/digest/digests.c +@@ -247,13 +247,21 @@ + CHECK(SHA512_256_Init(ctx->md_data)); + } + ++static void sha512_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) { ++ CHECK(SHA512_256_Update(ctx->md_data, data, count)); ++} ++ ++static void sha512_256_final(EVP_MD_CTX *ctx, uint8_t *md) { ++ CHECK(SHA512_256_Final(md, ctx->md_data)); ++} ++ + DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) { + out->type = NID_sha512_256; + out->md_size = SHA512_256_DIGEST_LENGTH; + out->flags = 0; + out->init = sha512_256_init; +- out->update = sha512_update; +- out->final = sha512_final; ++ out->update = sha512_256_update; ++ out->final = sha512_256_final; + out->block_size = 128; + out->ctx_size = sizeof(SHA512_CTX); + } +diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c +index fd02574..ba86c1e 100644 +--- a/crypto/fipsmodule/sha/sha512.c ++++ b/crypto/fipsmodule/sha/sha512.c +@@ -70,6 +70,8 @@ + // this writing, so there is no need for a common collector/padding + // implementation yet. + ++static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha); ++ + int SHA384_Init(SHA512_CTX *sha) { + sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8); + sha->h[1] = UINT64_C(0x629a292a367cd507); +@@ -146,8 +148,8 @@ + uint8_t out[SHA512_256_DIGEST_LENGTH]) { + SHA512_CTX ctx; + SHA512_256_Init(&ctx); +- SHA512_Update(&ctx, data, len); +- SHA512_Final(out, &ctx); ++ SHA512_256_Update(&ctx, data, len); ++ SHA512_256_Final(out, &ctx); + OPENSSL_cleanse(&ctx, sizeof(ctx)); + return out; + } +@@ -161,7 +163,8 @@ + int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) { + // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a + // |smaller output. +- return SHA512_Final(out, sha); ++ assert(sha->md_len == SHA384_DIGEST_LENGTH); ++ return sha512_final_impl(out, sha); + } + + int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) { +@@ -172,11 +175,11 @@ + return SHA512_Update(sha, data, len); + } + +-int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], +- SHA512_CTX *sha) { ++int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) { + // |SHA512_256_Init| sets |sha->md_len| to |SHA512_256_DIGEST_LENGTH|, so this + // has a |smaller output. +- return SHA512_Final(out, sha); ++ assert(sha->md_len == SHA512_256_DIGEST_LENGTH); ++ return sha512_final_impl(out, sha); + } + + void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) { +@@ -232,6 +235,15 @@ + } + + int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) { ++ // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match ++ // the size hint, but calling code often pairs |SHA384_Init| with ++ // |SHA512_Final| and expects |sha->md_len| to carry the over. ++ // ++ // TODO(davidben): Add an assert and fix code to match them up. ++ return sha512_final_impl(out, sha); ++} ++ ++static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) { + uint8_t *p = sha->p; + size_t n = sha->num; + diff --git a/patches/boringssl/0003-Fix-unnecessarily-direction-specific-tests-in-cipher_tests.txt.patch b/patches/boringssl/0003-Fix-unnecessarily-direction-specific-tests-in-cipher_tests.txt.patch new file mode 100644 index 0000000..c61d648 --- /dev/null +++ b/patches/boringssl/0003-Fix-unnecessarily-direction-specific-tests-in-cipher_tests.txt.patch @@ -0,0 +1,284 @@ +From 8c31179d81081cc9b8ce5b5ac3151088c45042f7 Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Fri, 19 Mar 2021 11:53:48 -0400 +Subject: [PATCH] Fix unnecessarily direction-specific tests in cipher_tests.txt + +All our EVP_CIPHERs are deterministic, so there's usually no point in +testing only one direction. Some of the ECB tests were missing free +decryption tests. CTR is the same in both directions, but we ought to +test the API agrees. OFB vectors are doubled up, so we can merge them +together. Plus there are typos in the OFB-AES192.Decrypt tests, also +present upstream, so we weren't actually testing everything we should. + +(I haven't removed the direction-specific logic altogether since the +tests imported from nist_cavp rely on it. Though there may be something +to be said for running them both ways since they don't actually double +them up...) + +Change-Id: I36a77d342afa436e89ad244a87567e1a4c6ee9dc +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46284 +Reviewed-by: Adam Langley +Commit-Queue: David Benjamin +--- + +diff --git a/crypto/cipher_extra/test/cipher_tests.txt b/crypto/cipher_extra/test/cipher_tests.txt +index ced7595..52fd4af 100644 +--- a/crypto/cipher_extra/test/cipher_tests.txt ++++ b/crypto/cipher_extra/test/cipher_tests.txt +@@ -109,7 +109,6 @@ + # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) + Cipher = AES-128-ECB + Key = 000102030405060708090A0B0C0D0E0F +-Operation = ENCRYPT + Plaintext = 00112233445566778899AABBCCDDEEFF + Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A + +@@ -117,7 +116,6 @@ + # AES 256 ECB tests (from FIPS-197 test vectors, encrypt) + Cipher = AES-256-ECB + Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +-Operation = ENCRYPT + Plaintext = 00112233445566778899AABBCCDDEEFF + Ciphertext = 8EA2B7CA516745BFEAFC49904B496089 + +@@ -227,42 +225,36 @@ + Cipher = AES-128-CTR + Key = AE6852F8121067CC4BF7A5765577F39E + IV = 00000030000000000000000000000001 +-Operation = ENCRYPT + Plaintext = 53696E676C6520626C6F636B206D7367 + Ciphertext = E4095D4FB7A7B3792D6175A3261311B8 + + Cipher = AES-128-CTR + Key = 7E24067817FAE0D743D6CE1F32539163 + IV = 006CB6DBC0543B59DA48D90B00000001 +-Operation = ENCRYPT + Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F + Ciphertext = 5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28 + + Cipher = AES-128-CTR + Key = 7691BE035E5020A8AC6E618529F9A0DC + IV = 00E0017B27777F3F4A1786F000000001 +-Operation = ENCRYPT + Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 + Ciphertext = C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F + + Cipher = AES-256-CTR + Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104 + IV = 00000060DB5672C97AA8F0B200000001 +-Operation = ENCRYPT + Plaintext = 53696E676C6520626C6F636B206D7367 + Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0 + + Cipher = AES-256-CTR + Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884 + IV = 00FAAC24C1585EF15A43D87500000001 +-Operation = ENCRYPT + Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F + Ciphertext = F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C + + Cipher = AES-256-CTR + Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D + IV = 001CC5B751A51D70A1C1114800000001 +-Operation = ENCRYPT + Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 + Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8 + +@@ -270,7 +262,6 @@ + Cipher = AES-128-CTR + Key = 7E24067817FAE0D743D6CE1F32539163 + IV = 00000000000000007FFFFFFFFFFFFFFF +-Operation = ENCRYPT + Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F + Ciphertext = A2D459477E6432BD74184B1B5370D2243CDC202BC43583B2A55D288CDBBD1E03 + +@@ -462,178 +453,78 @@ + + # OFB tests from OpenSSL upstream. + +-# OFB-AES128.Encrypt ++# OFB-AES128 + Cipher = AES-128-OFB + Key = 2B7E151628AED2A6ABF7158809CF4F3C + IV = 000102030405060708090A0B0C0D0E0F +-Operation = ENCRYPT + Plaintext = 6BC1BEE22E409F96E93D7E117393172A + Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A + + Cipher = AES-128-OFB + Key = 2B7E151628AED2A6ABF7158809CF4F3C + IV = 50FE67CC996D32B6DA0937E99BAFEC60 +-Operation = ENCRYPT + Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 + Ciphertext = 7789508D16918F03F53C52DAC54ED825 + + Cipher = AES-128-OFB + Key = 2B7E151628AED2A6ABF7158809CF4F3C + IV = D9A4DADA0892239F6B8B3D7680E15674 +-Operation = ENCRYPT + Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF + Ciphertext = 9740051E9C5FECF64344F7A82260EDCC + + Cipher = AES-128-OFB + Key = 2B7E151628AED2A6ABF7158809CF4F3C + IV = A78819583F0308E7A6BF36B1386ABF23 +-Operation = ENCRYPT + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = 304C6528F659C77866A510D9C1D6AE5E + +-# OFB-AES128.Decrypt +-Cipher = AES-128-OFB +-Key = 2B7E151628AED2A6ABF7158809CF4F3C +-IV = 000102030405060708090A0B0C0D0E0F +-Operation = DECRYPT +-Plaintext = 6BC1BEE22E409F96E93D7E117393172A +-Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A +- +-Cipher = AES-128-OFB +-Key = 2B7E151628AED2A6ABF7158809CF4F3C +-IV = 50FE67CC996D32B6DA0937E99BAFEC60 +-Operation = DECRYPT +-Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +-Ciphertext = 7789508D16918F03F53C52DAC54ED825 +- +-Cipher = AES-128-OFB +-Key = 2B7E151628AED2A6ABF7158809CF4F3C +-IV = D9A4DADA0892239F6B8B3D7680E15674 +-Operation = DECRYPT +-Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +-Ciphertext = 9740051E9C5FECF64344F7A82260EDCC +- +-Cipher = AES-128-OFB +-Key = 2B7E151628AED2A6ABF7158809CF4F3C +-IV = A78819583F0308E7A6BF36B1386ABF23 +-Operation = DECRYPT +-Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +-Ciphertext = 304C6528F659C77866A510D9C1D6AE5E +- +-# OFB-AES192.Encrypt ++# OFB-AES192 + Cipher = AES-192-OFB + Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B + IV = 000102030405060708090A0B0C0D0E0F +-Operation = ENCRYPT + Plaintext = 6BC1BEE22E409F96E93D7E117393172A + Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174 + + Cipher = AES-192-OFB + Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B + IV = A609B38DF3B1133DDDFF2718BA09565E +-Operation = ENCRYPT + Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 + Ciphertext = FCC28B8D4C63837C09E81700C1100401 + + Cipher = AES-192-OFB + Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B + IV = 52EF01DA52602FE0975F78AC84BF8A50 +-Operation = ENCRYPT + Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF + Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2 + + Cipher = AES-192-OFB + Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B + IV = BD5286AC63AABD7EB067AC54B553F71D +-Operation = ENCRYPT + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A + +-# OFB-AES192.Decrypt +-Cipher = AES-192-OFB +-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +-IV = 000102030405060708090A0B0C0D0E0F +-Operation = ENCRYPT +-Plaintext = 6BC1BEE22E409F96E93D7E117393172A +-Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174 +- +-Cipher = AES-192-OFB +-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +-IV = A609B38DF3B1133DDDFF2718BA09565E +-Operation = ENCRYPT +-Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +-Ciphertext = FCC28B8D4C63837C09E81700C1100401 +- +-Cipher = AES-192-OFB +-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +-IV = 52EF01DA52602FE0975F78AC84BF8A50 +-Operation = ENCRYPT +-Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +-Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2 +- +-Cipher = AES-192-OFB +-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +-IV = BD5286AC63AABD7EB067AC54B553F71D +-Operation = ENCRYPT +-Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +-Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A +- +-# OFB-AES256.Encrypt ++# OFB-AES256 + Cipher = AES-256-OFB + Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 + IV = 000102030405060708090A0B0C0D0E0F +-Operation = ENCRYPT + Plaintext = 6BC1BEE22E409F96E93D7E117393172A + Ciphertext = DC7E84BFDA79164B7ECD8486985D3860 + + Cipher = AES-256-OFB + Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 + IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A +-Operation = ENCRYPT + Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 + Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D + + Cipher = AES-256-OFB + Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 + IV = E1C656305ED1A7A6563805746FE03EDC +-Operation = ENCRYPT + Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF + Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408 + + Cipher = AES-256-OFB + Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 + IV = 41635BE625B48AFC1666DD42A09D96E7 +-Operation = ENCRYPT +-Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 +-Ciphertext = 0126141D67F37BE8538F5A8BE740E484 +- +- +-# OFB-AES256.Decrypt +-Cipher = AES-256-OFB +-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +-IV = 000102030405060708090A0B0C0D0E0F +-Operation = DECRYPT +-Plaintext = 6BC1BEE22E409F96E93D7E117393172A +-Ciphertext = DC7E84BFDA79164B7ECD8486985D3860 +- +-Cipher = AES-256-OFB +-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +-IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A +-Operation = DECRYPT +-Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 +-Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D +- +-Cipher = AES-256-OFB +-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +-IV = E1C656305ED1A7A6563805746FE03EDC +-Operation = DECRYPT +-Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF +-Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408 +- +-Cipher = AES-256-OFB +-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +-IV = 41635BE625B48AFC1666DD42A09D96E7 +-Operation = DECRYPT + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = 0126141D67F37BE8538F5A8BE740E484 + +@@ -667,7 +558,6 @@ + # AES-192-ECB tests from FIPS-197 + Cipher = AES-192-ECB + Key = 000102030405060708090A0B0C0D0E0F1011121314151617 +-Operation = ENCRYPT + Plaintext = 00112233445566778899AABBCCDDEEFF + Ciphertext = DDA97CA4864CDFE06EAF70A0EC0D7191 + diff --git a/patches/boringssl/0004-Test-empty-EVP_CIPHER-inputs-and-fix-exact-memcpy-overlap.patch b/patches/boringssl/0004-Test-empty-EVP_CIPHER-inputs-and-fix-exact-memcpy-overlap.patch new file mode 100644 index 0000000..fffb168 --- /dev/null +++ b/patches/boringssl/0004-Test-empty-EVP_CIPHER-inputs-and-fix-exact-memcpy-overlap.patch @@ -0,0 +1,290 @@ +From 502fceede9e9856ce9eb913d697490b58886ca38 Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Fri, 19 Mar 2021 12:15:49 -0400 +Subject: [PATCH] Test empty EVP_CIPHER inputs and fix exact memcpy overlap. + +See also 8129ac6ac4c0ca3a488c225cde580ede7dabe874 and +81198bf323ea9deda907714170d329ca7d2ff01f from upstream. + +In trying to figure out why ASan (which normally catches overlapping +memcpys) didn't flag this, I noticed that we actually don't have tests +for empty inputs. I've added them to cipher_tests.txt where missing and +fixed a bad assert in ofb.c. + +ASan still doesn't flag this because LLVM even requires memcpy handle +dst == src. Still, fixing it is less effort than getting a clear answer +from GCC and MSVC. Though this puts us in the frustrating position of +trying to follow a C rule that our main toolchain and sanitizer disavow. +https://bugs.llvm.org/show_bug.cgi?id=11763 +https://reviews.llvm.org/D86993 + +Change-Id: I53c64a84834ddf5cddca0b3d53a29998f666ea2f +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46285 +Commit-Queue: David Benjamin +Reviewed-by: Adam Langley +--- + +diff --git a/crypto/cipher_extra/test/cipher_tests.txt b/crypto/cipher_extra/test/cipher_tests.txt +index 52fd4af..bf7325e 100644 +--- a/crypto/cipher_extra/test/cipher_tests.txt ++++ b/crypto/cipher_extra/test/cipher_tests.txt +@@ -29,6 +29,11 @@ + Plaintext = 00000000000000000000 + Ciphertext = d6a141a7ec3c38dfbd61 + ++Cipher = RC4 ++Key = ef012345ef012345ef012345ef012345 ++Plaintext = ++Ciphertext = ++ + + # DES EDE3 ECB tests + Cipher = DES-EDE3 +@@ -81,6 +86,11 @@ + Plaintext = cc7569d005afd1a365f5c5836c14475fc15091199902af4a78460d56c16f91ca + Ciphertext = 64db8af7a30363051a017cc92ed67ac6c0e2e1ffda0c94bbf0eeb803ba6b3d22 + ++Cipher = DES-EDE3 ++Key = 2e8eb05dd8a2b7a5a61a6b8a3830b12da2c4b1bea1e884d5 ++Plaintext = ++Ciphertext = ++ + + # DES EDE3 CBC tests (from destest) + Cipher = DES-EDE3-CBC +@@ -89,6 +99,12 @@ + Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 + Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 + ++Cipher = DES-EDE3-CBC ++Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 ++IV = fedcba9876543210 ++Plaintext = ++Ciphertext = ++ + + # DES EDE CBC tests + Cipher = DES-EDE-CBC +@@ -97,6 +113,12 @@ + Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 + Ciphertext = 7948C0DA4FE91CD815DCA96DBC9B60A857EB954F4DEB08EB98722642AE69257B + ++Cipher = DES-EDE-CBC ++Key = 0123456789abcdeff1e0d3c2b5a49786 ++IV = fedcba9876543210 ++Plaintext = ++Ciphertext = ++ + + # DES EDE tests + Cipher = DES-EDE +@@ -105,6 +127,12 @@ + Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 + Ciphertext = 22E889402E28422F8167AD279D90A566DA75B734E12C671FC2669AECB3E4FE8F + ++Cipher = DES-EDE ++Key = 0123456789abcdeff1e0d3c2b5a49786 ++IV = fedcba9876543210 ++Plaintext = ++Ciphertext = ++ + + # AES 128 ECB tests (from FIPS-197 test vectors, encrypt) + Cipher = AES-128-ECB +@@ -112,6 +140,11 @@ + Plaintext = 00112233445566778899AABBCCDDEEFF + Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A + ++Cipher = AES-128-ECB ++Key = 000102030405060708090A0B0C0D0E0F ++Plaintext = ++Ciphertext = ++ + + # AES 256 ECB tests (from FIPS-197 test vectors, encrypt) + Cipher = AES-256-ECB +@@ -119,6 +152,11 @@ + Plaintext = 00112233445566778899AABBCCDDEEFF + Ciphertext = 8EA2B7CA516745BFEAFC49904B496089 + ++Cipher = AES-256-ECB ++Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F ++Plaintext = ++Ciphertext = ++ + + # AES tests from NIST document SP800-38A + # For all ECB encrypts and decrypts, the transformed sequence is +@@ -194,6 +232,12 @@ + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = 3FF1CAA1681FAC09120ECA307586E1A7 + ++Cipher = AES-128-CBC ++Key = 2B7E151628AED2A6ABF7158809CF4F3C ++IV = 73BED6B8E3C1743B7116E69E22229516 ++Plaintext = ++Ciphertext = ++ + + # CBC-AES256.Encrypt and CBC-AES256.Decrypt + Cipher = AES-256-CBC +@@ -220,6 +264,12 @@ + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = B2EB05E2C39BE9FCDA6C19078C6A9D1B + ++Cipher = AES-256-CBC ++Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 ++IV = 39F23369A9D9BACFA530E26304231461 ++Plaintext = ++Ciphertext = ++ + + # AES Counter test vectors from RFC3686 + Cipher = AES-128-CTR +@@ -247,6 +297,12 @@ + Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0 + + Cipher = AES-256-CTR ++Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104 ++IV = 00000060DB5672C97AA8F0B200000001 ++Plaintext = ++Ciphertext = ++ ++Cipher = AES-256-CTR + Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884 + IV = 00FAAC24C1585EF15A43D87500000001 + Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F +@@ -258,6 +314,12 @@ + Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 + Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8 + ++Cipher = AES-256-CTR ++Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D ++IV = 001CC5B751A51D70A1C1114800000001 ++Plaintext = ++Ciphertext = ++ + # Regression test for https://github.com/openssl/openssl/issues/1916. + Cipher = AES-128-CTR + Key = 7E24067817FAE0D743D6CE1F32539163 +@@ -478,6 +540,13 @@ + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = 304C6528F659C77866A510D9C1D6AE5E + ++Cipher = AES-128-OFB ++Key = 2B7E151628AED2A6ABF7158809CF4F3C ++IV = A78819583F0308E7A6BF36B1386ABF23 ++Plaintext = ++Ciphertext = ++ ++ + # OFB-AES192 + Cipher = AES-192-OFB + Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B +@@ -503,6 +572,13 @@ + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A + ++Cipher = AES-192-OFB ++Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B ++IV = BD5286AC63AABD7EB067AC54B553F71D ++Plaintext = ++Ciphertext = ++ ++ + # OFB-AES256 + Cipher = AES-256-OFB + Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 +@@ -528,6 +604,12 @@ + Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 + Ciphertext = 0126141D67F37BE8538F5A8BE740E484 + ++Cipher = AES-256-OFB ++Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4 ++IV = 41635BE625B48AFC1666DD42A09D96E7 ++Plaintext = ++Ciphertext = ++ + + # AES-192 CBC-mode test from upstream OpenSSL. + Cipher = AES-192-CBC +@@ -619,3 +701,8 @@ + Key = FEDCBA9876543210 + Plaintext = 0123456789ABCDEF + Ciphertext = ED39D950FA74BCC4 ++ ++Cipher = DES-ECB ++Key = FEDCBA9876543210 ++Plaintext = ++Ciphertext = +diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c +index 3f1d777..750c575 100644 +--- a/crypto/fipsmodule/modes/cbc.c ++++ b/crypto/fipsmodule/modes/cbc.c +@@ -57,12 +57,15 @@ + void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, + const AES_KEY *key, uint8_t ivec[16], + block128_f block) { ++ assert(key != NULL && ivec != NULL); ++ if (len == 0) { ++ // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C. ++ return; ++ } ++ ++ assert(in != NULL && out != NULL); + size_t n; + const uint8_t *iv = ivec; +- +- assert(key != NULL && ivec != NULL); +- assert(len == 0 || (in != NULL && out != NULL)); +- + while (len >= 16) { + for (n = 0; n < 16; n += sizeof(size_t)) { + store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n)); +@@ -97,20 +100,25 @@ + void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, + const AES_KEY *key, uint8_t ivec[16], + block128_f block) { +- size_t n; +- union { +- size_t t[16 / sizeof(size_t)]; +- uint8_t c[16]; +- } tmp; +- + assert(key != NULL && ivec != NULL); +- assert(len == 0 || (in != NULL && out != NULL)); ++ if (len == 0) { ++ // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C. ++ return; ++ } ++ ++ assert(in != NULL && out != NULL); + + const uintptr_t inptr = (uintptr_t) in; + const uintptr_t outptr = (uintptr_t) out; + // If |in| and |out| alias, |in| must be ahead. + assert(inptr >= outptr || inptr + len <= outptr); + ++ size_t n; ++ union { ++ size_t t[16 / sizeof(size_t)]; ++ uint8_t c[16]; ++ } tmp; ++ + if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) { + // If |out| is at least two blocks behind |in| or completely disjoint, there + // is no need to decrypt to a temporary block. +diff --git a/crypto/fipsmodule/modes/ofb.c b/crypto/fipsmodule/modes/ofb.c +index 4c70ce6..9d73d8a 100644 +--- a/crypto/fipsmodule/modes/ofb.c ++++ b/crypto/fipsmodule/modes/ofb.c +@@ -60,7 +60,8 @@ + void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, + const AES_KEY *key, uint8_t ivec[16], unsigned *num, + block128_f block) { +- assert(in && out && key && ivec && num); ++ assert(key != NULL && ivec != NULL && num != NULL); ++ assert(len == 0 || (in != NULL && out != NULL)); + + unsigned n = *num; + diff --git a/patches/boringssl/0005-Make-words-in-crypto-fipsmodule-modes-actually-words.patch b/patches/boringssl/0005-Make-words-in-crypto-fipsmodule-modes-actually-words.patch new file mode 100644 index 0000000..6057934 --- /dev/null +++ b/patches/boringssl/0005-Make-words-in-crypto-fipsmodule-modes-actually-words.patch @@ -0,0 +1,220 @@ +From 8d4c8fc41be567bca17ce7c15304dc06539a060a Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Mon, 29 Mar 2021 12:59:55 -0400 +Subject: [PATCH] Make words in crypto/fipsmodule/modes actually words. + +It's a little confusing to have load_word_le but actually use size_t +instead of crypto_word_t. + +NOTE: on some platforms, notably NaCl, crypto_word_t is larger than +size_t. (Do we still need to support this?) We don't have a good testing +story here, so I tested it by hacking up a 32-bit x86 build to think it +was OPENSSL_64_BIT. + +Change-Id: Ia0ce469e86803f22655fe2d9659a6a5db766429f +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46424 +Reviewed-by: Adam Langley +--- + +diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c +index 750c575..ee3a186 100644 +--- a/crypto/fipsmodule/modes/cbc.c ++++ b/crypto/fipsmodule/modes/cbc.c +@@ -67,7 +67,7 @@ + size_t n; + const uint8_t *iv = ivec; + while (len >= 16) { +- for (n = 0; n < 16; n += sizeof(size_t)) { ++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { + store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n)); + } + (*block)(out, out, key); +@@ -115,19 +115,19 @@ + + size_t n; + union { +- size_t t[16 / sizeof(size_t)]; ++ crypto_word_t t[16 / sizeof(crypto_word_t)]; + uint8_t c[16]; + } tmp; + + if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) { + // If |out| is at least two blocks behind |in| or completely disjoint, there + // is no need to decrypt to a temporary block. +- OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0, ++ OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0, + "block cannot be evenly divided into words"); + const uint8_t *iv = ivec; + while (len >= 16) { + (*block)(in, out, key); +- for (n = 0; n < 16; n += sizeof(size_t)) { ++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { + store_word_le(out + n, load_word_le(out + n) ^ load_word_le(iv + n)); + } + iv = in; +@@ -137,15 +137,15 @@ + } + OPENSSL_memcpy(ivec, iv, 16); + } else { +- OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0, ++ OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0, + "block cannot be evenly divided into words"); + + while (len >= 16) { + (*block)(in, tmp.c, key); +- for (n = 0; n < 16; n += sizeof(size_t)) { +- size_t c = load_word_le(in + n); +- store_word_le(out + n, +- tmp.t[n / sizeof(size_t)] ^ load_word_le(ivec + n)); ++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { ++ crypto_word_t c = load_word_le(in + n); ++ store_word_le( ++ out + n, tmp.t[n / sizeof(crypto_word_t)] ^ load_word_le(ivec + n)); + store_word_le(ivec + n, c); + } + len -= 16; +diff --git a/crypto/fipsmodule/modes/cfb.c b/crypto/fipsmodule/modes/cfb.c +index 8ca9004..01291c8 100644 +--- a/crypto/fipsmodule/modes/cfb.c ++++ b/crypto/fipsmodule/modes/cfb.c +@@ -72,8 +72,8 @@ + } + while (len >= 16) { + (*block)(ivec, ivec, key); +- for (; n < 16; n += sizeof(size_t)) { +- size_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n); ++ for (; n < 16; n += sizeof(crypto_word_t)) { ++ crypto_word_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n); + store_word_le(ivec + n, tmp); + store_word_le(out + n, tmp); + } +@@ -101,8 +101,8 @@ + } + while (len >= 16) { + (*block)(ivec, ivec, key); +- for (; n < 16; n += sizeof(size_t)) { +- size_t t = load_word_le(in + n); ++ for (; n < 16; n += sizeof(crypto_word_t)) { ++ crypto_word_t t = load_word_le(in + n); + store_word_le(out + n, load_word_le(ivec + n) ^ t); + store_word_le(ivec + n, t); + } +diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c +index 8b0e059..cfb2184 100644 +--- a/crypto/fipsmodule/modes/ctr.c ++++ b/crypto/fipsmodule/modes/ctr.c +@@ -69,8 +69,8 @@ + } while (n); + } + +-OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0, +- "block cannot be divided into size_t"); ++OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0, ++ "block cannot be divided into crypto_word_t"); + + // The input encrypted as though 128bit counter mode is being used. The extra + // state information to record how much of the 128bit block we have used is +@@ -102,7 +102,7 @@ + while (len >= 16) { + (*block)(ivec, ecount_buf, key); + ctr128_inc(ivec); +- for (n = 0; n < 16; n += sizeof(size_t)) { ++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) { + store_word_le(out + n, + load_word_le(in + n) ^ load_word_le(ecount_buf + n)); + } +diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c +index 14fff86..077369d 100644 +--- a/crypto/fipsmodule/modes/gcm.c ++++ b/crypto/fipsmodule/modes/gcm.c +@@ -73,7 +73,7 @@ + + #if defined(GHASH_ASM_X86_64) || defined(GHASH_ASM_X86) + static inline void gcm_reduce_1bit(u128 *V) { +- if (sizeof(size_t) == 8) { ++ if (sizeof(crypto_word_t) == 8) { + uint64_t T = UINT64_C(0xe100000000000000) & (0 - (V->hi & 1)); + V->hi = (V->lo << 63) | (V->hi >> 1); + V->lo = (V->lo >> 1) ^ T; +@@ -377,9 +377,9 @@ + (*block)(ctx->Yi.c, ctx->EKi.c, key); + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); +- for (size_t i = 0; i < 16; i += sizeof(size_t)) { +- store_word_le(out + i, +- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); ++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { ++ store_word_le(out + i, load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +@@ -394,9 +394,9 @@ + (*block)(ctx->Yi.c, ctx->EKi.c, key); + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); +- for (size_t i = 0; i < 16; i += sizeof(size_t)) { +- store_word_le(out + i, +- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); ++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { ++ store_word_le(out + i, load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +@@ -468,9 +468,9 @@ + (*block)(ctx->Yi.c, ctx->EKi.c, key); + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); +- for (size_t i = 0; i < 16; i += sizeof(size_t)) { +- store_word_le(out + i, +- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); ++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { ++ store_word_le(out + i, load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +@@ -485,9 +485,9 @@ + (*block)(ctx->Yi.c, ctx->EKi.c, key); + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); +- for (size_t i = 0; i < 16; i += sizeof(size_t)) { +- store_word_le(out + i, +- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]); ++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { ++ store_word_le(out + i, load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h +index 2693fa6..bf25023 100644 +--- a/crypto/fipsmodule/modes/internal.h ++++ b/crypto/fipsmodule/modes/internal.h +@@ -75,13 +75,13 @@ + OPENSSL_memcpy(out, &v, sizeof(v)); + } + +-static inline size_t load_word_le(const void *in) { +- size_t v; ++static inline crypto_word_t load_word_le(const void *in) { ++ crypto_word_t v; + OPENSSL_memcpy(&v, in, sizeof(v)); + return v; + } + +-static inline void store_word_le(void *out, size_t v) { ++static inline void store_word_le(void *out, crypto_word_t v) { + OPENSSL_memcpy(out, &v, sizeof(v)); + } + +@@ -171,7 +171,7 @@ + uint64_t u[2]; + uint32_t d[4]; + uint8_t c[16]; +- size_t t[16 / sizeof(size_t)]; ++ crypto_word_t t[16 / sizeof(crypto_word_t)]; + } Yi, EKi, EK0, len, Xi; + + // Note that the order of |Xi| and |gcm_key| is fixed by the MOVBE-based, diff --git a/patches/boringssl/0006-Move-load-store-helpers-to-crypto-internal.h.patch b/patches/boringssl/0006-Move-load-store-helpers-to-crypto-internal.h.patch new file mode 100644 index 0000000..e335efd --- /dev/null +++ b/patches/boringssl/0006-Move-load-store-helpers-to-crypto-internal.h.patch @@ -0,0 +1,1141 @@ +From ca4598781a37b6d3f2f7a63593229cd7570a194f Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Mon, 29 Mar 2021 12:54:16 -0400 +Subject: [PATCH] Move load/store helpers to crypto/internal.h. + +We have loads of variations of these. Align them in one set. This avoids +the HOST_* macros defined by md32_common.h, so it'll be a little easier +to make it a more conventional header. + +Change-Id: Id47fe7b51a8f961bd87839f8146d8a5aa8027aa6 +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46425 +Reviewed-by: Adam Langley +--- + +diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h +index 07d39d9..a0634d1 100644 +--- a/crypto/fipsmodule/digest/md32_common.h ++++ b/crypto/fipsmodule/digest/md32_common.h +@@ -136,44 +136,6 @@ + #error "HASH_MAKE_STRING must be defined!" + #endif + +-#if defined(DATA_ORDER_IS_BIG_ENDIAN) +- +-#define HOST_c2l(c, l) \ +- do { \ +- (l) = (((uint32_t)(*((c)++))) << 24); \ +- (l) |= (((uint32_t)(*((c)++))) << 16); \ +- (l) |= (((uint32_t)(*((c)++))) << 8); \ +- (l) |= (((uint32_t)(*((c)++)))); \ +- } while (0) +- +-#define HOST_l2c(l, c) \ +- do { \ +- *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \ +- *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \ +- *((c)++) = (uint8_t)(((l) >> 8) & 0xff); \ +- *((c)++) = (uint8_t)(((l)) & 0xff); \ +- } while (0) +- +-#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) +- +-#define HOST_c2l(c, l) \ +- do { \ +- (l) = (((uint32_t)(*((c)++)))); \ +- (l) |= (((uint32_t)(*((c)++))) << 8); \ +- (l) |= (((uint32_t)(*((c)++))) << 16); \ +- (l) |= (((uint32_t)(*((c)++))) << 24); \ +- } while (0) +- +-#define HOST_l2c(l, c) \ +- do { \ +- *((c)++) = (uint8_t)(((l)) & 0xff); \ +- *((c)++) = (uint8_t)(((l) >> 8) & 0xff); \ +- *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \ +- *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \ +- } while (0) +- +-#endif // DATA_ORDER +- + int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) { + const uint8_t *data = data_; + +@@ -247,13 +209,12 @@ + // Append a 64-bit length to the block and process it. + uint8_t *p = c->data + HASH_CBLOCK - 8; + #if defined(DATA_ORDER_IS_BIG_ENDIAN) +- HOST_l2c(c->Nh, p); +- HOST_l2c(c->Nl, p); ++ CRYPTO_store_u32_be(p, c->Nh); ++ CRYPTO_store_u32_be(p + 4, c->Nl); + #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) +- HOST_l2c(c->Nl, p); +- HOST_l2c(c->Nh, p); ++ CRYPTO_store_u32_le(p, c->Nl); ++ CRYPTO_store_u32_le(p + 4, c->Nh); + #endif +- assert(p == c->data + HASH_CBLOCK); + HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); + c->num = 0; + OPENSSL_memset(c->data, 0, HASH_CBLOCK); +diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c +index cc2a631..0551664 100644 +--- a/crypto/fipsmodule/md4/md4.c ++++ b/crypto/fipsmodule/md4/md4.c +@@ -92,17 +92,16 @@ + #define HASH_UPDATE MD4_Update + #define HASH_TRANSFORM MD4_Transform + #define HASH_FINAL MD4_Final +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- uint32_t ll; \ +- ll = (c)->h[0]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[1]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[2]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[3]; \ +- HOST_l2c(ll, (s)); \ ++#define HASH_MAKE_STRING(c, s) \ ++ do { \ ++ CRYPTO_store_u32_le((s), (c)->h[0]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[1]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[2]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[3]); \ ++ (s) += 4; \ + } while (0) + #define HASH_BLOCK_DATA_ORDER md4_block_data_order + +@@ -136,7 +135,7 @@ + } while (0) + + void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) { +- uint32_t A, B, C, D, l; ++ uint32_t A, B, C, D; + uint32_t X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X12, X13, X14, X15; + + A = state[0]; +@@ -145,53 +144,53 @@ + D = state[3]; + + for (; num--;) { +- HOST_c2l(data, l); +- X0 = l; +- HOST_c2l(data, l); +- X1 = l; ++ X0 = CRYPTO_load_u32_le(data); ++ data += 4; ++ X1 = CRYPTO_load_u32_le(data); ++ data += 4; + // Round 0 + R0(A, B, C, D, X0, 3, 0); +- HOST_c2l(data, l); +- X2 = l; ++ X2 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X1, 7, 0); +- HOST_c2l(data, l); +- X3 = l; ++ X3 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X2, 11, 0); +- HOST_c2l(data, l); +- X4 = l; ++ X4 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(B, C, D, A, X3, 19, 0); +- HOST_c2l(data, l); +- X5 = l; ++ X5 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(A, B, C, D, X4, 3, 0); +- HOST_c2l(data, l); +- X6 = l; ++ X6 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X5, 7, 0); +- HOST_c2l(data, l); +- X7 = l; ++ X7 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X6, 11, 0); +- HOST_c2l(data, l); +- X8 = l; ++ X8 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(B, C, D, A, X7, 19, 0); +- HOST_c2l(data, l); +- X9 = l; ++ X9 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(A, B, C, D, X8, 3, 0); +- HOST_c2l(data, l); +- X10 = l; ++ X10 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X9, 7, 0); +- HOST_c2l(data, l); +- X11 = l; ++ X11 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X10, 11, 0); +- HOST_c2l(data, l); +- X12 = l; ++ X12 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(B, C, D, A, X11, 19, 0); +- HOST_c2l(data, l); +- X13 = l; ++ X13 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(A, B, C, D, X12, 3, 0); +- HOST_c2l(data, l); +- X14 = l; ++ X14 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X13, 7, 0); +- HOST_c2l(data, l); +- X15 = l; ++ X15 = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X14, 11, 0); + R0(B, C, D, A, X15, 19, 0); + // Round 1 +@@ -252,5 +251,3 @@ + #undef R0 + #undef R1 + #undef R2 +-#undef HOST_c2l +-#undef HOST_l2c +diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c +index a48d704..bd6bf6a 100644 +--- a/crypto/fipsmodule/md5/md5.c ++++ b/crypto/fipsmodule/md5/md5.c +@@ -98,17 +98,16 @@ + #define HASH_UPDATE MD5_Update + #define HASH_TRANSFORM MD5_Transform + #define HASH_FINAL MD5_Final +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- uint32_t ll; \ +- ll = (c)->h[0]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[1]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[2]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[3]; \ +- HOST_l2c(ll, (s)); \ ++#define HASH_MAKE_STRING(c, s) \ ++ do { \ ++ CRYPTO_store_u32_le((s), (c)->h[0]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[1]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[2]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[3]); \ ++ (s) += 4; \ + } while (0) + #define HASH_BLOCK_DATA_ORDER md5_block_data_order + +@@ -158,7 +157,7 @@ + #endif + static void md5_block_data_order(uint32_t *state, const uint8_t *data, + size_t num) { +- uint32_t A, B, C, D, l; ++ uint32_t A, B, C, D; + uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12, + XX13, XX14, XX15; + #define X(i) XX##i +@@ -169,53 +168,53 @@ + D = state[3]; + + for (; num--;) { +- HOST_c2l(data, l); +- X(0) = l; +- HOST_c2l(data, l); +- X(1) = l; ++ X(0) = CRYPTO_load_u32_le(data); ++ data += 4; ++ X(1) = CRYPTO_load_u32_le(data); ++ data += 4; + // Round 0 + R0(A, B, C, D, X(0), 7, 0xd76aa478L); +- HOST_c2l(data, l); +- X(2) = l; ++ X(2) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X(1), 12, 0xe8c7b756L); +- HOST_c2l(data, l); +- X(3) = l; ++ X(3) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X(2), 17, 0x242070dbL); +- HOST_c2l(data, l); +- X(4) = l; ++ X(4) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(B, C, D, A, X(3), 22, 0xc1bdceeeL); +- HOST_c2l(data, l); +- X(5) = l; ++ X(5) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(A, B, C, D, X(4), 7, 0xf57c0fafL); +- HOST_c2l(data, l); +- X(6) = l; ++ X(6) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X(5), 12, 0x4787c62aL); +- HOST_c2l(data, l); +- X(7) = l; ++ X(7) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X(6), 17, 0xa8304613L); +- HOST_c2l(data, l); +- X(8) = l; ++ X(8) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(B, C, D, A, X(7), 22, 0xfd469501L); +- HOST_c2l(data, l); +- X(9) = l; ++ X(9) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(A, B, C, D, X(8), 7, 0x698098d8L); +- HOST_c2l(data, l); +- X(10) = l; ++ X(10) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X(9), 12, 0x8b44f7afL); +- HOST_c2l(data, l); +- X(11) = l; ++ X(11) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X(10), 17, 0xffff5bb1L); +- HOST_c2l(data, l); +- X(12) = l; ++ X(12) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(B, C, D, A, X(11), 22, 0x895cd7beL); +- HOST_c2l(data, l); +- X(13) = l; ++ X(13) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(A, B, C, D, X(12), 7, 0x6b901122L); +- HOST_c2l(data, l); +- X(14) = l; ++ X(14) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(D, A, B, C, X(13), 12, 0xfd987193L); +- HOST_c2l(data, l); +- X(15) = l; ++ X(15) = CRYPTO_load_u32_le(data); ++ data += 4; + R0(C, D, A, B, X(14), 17, 0xa679438eL); + R0(B, C, D, A, X(15), 22, 0x49b40821L); + // Round 1 +@@ -297,5 +296,3 @@ + #undef R1 + #undef R2 + #undef R3 +-#undef HOST_c2l +-#undef HOST_l2c +diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c +index ee3a186..192580e 100644 +--- a/crypto/fipsmodule/modes/cbc.c ++++ b/crypto/fipsmodule/modes/cbc.c +@@ -52,6 +52,7 @@ + #include + + #include "internal.h" ++#include "../../internal.h" + + + void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, +@@ -68,7 +69,8 @@ + const uint8_t *iv = ivec; + while (len >= 16) { + for (n = 0; n < 16; n += sizeof(crypto_word_t)) { +- store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n)); ++ CRYPTO_store_word_le( ++ out + n, CRYPTO_load_word_le(in + n) ^ CRYPTO_load_word_le(iv + n)); + } + (*block)(out, out, key); + iv = out; +@@ -128,7 +130,8 @@ + while (len >= 16) { + (*block)(in, out, key); + for (n = 0; n < 16; n += sizeof(crypto_word_t)) { +- store_word_le(out + n, load_word_le(out + n) ^ load_word_le(iv + n)); ++ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(out + n) ^ ++ CRYPTO_load_word_le(iv + n)); + } + iv = in; + len -= 16; +@@ -143,10 +146,10 @@ + while (len >= 16) { + (*block)(in, tmp.c, key); + for (n = 0; n < 16; n += sizeof(crypto_word_t)) { +- crypto_word_t c = load_word_le(in + n); +- store_word_le( +- out + n, tmp.t[n / sizeof(crypto_word_t)] ^ load_word_le(ivec + n)); +- store_word_le(ivec + n, c); ++ crypto_word_t c = CRYPTO_load_word_le(in + n); ++ CRYPTO_store_word_le(out + n, tmp.t[n / sizeof(crypto_word_t)] ^ ++ CRYPTO_load_word_le(ivec + n)); ++ CRYPTO_store_word_le(ivec + n, c); + } + len -= 16; + in += 16; +diff --git a/crypto/fipsmodule/modes/cfb.c b/crypto/fipsmodule/modes/cfb.c +index 01291c8..283a107 100644 +--- a/crypto/fipsmodule/modes/cfb.c ++++ b/crypto/fipsmodule/modes/cfb.c +@@ -73,9 +73,10 @@ + while (len >= 16) { + (*block)(ivec, ivec, key); + for (; n < 16; n += sizeof(crypto_word_t)) { +- crypto_word_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n); +- store_word_le(ivec + n, tmp); +- store_word_le(out + n, tmp); ++ crypto_word_t tmp = ++ CRYPTO_load_word_le(ivec + n) ^ CRYPTO_load_word_le(in + n); ++ CRYPTO_store_word_le(ivec + n, tmp); ++ CRYPTO_store_word_le(out + n, tmp); + } + len -= 16; + out += 16; +@@ -102,9 +103,9 @@ + while (len >= 16) { + (*block)(ivec, ivec, key); + for (; n < 16; n += sizeof(crypto_word_t)) { +- crypto_word_t t = load_word_le(in + n); +- store_word_le(out + n, load_word_le(ivec + n) ^ t); +- store_word_le(ivec + n, t); ++ crypto_word_t t = CRYPTO_load_word_le(in + n); ++ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(ivec + n) ^ t); ++ CRYPTO_store_word_le(ivec + n, t); + } + len -= 16; + out += 16; +diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c +index cfb2184..cea79ad 100644 +--- a/crypto/fipsmodule/modes/ctr.c ++++ b/crypto/fipsmodule/modes/ctr.c +@@ -52,6 +52,7 @@ + #include + + #include "internal.h" ++#include "../../internal.h" + + + // NOTE: the IV/counter CTR mode is big-endian. The code itself +@@ -103,8 +104,8 @@ + (*block)(ivec, ecount_buf, key); + ctr128_inc(ivec); + for (n = 0; n < 16; n += sizeof(crypto_word_t)) { +- store_word_le(out + n, +- load_word_le(in + n) ^ load_word_le(ecount_buf + n)); ++ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(in + n) ^ ++ CRYPTO_load_word_le(ecount_buf + n)); + } + len -= 16; + out += 16; +@@ -152,7 +153,7 @@ + n = (n + 1) % 16; + } + +- ctr32 = GETU32(ivec + 12); ++ ctr32 = CRYPTO_load_u32_be(ivec + 12); + while (len >= 16) { + size_t blocks = len / 16; + // 1<<28 is just a not-so-small yet not-so-large number... +@@ -172,7 +173,7 @@ + } + (*func)(in, out, blocks, key, ivec); + // (*func) does not update ivec, caller does: +- PUTU32(ivec + 12, ctr32); ++ CRYPTO_store_u32_be(ivec + 12, ctr32); + // ... overflow was detected, propogate carry. + if (ctr32 == 0) { + ctr96_inc(ivec); +@@ -186,7 +187,7 @@ + OPENSSL_memset(ecount_buf, 0, 16); + (*func)(ecount_buf, ecount_buf, 1, key, ivec); + ++ctr32; +- PUTU32(ivec + 12, ctr32); ++ CRYPTO_store_u32_be(ivec + 12, ctr32); + if (ctr32 == 0) { + ctr96_inc(ivec); + } +diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c +index 077369d..b010cd5 100644 +--- a/crypto/fipsmodule/modes/gcm.c ++++ b/crypto/fipsmodule/modes/gcm.c +@@ -378,8 +378,9 @@ + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); + for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { +- store_word_le(out + i, load_word_le(in + i) ^ +- ctx->EKi.t[i / sizeof(crypto_word_t)]); ++ CRYPTO_store_word_le(out + i, ++ CRYPTO_load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +@@ -395,8 +396,9 @@ + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); + for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { +- store_word_le(out + i, load_word_le(in + i) ^ +- ctx->EKi.t[i / sizeof(crypto_word_t)]); ++ CRYPTO_store_word_le(out + i, ++ CRYPTO_load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +@@ -469,8 +471,9 @@ + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); + for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { +- store_word_le(out + i, load_word_le(in + i) ^ +- ctx->EKi.t[i / sizeof(crypto_word_t)]); ++ CRYPTO_store_word_le(out + i, ++ CRYPTO_load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +@@ -486,8 +489,9 @@ + ++ctr; + ctx->Yi.d[3] = CRYPTO_bswap4(ctr); + for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) { +- store_word_le(out + i, load_word_le(in + i) ^ +- ctx->EKi.t[i / sizeof(crypto_word_t)]); ++ CRYPTO_store_word_le(out + i, ++ CRYPTO_load_word_le(in + i) ^ ++ ctx->EKi.t[i / sizeof(crypto_word_t)]); + } + out += 16; + in += 16; +diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h +index bf25023..2fea558 100644 +--- a/crypto/fipsmodule/modes/internal.h ++++ b/crypto/fipsmodule/modes/internal.h +@@ -64,27 +64,6 @@ + #endif + + +-static inline uint32_t GETU32(const void *in) { +- uint32_t v; +- OPENSSL_memcpy(&v, in, sizeof(v)); +- return CRYPTO_bswap4(v); +-} +- +-static inline void PUTU32(void *out, uint32_t v) { +- v = CRYPTO_bswap4(v); +- OPENSSL_memcpy(out, &v, sizeof(v)); +-} +- +-static inline crypto_word_t load_word_le(const void *in) { +- crypto_word_t v; +- OPENSSL_memcpy(&v, in, sizeof(v)); +- return v; +-} +- +-static inline void store_word_le(void *out, crypto_word_t v) { +- OPENSSL_memcpy(out, &v, sizeof(v)); +-} +- + // block128_f is the type of an AES block cipher implementation. + // + // Unlike upstream OpenSSL, it and the other functions in this file hard-code +diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c +index 3b76194..2f50c67 100644 +--- a/crypto/fipsmodule/sha/sha1.c ++++ b/crypto/fipsmodule/sha/sha1.c +@@ -88,19 +88,18 @@ + #define HASH_CTX SHA_CTX + #define HASH_CBLOCK 64 + #define HASH_DIGEST_LENGTH 20 +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- uint32_t ll; \ +- ll = (c)->h[0]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[1]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[2]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[3]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[4]; \ +- HOST_l2c(ll, (s)); \ ++#define HASH_MAKE_STRING(c, s) \ ++ do { \ ++ CRYPTO_store_u32_be((s), (c)->h[0]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_be((s), (c)->h[1]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_be((s), (c)->h[2]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_be((s), (c)->h[3]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_be((s), (c)->h[4]); \ ++ (s) += 4; \ + } while (0) + + #define HASH_UPDATE SHA1_Update +@@ -193,7 +192,7 @@ + #if !defined(SHA1_ASM) + static void sha1_block_data_order(uint32_t *state, const uint8_t *data, + size_t num) { +- register uint32_t A, B, C, D, E, T, l; ++ register uint32_t A, B, C, D, E, T; + uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, + XX11, XX12, XX13, XX14, XX15; + +@@ -204,52 +203,52 @@ + E = state[4]; + + for (;;) { +- HOST_c2l(data, l); +- X(0) = l; +- HOST_c2l(data, l); +- X(1) = l; ++ X(0) = CRYPTO_load_u32_be(data); ++ data += 4; ++ X(1) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(0, A, B, C, D, E, T, X(0)); +- HOST_c2l(data, l); +- X(2) = l; ++ X(2) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(1, T, A, B, C, D, E, X(1)); +- HOST_c2l(data, l); +- X(3) = l; ++ X(3) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(2, E, T, A, B, C, D, X(2)); +- HOST_c2l(data, l); +- X(4) = l; ++ X(4) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(3, D, E, T, A, B, C, X(3)); +- HOST_c2l(data, l); +- X(5) = l; ++ X(5) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(4, C, D, E, T, A, B, X(4)); +- HOST_c2l(data, l); +- X(6) = l; ++ X(6) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(5, B, C, D, E, T, A, X(5)); +- HOST_c2l(data, l); +- X(7) = l; ++ X(7) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(6, A, B, C, D, E, T, X(6)); +- HOST_c2l(data, l); +- X(8) = l; ++ X(8) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(7, T, A, B, C, D, E, X(7)); +- HOST_c2l(data, l); +- X(9) = l; ++ X(9) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(8, E, T, A, B, C, D, X(8)); +- HOST_c2l(data, l); +- X(10) = l; ++ X(10) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(9, D, E, T, A, B, C, X(9)); +- HOST_c2l(data, l); +- X(11) = l; ++ X(11) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(10, C, D, E, T, A, B, X(10)); +- HOST_c2l(data, l); +- X(12) = l; ++ X(12) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(11, B, C, D, E, T, A, X(11)); +- HOST_c2l(data, l); +- X(13) = l; ++ X(13) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(12, A, B, C, D, E, T, X(12)); +- HOST_c2l(data, l); +- X(14) = l; ++ X(14) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(13, T, A, B, C, D, E, X(13)); +- HOST_c2l(data, l); +- X(15) = l; ++ X(15) = CRYPTO_load_u32_be(data); ++ data += 4; + BODY_00_15(14, E, T, A, B, C, D, X(14)); + BODY_00_15(15, D, E, T, A, B, C, X(15)); + +@@ -367,5 +366,3 @@ + #undef BODY_40_59 + #undef BODY_60_79 + #undef X +-#undef HOST_c2l +-#undef HOST_l2c +diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c +index 0e42446..390ee3a 100644 +--- a/crypto/fipsmodule/sha/sha256.c ++++ b/crypto/fipsmodule/sha/sha256.c +@@ -139,19 +139,18 @@ + // hash 'final' function can fail. This should never happen. + #define HASH_MAKE_STRING(c, s) \ + do { \ +- uint32_t ll; \ + unsigned int nn; \ + switch ((c)->md_len) { \ + case SHA224_DIGEST_LENGTH: \ + for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ +- ll = (c)->h[nn]; \ +- HOST_l2c(ll, (s)); \ ++ CRYPTO_store_u32_be((s), (c)->h[nn]); \ ++ (s) += 4; \ + } \ + break; \ + case SHA256_DIGEST_LENGTH: \ + for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ +- ll = (c)->h[nn]; \ +- HOST_l2c(ll, (s)); \ ++ CRYPTO_store_u32_be((s), (c)->h[nn]); \ ++ (s) += 4; \ + } \ + break; \ + default: \ +@@ -159,8 +158,8 @@ + return 0; \ + } \ + for (nn = 0; nn < (c)->md_len / 4; nn++) { \ +- ll = (c)->h[nn]; \ +- HOST_l2c(ll, (s)); \ ++ CRYPTO_store_u32_be((s), (c)->h[nn]); \ ++ (s) += 4; \ + } \ + break; \ + } \ +@@ -241,55 +240,53 @@ + g = state[6]; + h = state[7]; + +- uint32_t l; +- +- HOST_c2l(data, l); +- T1 = X[0] = l; ++ T1 = X[0] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(0, a, b, c, d, e, f, g, h); +- HOST_c2l(data, l); +- T1 = X[1] = l; ++ T1 = X[1] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(1, h, a, b, c, d, e, f, g); +- HOST_c2l(data, l); +- T1 = X[2] = l; ++ T1 = X[2] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(2, g, h, a, b, c, d, e, f); +- HOST_c2l(data, l); +- T1 = X[3] = l; ++ T1 = X[3] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(3, f, g, h, a, b, c, d, e); +- HOST_c2l(data, l); +- T1 = X[4] = l; ++ T1 = X[4] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(4, e, f, g, h, a, b, c, d); +- HOST_c2l(data, l); +- T1 = X[5] = l; ++ T1 = X[5] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(5, d, e, f, g, h, a, b, c); +- HOST_c2l(data, l); +- T1 = X[6] = l; ++ T1 = X[6] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(6, c, d, e, f, g, h, a, b); +- HOST_c2l(data, l); +- T1 = X[7] = l; ++ T1 = X[7] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(7, b, c, d, e, f, g, h, a); +- HOST_c2l(data, l); +- T1 = X[8] = l; ++ T1 = X[8] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(8, a, b, c, d, e, f, g, h); +- HOST_c2l(data, l); +- T1 = X[9] = l; ++ T1 = X[9] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(9, h, a, b, c, d, e, f, g); +- HOST_c2l(data, l); +- T1 = X[10] = l; ++ T1 = X[10] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(10, g, h, a, b, c, d, e, f); +- HOST_c2l(data, l); +- T1 = X[11] = l; ++ T1 = X[11] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(11, f, g, h, a, b, c, d, e); +- HOST_c2l(data, l); +- T1 = X[12] = l; ++ T1 = X[12] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(12, e, f, g, h, a, b, c, d); +- HOST_c2l(data, l); +- T1 = X[13] = l; ++ T1 = X[13] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(13, d, e, f, g, h, a, b, c); +- HOST_c2l(data, l); +- T1 = X[14] = l; ++ T1 = X[14] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(14, c, d, e, f, g, h, a, b); +- HOST_c2l(data, l); +- T1 = X[15] = l; ++ T1 = X[15] = CRYPTO_load_u32_be(data); ++ data += 4; + ROUND_00_15(15, b, c, d, e, f, g, h, a); + + for (i = 16; i < 64; i += 8) { +@@ -339,5 +336,3 @@ + #undef Maj + #undef ROUND_00_15 + #undef ROUND_16_63 +-#undef HOST_c2l +-#undef HOST_l2c +diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c +index ba86c1e..1f40e7a 100644 +--- a/crypto/fipsmodule/sha/sha512.c ++++ b/crypto/fipsmodule/sha/sha512.c +@@ -256,22 +256,8 @@ + } + + OPENSSL_memset(p + n, 0, sizeof(sha->p) - 16 - n); +- p[sizeof(sha->p) - 1] = (uint8_t)(sha->Nl); +- p[sizeof(sha->p) - 2] = (uint8_t)(sha->Nl >> 8); +- p[sizeof(sha->p) - 3] = (uint8_t)(sha->Nl >> 16); +- p[sizeof(sha->p) - 4] = (uint8_t)(sha->Nl >> 24); +- p[sizeof(sha->p) - 5] = (uint8_t)(sha->Nl >> 32); +- p[sizeof(sha->p) - 6] = (uint8_t)(sha->Nl >> 40); +- p[sizeof(sha->p) - 7] = (uint8_t)(sha->Nl >> 48); +- p[sizeof(sha->p) - 8] = (uint8_t)(sha->Nl >> 56); +- p[sizeof(sha->p) - 9] = (uint8_t)(sha->Nh); +- p[sizeof(sha->p) - 10] = (uint8_t)(sha->Nh >> 8); +- p[sizeof(sha->p) - 11] = (uint8_t)(sha->Nh >> 16); +- p[sizeof(sha->p) - 12] = (uint8_t)(sha->Nh >> 24); +- p[sizeof(sha->p) - 13] = (uint8_t)(sha->Nh >> 32); +- p[sizeof(sha->p) - 14] = (uint8_t)(sha->Nh >> 40); +- p[sizeof(sha->p) - 15] = (uint8_t)(sha->Nh >> 48); +- p[sizeof(sha->p) - 16] = (uint8_t)(sha->Nh >> 56); ++ CRYPTO_store_u64_be(p + sizeof(sha->p) - 16, sha->Nh); ++ CRYPTO_store_u64_be(p + sizeof(sha->p) - 8, sha->Nl); + + sha512_block_data_order(sha->h, p, 1); + +@@ -368,12 +354,6 @@ + #define ROTR(x, s) (((x) >> s) | (x) << (64 - s)) + #endif + +-static inline uint64_t load_u64_be(const void *ptr) { +- uint64_t ret; +- OPENSSL_memcpy(&ret, ptr, sizeof(ret)); +- return CRYPTO_bswap8(ret); +-} +- + #define Sigma0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39)) + #define Sigma1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41)) + #define sigma0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7)) +@@ -404,7 +384,7 @@ + F[7] = state[7]; + + for (i = 0; i < 16; i++, F--) { +- T = load_u64_be(in + i * 8); ++ T = CRYPTO_load_u64_be(in + i * 8); + F[0] = A; + F[4] = E; + F[8] = T; +@@ -476,37 +456,37 @@ + g = state[6]; + h = state[7]; + +- T1 = X[0] = load_u64_be(in); ++ T1 = X[0] = CRYPTO_load_u64_be(in); + ROUND_00_15(0, a, b, c, d, e, f, g, h); +- T1 = X[1] = load_u64_be(in + 8); ++ T1 = X[1] = CRYPTO_load_u64_be(in + 8); + ROUND_00_15(1, h, a, b, c, d, e, f, g); +- T1 = X[2] = load_u64_be(in + 2 * 8); ++ T1 = X[2] = CRYPTO_load_u64_be(in + 2 * 8); + ROUND_00_15(2, g, h, a, b, c, d, e, f); +- T1 = X[3] = load_u64_be(in + 3 * 8); ++ T1 = X[3] = CRYPTO_load_u64_be(in + 3 * 8); + ROUND_00_15(3, f, g, h, a, b, c, d, e); +- T1 = X[4] = load_u64_be(in + 4 * 8); ++ T1 = X[4] = CRYPTO_load_u64_be(in + 4 * 8); + ROUND_00_15(4, e, f, g, h, a, b, c, d); +- T1 = X[5] = load_u64_be(in + 5 * 8); ++ T1 = X[5] = CRYPTO_load_u64_be(in + 5 * 8); + ROUND_00_15(5, d, e, f, g, h, a, b, c); +- T1 = X[6] = load_u64_be(in + 6 * 8); ++ T1 = X[6] = CRYPTO_load_u64_be(in + 6 * 8); + ROUND_00_15(6, c, d, e, f, g, h, a, b); +- T1 = X[7] = load_u64_be(in + 7 * 8); ++ T1 = X[7] = CRYPTO_load_u64_be(in + 7 * 8); + ROUND_00_15(7, b, c, d, e, f, g, h, a); +- T1 = X[8] = load_u64_be(in + 8 * 8); ++ T1 = X[8] = CRYPTO_load_u64_be(in + 8 * 8); + ROUND_00_15(8, a, b, c, d, e, f, g, h); +- T1 = X[9] = load_u64_be(in + 9 * 8); ++ T1 = X[9] = CRYPTO_load_u64_be(in + 9 * 8); + ROUND_00_15(9, h, a, b, c, d, e, f, g); +- T1 = X[10] = load_u64_be(in + 10 * 8); ++ T1 = X[10] = CRYPTO_load_u64_be(in + 10 * 8); + ROUND_00_15(10, g, h, a, b, c, d, e, f); +- T1 = X[11] = load_u64_be(in + 11 * 8); ++ T1 = X[11] = CRYPTO_load_u64_be(in + 11 * 8); + ROUND_00_15(11, f, g, h, a, b, c, d, e); +- T1 = X[12] = load_u64_be(in + 12 * 8); ++ T1 = X[12] = CRYPTO_load_u64_be(in + 12 * 8); + ROUND_00_15(12, e, f, g, h, a, b, c, d); +- T1 = X[13] = load_u64_be(in + 13 * 8); ++ T1 = X[13] = CRYPTO_load_u64_be(in + 13 * 8); + ROUND_00_15(13, d, e, f, g, h, a, b, c); +- T1 = X[14] = load_u64_be(in + 14 * 8); ++ T1 = X[14] = CRYPTO_load_u64_be(in + 14 * 8); + ROUND_00_15(14, c, d, e, f, g, h, a, b); +- T1 = X[15] = load_u64_be(in + 15 * 8); ++ T1 = X[15] = CRYPTO_load_u64_be(in + 15 * 8); + ROUND_00_15(15, b, c, d, e, f, g, h, a); + + for (i = 16; i < 80; i += 16) { +diff --git a/crypto/internal.h b/crypto/internal.h +index 51d1d9c..14c60e0 100644 +--- a/crypto/internal.h ++++ b/crypto/internal.h +@@ -819,6 +819,58 @@ + return memset(dst, c, n); + } + ++ ++// Loads and stores. ++// ++// The following functions load and store sized integers with the specified ++// endianness. They use |memcpy|, and so avoid alignment or strict aliasing ++// requirements on the input and output pointers. ++ ++static inline uint32_t CRYPTO_load_u32_le(const void *in) { ++ uint32_t v; ++ OPENSSL_memcpy(&v, in, sizeof(v)); ++ return v; ++} ++ ++static inline void CRYPTO_store_u32_le(void *out, uint32_t v) { ++ OPENSSL_memcpy(out, &v, sizeof(v)); ++} ++ ++static inline uint32_t CRYPTO_load_u32_be(const void *in) { ++ uint32_t v; ++ OPENSSL_memcpy(&v, in, sizeof(v)); ++ return CRYPTO_bswap4(v); ++} ++ ++static inline void CRYPTO_store_u32_be(void *out, uint32_t v) { ++ v = CRYPTO_bswap4(v); ++ OPENSSL_memcpy(out, &v, sizeof(v)); ++} ++ ++static inline uint64_t CRYPTO_load_u64_be(const void *ptr) { ++ uint64_t ret; ++ OPENSSL_memcpy(&ret, ptr, sizeof(ret)); ++ return CRYPTO_bswap8(ret); ++} ++ ++static inline void CRYPTO_store_u64_be(void *out, uint64_t v) { ++ v = CRYPTO_bswap8(v); ++ OPENSSL_memcpy(out, &v, sizeof(v)); ++} ++ ++static inline crypto_word_t CRYPTO_load_word_le(const void *in) { ++ crypto_word_t v; ++ OPENSSL_memcpy(&v, in, sizeof(v)); ++ return v; ++} ++ ++static inline void CRYPTO_store_word_le(void *out, crypto_word_t v) { ++ OPENSSL_memcpy(out, &v, sizeof(v)); ++} ++ ++ ++// FIPS functions. ++ + #if defined(BORINGSSL_FIPS) + // BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test + // fails. It prevents any further cryptographic operations by the current +diff --git a/decrepit/ripemd/internal.h b/decrepit/ripemd/internal.h +index 089be15..6be563d 100644 +--- a/decrepit/ripemd/internal.h ++++ b/decrepit/ripemd/internal.h +@@ -59,6 +59,8 @@ + + #include + ++#include "../../crypto/internal.h" ++ + #if defined(__cplusplus) + extern "C" { + #endif +@@ -76,20 +78,20 @@ + #define HASH_UPDATE RIPEMD160_Update + #define HASH_TRANSFORM RIPEMD160_Transform + #define HASH_FINAL RIPEMD160_Final +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- unsigned long ll; \ +- ll = (c)->h[0]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[1]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[2]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[3]; \ +- HOST_l2c(ll, (s)); \ +- ll = (c)->h[4]; \ +- HOST_l2c(ll, (s)); \ ++#define HASH_MAKE_STRING(c, s) \ ++ do { \ ++ CRYPTO_store_u32_le((s), (c)->h[0]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[1]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[2]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[3]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[4]); \ ++ (s) += 4; \ + } while (0) ++ + #define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order + + #include "../../crypto/fipsmodule/digest/md32_common.h" +diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c +index 17b3fdf..f0c87cf 100644 +--- a/decrepit/ripemd/ripemd.c ++++ b/decrepit/ripemd/ripemd.c +@@ -74,7 +74,7 @@ + static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, + size_t num) { + uint32_t A, B, C, D, E; +- uint32_t a, b, c, d, e, l; ++ uint32_t a, b, c, d, e; + uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12, + XX13, XX14, XX15; + #define X(i) XX##i +@@ -86,52 +86,52 @@ + D = h[3]; + E = h[4]; + +- HOST_c2l(data, l); +- X(0) = l; +- HOST_c2l(data, l); +- X(1) = l; ++ X(0) = CRYPTO_load_u32_le(data); ++ data += 4; ++ X(1) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(A, B, C, D, E, WL00, SL00); +- HOST_c2l(data, l); +- X(2) = l; ++ X(2) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(E, A, B, C, D, WL01, SL01); +- HOST_c2l(data, l); +- X(3) = l; ++ X(3) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(D, E, A, B, C, WL02, SL02); +- HOST_c2l(data, l); +- X(4) = l; ++ X(4) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(C, D, E, A, B, WL03, SL03); +- HOST_c2l(data, l); +- X(5) = l; ++ X(5) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(B, C, D, E, A, WL04, SL04); +- HOST_c2l(data, l); +- X(6) = l; ++ X(6) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(A, B, C, D, E, WL05, SL05); +- HOST_c2l(data, l); +- X(7) = l; ++ X(7) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(E, A, B, C, D, WL06, SL06); +- HOST_c2l(data, l); +- X(8) = l; ++ X(8) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(D, E, A, B, C, WL07, SL07); +- HOST_c2l(data, l); +- X(9) = l; ++ X(9) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(C, D, E, A, B, WL08, SL08); +- HOST_c2l(data, l); +- X(10) = l; ++ X(10) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(B, C, D, E, A, WL09, SL09); +- HOST_c2l(data, l); +- X(11) = l; ++ X(11) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(A, B, C, D, E, WL10, SL10); +- HOST_c2l(data, l); +- X(12) = l; ++ X(12) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(E, A, B, C, D, WL11, SL11); +- HOST_c2l(data, l); +- X(13) = l; ++ X(13) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(D, E, A, B, C, WL12, SL12); +- HOST_c2l(data, l); +- X(14) = l; ++ X(14) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(C, D, E, A, B, WL13, SL13); +- HOST_c2l(data, l); +- X(15) = l; ++ X(15) = CRYPTO_load_u32_le(data); ++ data += 4; + RIP1(B, C, D, E, A, WL14, SL14); + RIP1(A, B, C, D, E, WL15, SL15); + diff --git a/patches/boringssl/0007-Fold-ripemd-internal.h-into-ripemd.c.patch b/patches/boringssl/0007-Fold-ripemd-internal.h-into-ripemd.c.patch new file mode 100644 index 0000000..8a0adde --- /dev/null +++ b/patches/boringssl/0007-Fold-ripemd-internal.h-into-ripemd.c.patch @@ -0,0 +1,959 @@ +From 15e0f6784bb986d44a170f131c6687a54822bedf Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Mon, 29 Mar 2021 14:16:58 -0400 +Subject: [PATCH] Fold ripemd/internal.h into ripemd.c. + +It's only used from that file and, given the names defined by it, +probably isn't usable by other files anyway. + +Change-Id: Ice205408962ade00c1dcb51406da3ef2fd7f0393 +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46426 +Reviewed-by: Adam Langley +--- + +diff --git a/decrepit/ripemd/internal.h b/decrepit/ripemd/internal.h +deleted file mode 100644 +index 6be563d..0000000 +--- a/decrepit/ripemd/internal.h ++++ /dev/null +@@ -1,496 +0,0 @@ +-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) +- * All rights reserved. +- * +- * This package is an SSL implementation written +- * by Eric Young (eay@cryptsoft.com). +- * The implementation was written so as to conform with Netscapes SSL. +- * +- * This library is free for commercial and non-commercial use as long as +- * the following conditions are aheared to. The following conditions +- * apply to all code found in this distribution, be it the RC4, RSA, +- * lhash, DES, etc., code; not just the SSL code. The SSL documentation +- * included with this distribution is covered by the same copyright terms +- * except that the holder is Tim Hudson (tjh@cryptsoft.com). +- * +- * Copyright remains Eric Young's, and as such any Copyright notices in +- * the code are not to be removed. +- * If this package is used in a product, Eric Young should be given attribution +- * as the author of the parts of the library used. +- * This can be in the form of a textual message at program startup or +- * in documentation (online or textual) provided with the package. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * 1. Redistributions of source code must retain the copyright +- * notice, this list of conditions and the following disclaimer. +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in the +- * documentation and/or other materials provided with the distribution. +- * 3. All advertising materials mentioning features or use of this software +- * must display the following acknowledgement: +- * "This product includes cryptographic software written by +- * Eric Young (eay@cryptsoft.com)" +- * The word 'cryptographic' can be left out if the rouines from the library +- * being used are not cryptographic related :-). +- * 4. If you include any Windows specific code (or a derivative thereof) from +- * the apps directory (application code) you must include an acknowledgement: +- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" +- * +- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. +- * +- * The licence and distribution terms for any publically available version or +- * derivative of this code cannot be changed. i.e. this code cannot simply be +- * copied and put under another distribution licence +- * [including the GNU Public Licence.] */ +- +-#ifndef OPENSSL_HEADER_RIPEMD_INTERNAL_H +-#define OPENSSL_HEADER_RIPEMD_INTERNAL_H +- +-#include +- +-#include "../../crypto/internal.h" +- +-#if defined(__cplusplus) +-extern "C" { +-#endif +- +- +-static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, +- size_t num); +- +-#define DATA_ORDER_IS_LITTLE_ENDIAN +- +-#define HASH_LONG uint32_t +-#define HASH_CTX RIPEMD160_CTX +-#define HASH_CBLOCK RIPEMD160_CBLOCK +-#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH +-#define HASH_UPDATE RIPEMD160_Update +-#define HASH_TRANSFORM RIPEMD160_Transform +-#define HASH_FINAL RIPEMD160_Final +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- CRYPTO_store_u32_le((s), (c)->h[0]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[1]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[2]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[3]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[4]); \ +- (s) += 4; \ +- } while (0) +- +-#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order +- +-#include "../../crypto/fipsmodule/digest/md32_common.h" +- +-// Transformed F2 and F4 are courtesy of Wei Dai +-#define F1(x, y, z) ((x) ^ (y) ^ (z)) +-#define F2(x, y, z) ((((y) ^ (z)) & (x)) ^ (z)) +-#define F3(x, y, z) (((~(y)) | (x)) ^ (z)) +-#define F4(x, y, z) ((((x) ^ (y)) & (z)) ^ (y)) +-#define F5(x, y, z) (((~(z)) | (y)) ^ (x)) +- +-#define RIPEMD160_A 0x67452301L +-#define RIPEMD160_B 0xEFCDAB89L +-#define RIPEMD160_C 0x98BADCFEL +-#define RIPEMD160_D 0x10325476L +-#define RIPEMD160_E 0xC3D2E1F0L +- +-#define ROTATE(a, n) (((a) << (n)) | (((a)&0xffffffff) >> (32 - (n)))) +- +-#define RIP1(a, b, c, d, e, w, s) \ +- { \ +- a += F1(b, c, d) + X(w); \ +- a = ROTATE(a, s) + e; \ +- c = ROTATE(c, 10); \ +- } +- +-#define RIP2(a, b, c, d, e, w, s, K) \ +- { \ +- a += F2(b, c, d) + X(w) + K; \ +- a = ROTATE(a, s) + e; \ +- c = ROTATE(c, 10); \ +- } +- +-#define RIP3(a, b, c, d, e, w, s, K) \ +- { \ +- a += F3(b, c, d) + X(w) + K; \ +- a = ROTATE(a, s) + e; \ +- c = ROTATE(c, 10); \ +- } +- +-#define RIP4(a, b, c, d, e, w, s, K) \ +- { \ +- a += F4(b, c, d) + X(w) + K; \ +- a = ROTATE(a, s) + e; \ +- c = ROTATE(c, 10); \ +- } +- +-#define RIP5(a, b, c, d, e, w, s, K) \ +- { \ +- a += F5(b, c, d) + X(w) + K; \ +- a = ROTATE(a, s) + e; \ +- c = ROTATE(c, 10); \ +- } +- +-#define KL0 0x00000000L +-#define KL1 0x5A827999L +-#define KL2 0x6ED9EBA1L +-#define KL3 0x8F1BBCDCL +-#define KL4 0xA953FD4EL +- +-#define KR0 0x50A28BE6L +-#define KR1 0x5C4DD124L +-#define KR2 0x6D703EF3L +-#define KR3 0x7A6D76E9L +-#define KR4 0x00000000L +- +-#define WL00 0 +-#define SL00 11 +-#define WL01 1 +-#define SL01 14 +-#define WL02 2 +-#define SL02 15 +-#define WL03 3 +-#define SL03 12 +-#define WL04 4 +-#define SL04 5 +-#define WL05 5 +-#define SL05 8 +-#define WL06 6 +-#define SL06 7 +-#define WL07 7 +-#define SL07 9 +-#define WL08 8 +-#define SL08 11 +-#define WL09 9 +-#define SL09 13 +-#define WL10 10 +-#define SL10 14 +-#define WL11 11 +-#define SL11 15 +-#define WL12 12 +-#define SL12 6 +-#define WL13 13 +-#define SL13 7 +-#define WL14 14 +-#define SL14 9 +-#define WL15 15 +-#define SL15 8 +- +-#define WL16 7 +-#define SL16 7 +-#define WL17 4 +-#define SL17 6 +-#define WL18 13 +-#define SL18 8 +-#define WL19 1 +-#define SL19 13 +-#define WL20 10 +-#define SL20 11 +-#define WL21 6 +-#define SL21 9 +-#define WL22 15 +-#define SL22 7 +-#define WL23 3 +-#define SL23 15 +-#define WL24 12 +-#define SL24 7 +-#define WL25 0 +-#define SL25 12 +-#define WL26 9 +-#define SL26 15 +-#define WL27 5 +-#define SL27 9 +-#define WL28 2 +-#define SL28 11 +-#define WL29 14 +-#define SL29 7 +-#define WL30 11 +-#define SL30 13 +-#define WL31 8 +-#define SL31 12 +- +-#define WL32 3 +-#define SL32 11 +-#define WL33 10 +-#define SL33 13 +-#define WL34 14 +-#define SL34 6 +-#define WL35 4 +-#define SL35 7 +-#define WL36 9 +-#define SL36 14 +-#define WL37 15 +-#define SL37 9 +-#define WL38 8 +-#define SL38 13 +-#define WL39 1 +-#define SL39 15 +-#define WL40 2 +-#define SL40 14 +-#define WL41 7 +-#define SL41 8 +-#define WL42 0 +-#define SL42 13 +-#define WL43 6 +-#define SL43 6 +-#define WL44 13 +-#define SL44 5 +-#define WL45 11 +-#define SL45 12 +-#define WL46 5 +-#define SL46 7 +-#define WL47 12 +-#define SL47 5 +- +-#define WL48 1 +-#define SL48 11 +-#define WL49 9 +-#define SL49 12 +-#define WL50 11 +-#define SL50 14 +-#define WL51 10 +-#define SL51 15 +-#define WL52 0 +-#define SL52 14 +-#define WL53 8 +-#define SL53 15 +-#define WL54 12 +-#define SL54 9 +-#define WL55 4 +-#define SL55 8 +-#define WL56 13 +-#define SL56 9 +-#define WL57 3 +-#define SL57 14 +-#define WL58 7 +-#define SL58 5 +-#define WL59 15 +-#define SL59 6 +-#define WL60 14 +-#define SL60 8 +-#define WL61 5 +-#define SL61 6 +-#define WL62 6 +-#define SL62 5 +-#define WL63 2 +-#define SL63 12 +- +-#define WL64 4 +-#define SL64 9 +-#define WL65 0 +-#define SL65 15 +-#define WL66 5 +-#define SL66 5 +-#define WL67 9 +-#define SL67 11 +-#define WL68 7 +-#define SL68 6 +-#define WL69 12 +-#define SL69 8 +-#define WL70 2 +-#define SL70 13 +-#define WL71 10 +-#define SL71 12 +-#define WL72 14 +-#define SL72 5 +-#define WL73 1 +-#define SL73 12 +-#define WL74 3 +-#define SL74 13 +-#define WL75 8 +-#define SL75 14 +-#define WL76 11 +-#define SL76 11 +-#define WL77 6 +-#define SL77 8 +-#define WL78 15 +-#define SL78 5 +-#define WL79 13 +-#define SL79 6 +- +-#define WR00 5 +-#define SR00 8 +-#define WR01 14 +-#define SR01 9 +-#define WR02 7 +-#define SR02 9 +-#define WR03 0 +-#define SR03 11 +-#define WR04 9 +-#define SR04 13 +-#define WR05 2 +-#define SR05 15 +-#define WR06 11 +-#define SR06 15 +-#define WR07 4 +-#define SR07 5 +-#define WR08 13 +-#define SR08 7 +-#define WR09 6 +-#define SR09 7 +-#define WR10 15 +-#define SR10 8 +-#define WR11 8 +-#define SR11 11 +-#define WR12 1 +-#define SR12 14 +-#define WR13 10 +-#define SR13 14 +-#define WR14 3 +-#define SR14 12 +-#define WR15 12 +-#define SR15 6 +- +-#define WR16 6 +-#define SR16 9 +-#define WR17 11 +-#define SR17 13 +-#define WR18 3 +-#define SR18 15 +-#define WR19 7 +-#define SR19 7 +-#define WR20 0 +-#define SR20 12 +-#define WR21 13 +-#define SR21 8 +-#define WR22 5 +-#define SR22 9 +-#define WR23 10 +-#define SR23 11 +-#define WR24 14 +-#define SR24 7 +-#define WR25 15 +-#define SR25 7 +-#define WR26 8 +-#define SR26 12 +-#define WR27 12 +-#define SR27 7 +-#define WR28 4 +-#define SR28 6 +-#define WR29 9 +-#define SR29 15 +-#define WR30 1 +-#define SR30 13 +-#define WR31 2 +-#define SR31 11 +- +-#define WR32 15 +-#define SR32 9 +-#define WR33 5 +-#define SR33 7 +-#define WR34 1 +-#define SR34 15 +-#define WR35 3 +-#define SR35 11 +-#define WR36 7 +-#define SR36 8 +-#define WR37 14 +-#define SR37 6 +-#define WR38 6 +-#define SR38 6 +-#define WR39 9 +-#define SR39 14 +-#define WR40 11 +-#define SR40 12 +-#define WR41 8 +-#define SR41 13 +-#define WR42 12 +-#define SR42 5 +-#define WR43 2 +-#define SR43 14 +-#define WR44 10 +-#define SR44 13 +-#define WR45 0 +-#define SR45 13 +-#define WR46 4 +-#define SR46 7 +-#define WR47 13 +-#define SR47 5 +- +-#define WR48 8 +-#define SR48 15 +-#define WR49 6 +-#define SR49 5 +-#define WR50 4 +-#define SR50 8 +-#define WR51 1 +-#define SR51 11 +-#define WR52 3 +-#define SR52 14 +-#define WR53 11 +-#define SR53 14 +-#define WR54 15 +-#define SR54 6 +-#define WR55 0 +-#define SR55 14 +-#define WR56 5 +-#define SR56 6 +-#define WR57 12 +-#define SR57 9 +-#define WR58 2 +-#define SR58 12 +-#define WR59 13 +-#define SR59 9 +-#define WR60 9 +-#define SR60 12 +-#define WR61 7 +-#define SR61 5 +-#define WR62 10 +-#define SR62 15 +-#define WR63 14 +-#define SR63 8 +- +-#define WR64 12 +-#define SR64 8 +-#define WR65 15 +-#define SR65 5 +-#define WR66 10 +-#define SR66 12 +-#define WR67 4 +-#define SR67 9 +-#define WR68 1 +-#define SR68 12 +-#define WR69 5 +-#define SR69 5 +-#define WR70 8 +-#define SR70 14 +-#define WR71 7 +-#define SR71 6 +-#define WR72 6 +-#define SR72 8 +-#define WR73 2 +-#define SR73 13 +-#define WR74 13 +-#define SR74 6 +-#define WR75 14 +-#define SR75 5 +-#define WR76 0 +-#define SR76 15 +-#define WR77 3 +-#define SR77 13 +-#define WR78 9 +-#define SR78 11 +-#define WR79 11 +-#define SR79 11 +- +- +-#if defined(__cplusplus) +-} // extern C +-#endif +- +-#endif // OPENSSL_HEADER_RIPEMD_INTERNAL_H +diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c +index f0c87cf..50329c7 100644 +--- a/decrepit/ripemd/ripemd.c ++++ b/decrepit/ripemd/ripemd.c +@@ -58,9 +58,15 @@ + + #include + +-#include "internal.h" ++#include "../../crypto/internal.h" + + ++#define RIPEMD160_A 0x67452301L ++#define RIPEMD160_B 0xEFCDAB89L ++#define RIPEMD160_C 0x98BADCFEL ++#define RIPEMD160_D 0x10325476L ++#define RIPEMD160_E 0xC3D2E1F0L ++ + int RIPEMD160_Init(RIPEMD160_CTX *ctx) { + OPENSSL_memset(ctx, 0, sizeof(*ctx)); + ctx->h[0] = RIPEMD160_A; +@@ -72,6 +78,422 @@ + } + + static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, ++ size_t num); ++ ++#define DATA_ORDER_IS_LITTLE_ENDIAN ++ ++#define HASH_LONG uint32_t ++#define HASH_CTX RIPEMD160_CTX ++#define HASH_CBLOCK RIPEMD160_CBLOCK ++#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH ++#define HASH_UPDATE RIPEMD160_Update ++#define HASH_TRANSFORM RIPEMD160_Transform ++#define HASH_FINAL RIPEMD160_Final ++#define HASH_MAKE_STRING(c, s) \ ++ do { \ ++ CRYPTO_store_u32_le((s), (c)->h[0]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[1]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[2]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[3]); \ ++ (s) += 4; \ ++ CRYPTO_store_u32_le((s), (c)->h[4]); \ ++ (s) += 4; \ ++ } while (0) ++ ++#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order ++ ++#include "../../crypto/fipsmodule/digest/md32_common.h" ++ ++// Transformed F2 and F4 are courtesy of Wei Dai ++#define F1(x, y, z) ((x) ^ (y) ^ (z)) ++#define F2(x, y, z) ((((y) ^ (z)) & (x)) ^ (z)) ++#define F3(x, y, z) (((~(y)) | (x)) ^ (z)) ++#define F4(x, y, z) ((((x) ^ (y)) & (z)) ^ (y)) ++#define F5(x, y, z) (((~(z)) | (y)) ^ (x)) ++ ++#define ROTATE(a, n) (((a) << (n)) | (((a)&0xffffffff) >> (32 - (n)))) ++ ++#define RIP1(a, b, c, d, e, w, s) \ ++ { \ ++ a += F1(b, c, d) + X(w); \ ++ a = ROTATE(a, s) + e; \ ++ c = ROTATE(c, 10); \ ++ } ++ ++#define RIP2(a, b, c, d, e, w, s, K) \ ++ { \ ++ a += F2(b, c, d) + X(w) + K; \ ++ a = ROTATE(a, s) + e; \ ++ c = ROTATE(c, 10); \ ++ } ++ ++#define RIP3(a, b, c, d, e, w, s, K) \ ++ { \ ++ a += F3(b, c, d) + X(w) + K; \ ++ a = ROTATE(a, s) + e; \ ++ c = ROTATE(c, 10); \ ++ } ++ ++#define RIP4(a, b, c, d, e, w, s, K) \ ++ { \ ++ a += F4(b, c, d) + X(w) + K; \ ++ a = ROTATE(a, s) + e; \ ++ c = ROTATE(c, 10); \ ++ } ++ ++#define RIP5(a, b, c, d, e, w, s, K) \ ++ { \ ++ a += F5(b, c, d) + X(w) + K; \ ++ a = ROTATE(a, s) + e; \ ++ c = ROTATE(c, 10); \ ++ } ++ ++#define KL0 0x00000000L ++#define KL1 0x5A827999L ++#define KL2 0x6ED9EBA1L ++#define KL3 0x8F1BBCDCL ++#define KL4 0xA953FD4EL ++ ++#define KR0 0x50A28BE6L ++#define KR1 0x5C4DD124L ++#define KR2 0x6D703EF3L ++#define KR3 0x7A6D76E9L ++#define KR4 0x00000000L ++ ++#define WL00 0 ++#define SL00 11 ++#define WL01 1 ++#define SL01 14 ++#define WL02 2 ++#define SL02 15 ++#define WL03 3 ++#define SL03 12 ++#define WL04 4 ++#define SL04 5 ++#define WL05 5 ++#define SL05 8 ++#define WL06 6 ++#define SL06 7 ++#define WL07 7 ++#define SL07 9 ++#define WL08 8 ++#define SL08 11 ++#define WL09 9 ++#define SL09 13 ++#define WL10 10 ++#define SL10 14 ++#define WL11 11 ++#define SL11 15 ++#define WL12 12 ++#define SL12 6 ++#define WL13 13 ++#define SL13 7 ++#define WL14 14 ++#define SL14 9 ++#define WL15 15 ++#define SL15 8 ++ ++#define WL16 7 ++#define SL16 7 ++#define WL17 4 ++#define SL17 6 ++#define WL18 13 ++#define SL18 8 ++#define WL19 1 ++#define SL19 13 ++#define WL20 10 ++#define SL20 11 ++#define WL21 6 ++#define SL21 9 ++#define WL22 15 ++#define SL22 7 ++#define WL23 3 ++#define SL23 15 ++#define WL24 12 ++#define SL24 7 ++#define WL25 0 ++#define SL25 12 ++#define WL26 9 ++#define SL26 15 ++#define WL27 5 ++#define SL27 9 ++#define WL28 2 ++#define SL28 11 ++#define WL29 14 ++#define SL29 7 ++#define WL30 11 ++#define SL30 13 ++#define WL31 8 ++#define SL31 12 ++ ++#define WL32 3 ++#define SL32 11 ++#define WL33 10 ++#define SL33 13 ++#define WL34 14 ++#define SL34 6 ++#define WL35 4 ++#define SL35 7 ++#define WL36 9 ++#define SL36 14 ++#define WL37 15 ++#define SL37 9 ++#define WL38 8 ++#define SL38 13 ++#define WL39 1 ++#define SL39 15 ++#define WL40 2 ++#define SL40 14 ++#define WL41 7 ++#define SL41 8 ++#define WL42 0 ++#define SL42 13 ++#define WL43 6 ++#define SL43 6 ++#define WL44 13 ++#define SL44 5 ++#define WL45 11 ++#define SL45 12 ++#define WL46 5 ++#define SL46 7 ++#define WL47 12 ++#define SL47 5 ++ ++#define WL48 1 ++#define SL48 11 ++#define WL49 9 ++#define SL49 12 ++#define WL50 11 ++#define SL50 14 ++#define WL51 10 ++#define SL51 15 ++#define WL52 0 ++#define SL52 14 ++#define WL53 8 ++#define SL53 15 ++#define WL54 12 ++#define SL54 9 ++#define WL55 4 ++#define SL55 8 ++#define WL56 13 ++#define SL56 9 ++#define WL57 3 ++#define SL57 14 ++#define WL58 7 ++#define SL58 5 ++#define WL59 15 ++#define SL59 6 ++#define WL60 14 ++#define SL60 8 ++#define WL61 5 ++#define SL61 6 ++#define WL62 6 ++#define SL62 5 ++#define WL63 2 ++#define SL63 12 ++ ++#define WL64 4 ++#define SL64 9 ++#define WL65 0 ++#define SL65 15 ++#define WL66 5 ++#define SL66 5 ++#define WL67 9 ++#define SL67 11 ++#define WL68 7 ++#define SL68 6 ++#define WL69 12 ++#define SL69 8 ++#define WL70 2 ++#define SL70 13 ++#define WL71 10 ++#define SL71 12 ++#define WL72 14 ++#define SL72 5 ++#define WL73 1 ++#define SL73 12 ++#define WL74 3 ++#define SL74 13 ++#define WL75 8 ++#define SL75 14 ++#define WL76 11 ++#define SL76 11 ++#define WL77 6 ++#define SL77 8 ++#define WL78 15 ++#define SL78 5 ++#define WL79 13 ++#define SL79 6 ++ ++#define WR00 5 ++#define SR00 8 ++#define WR01 14 ++#define SR01 9 ++#define WR02 7 ++#define SR02 9 ++#define WR03 0 ++#define SR03 11 ++#define WR04 9 ++#define SR04 13 ++#define WR05 2 ++#define SR05 15 ++#define WR06 11 ++#define SR06 15 ++#define WR07 4 ++#define SR07 5 ++#define WR08 13 ++#define SR08 7 ++#define WR09 6 ++#define SR09 7 ++#define WR10 15 ++#define SR10 8 ++#define WR11 8 ++#define SR11 11 ++#define WR12 1 ++#define SR12 14 ++#define WR13 10 ++#define SR13 14 ++#define WR14 3 ++#define SR14 12 ++#define WR15 12 ++#define SR15 6 ++ ++#define WR16 6 ++#define SR16 9 ++#define WR17 11 ++#define SR17 13 ++#define WR18 3 ++#define SR18 15 ++#define WR19 7 ++#define SR19 7 ++#define WR20 0 ++#define SR20 12 ++#define WR21 13 ++#define SR21 8 ++#define WR22 5 ++#define SR22 9 ++#define WR23 10 ++#define SR23 11 ++#define WR24 14 ++#define SR24 7 ++#define WR25 15 ++#define SR25 7 ++#define WR26 8 ++#define SR26 12 ++#define WR27 12 ++#define SR27 7 ++#define WR28 4 ++#define SR28 6 ++#define WR29 9 ++#define SR29 15 ++#define WR30 1 ++#define SR30 13 ++#define WR31 2 ++#define SR31 11 ++ ++#define WR32 15 ++#define SR32 9 ++#define WR33 5 ++#define SR33 7 ++#define WR34 1 ++#define SR34 15 ++#define WR35 3 ++#define SR35 11 ++#define WR36 7 ++#define SR36 8 ++#define WR37 14 ++#define SR37 6 ++#define WR38 6 ++#define SR38 6 ++#define WR39 9 ++#define SR39 14 ++#define WR40 11 ++#define SR40 12 ++#define WR41 8 ++#define SR41 13 ++#define WR42 12 ++#define SR42 5 ++#define WR43 2 ++#define SR43 14 ++#define WR44 10 ++#define SR44 13 ++#define WR45 0 ++#define SR45 13 ++#define WR46 4 ++#define SR46 7 ++#define WR47 13 ++#define SR47 5 ++ ++#define WR48 8 ++#define SR48 15 ++#define WR49 6 ++#define SR49 5 ++#define WR50 4 ++#define SR50 8 ++#define WR51 1 ++#define SR51 11 ++#define WR52 3 ++#define SR52 14 ++#define WR53 11 ++#define SR53 14 ++#define WR54 15 ++#define SR54 6 ++#define WR55 0 ++#define SR55 14 ++#define WR56 5 ++#define SR56 6 ++#define WR57 12 ++#define SR57 9 ++#define WR58 2 ++#define SR58 12 ++#define WR59 13 ++#define SR59 9 ++#define WR60 9 ++#define SR60 12 ++#define WR61 7 ++#define SR61 5 ++#define WR62 10 ++#define SR62 15 ++#define WR63 14 ++#define SR63 8 ++ ++#define WR64 12 ++#define SR64 8 ++#define WR65 15 ++#define SR65 5 ++#define WR66 10 ++#define SR66 12 ++#define WR67 4 ++#define SR67 9 ++#define WR68 1 ++#define SR68 12 ++#define WR69 5 ++#define SR69 5 ++#define WR70 8 ++#define SR70 14 ++#define WR71 7 ++#define SR71 6 ++#define WR72 6 ++#define SR72 8 ++#define WR73 2 ++#define SR73 13 ++#define WR74 13 ++#define SR74 6 ++#define WR75 14 ++#define SR75 5 ++#define WR76 0 ++#define SR76 15 ++#define WR77 3 ++#define SR77 13 ++#define WR78 9 ++#define SR78 11 ++#define WR79 11 ++#define SR79 11 ++ ++static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, + size_t num) { + uint32_t A, B, C, D, E; + uint32_t a, b, c, d, e; diff --git a/patches/boringssl/0008-Pull-HASH_TRANSFORM-out-of-md32_common.h.patch b/patches/boringssl/0008-Pull-HASH_TRANSFORM-out-of-md32_common.h.patch new file mode 100644 index 0000000..bb2769e --- /dev/null +++ b/patches/boringssl/0008-Pull-HASH_TRANSFORM-out-of-md32_common.h.patch @@ -0,0 +1,223 @@ +From 4320bc47617a66d4219e66e2420311dbfb6c3cb0 Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Mon, 29 Mar 2021 14:26:07 -0400 +Subject: [PATCH] Pull HASH_TRANSFORM out of md32_common.h. + +The macro isn't doing any work here. + +Change-Id: Id97dfa4b027407c5e4b3e7eb1586c3c2a2d977d8 +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47806 +Commit-Queue: David Benjamin +Reviewed-by: Adam Langley +--- + +diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h +index a0634d1..8a14108 100644 +--- a/crypto/fipsmodule/digest/md32_common.h ++++ b/crypto/fipsmodule/digest/md32_common.h +@@ -86,9 +86,6 @@ + // |HASH_UPDATE| must be defined as the name of the "Update" function to + // generate. + // +-// |HASH_TRANSFORM| must be defined as the the name of the "Transform" +-// function to generate. +-// + // |HASH_FINAL| must be defined as the name of "Final" function to generate. + // + // |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function. +@@ -121,9 +118,6 @@ + #ifndef HASH_UPDATE + #error "HASH_UPDATE must be defined!" + #endif +-#ifndef HASH_TRANSFORM +-#error "HASH_TRANSFORM must be defined!" +-#endif + #ifndef HASH_FINAL + #error "HASH_FINAL must be defined!" + #endif +@@ -185,11 +179,6 @@ + } + + +-void HASH_TRANSFORM(HASH_CTX *c, const uint8_t data[HASH_CBLOCK]) { +- HASH_BLOCK_DATA_ORDER(c->h, data, 1); +-} +- +- + int HASH_FINAL(uint8_t out[HASH_DIGEST_LENGTH], HASH_CTX *c) { + // |c->data| always has room for at least one byte. A full block would have + // been consumed. +diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c +index 0551664..9d229bf 100644 +--- a/crypto/fipsmodule/md4/md4.c ++++ b/crypto/fipsmodule/md4/md4.c +@@ -84,13 +84,16 @@ + + void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num); + ++void MD4_Transform(MD4_CTX *c, const uint8_t data[MD4_CBLOCK]) { ++ md4_block_data_order(c->h, data, 1); ++} ++ + #define DATA_ORDER_IS_LITTLE_ENDIAN + + #define HASH_CTX MD4_CTX + #define HASH_CBLOCK 64 + #define HASH_DIGEST_LENGTH 16 + #define HASH_UPDATE MD4_Update +-#define HASH_TRANSFORM MD4_Transform + #define HASH_FINAL MD4_Final + #define HASH_MAKE_STRING(c, s) \ + do { \ +@@ -240,7 +243,6 @@ + #undef HASH_CBLOCK + #undef HASH_DIGEST_LENGTH + #undef HASH_UPDATE +-#undef HASH_TRANSFORM + #undef HASH_FINAL + #undef HASH_MAKE_STRING + #undef HASH_BLOCK_DATA_ORDER +diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c +index bd6bf6a..e454a84 100644 +--- a/crypto/fipsmodule/md5/md5.c ++++ b/crypto/fipsmodule/md5/md5.c +@@ -89,6 +89,9 @@ + size_t num); + #endif + ++void MD5_Transform(MD5_CTX *c, const uint8_t data[MD5_CBLOCK]) { ++ md5_block_data_order(c->h, data, 1); ++} + + #define DATA_ORDER_IS_LITTLE_ENDIAN + +@@ -96,7 +99,6 @@ + #define HASH_CBLOCK 64 + #define HASH_DIGEST_LENGTH 16 + #define HASH_UPDATE MD5_Update +-#define HASH_TRANSFORM MD5_Transform + #define HASH_FINAL MD5_Final + #define HASH_MAKE_STRING(c, s) \ + do { \ +@@ -283,7 +285,6 @@ + #undef HASH_CBLOCK + #undef HASH_DIGEST_LENGTH + #undef HASH_UPDATE +-#undef HASH_TRANSFORM + #undef HASH_FINAL + #undef HASH_MAKE_STRING + #undef HASH_BLOCK_DATA_ORDER +diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c +index 2f50c67..7149d11 100644 +--- a/crypto/fipsmodule/sha/sha1.c ++++ b/crypto/fipsmodule/sha/sha1.c +@@ -83,6 +83,15 @@ + return out; + } + ++#if !defined(SHA1_ASM) ++static void sha1_block_data_order(uint32_t *state, const uint8_t *data, ++ size_t num); ++#endif ++ ++void SHA1_Transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) { ++ sha1_block_data_order(c->h, data, 1); ++} ++ + #define DATA_ORDER_IS_BIG_ENDIAN + + #define HASH_CTX SHA_CTX +@@ -103,7 +112,6 @@ + } while (0) + + #define HASH_UPDATE SHA1_Update +-#define HASH_TRANSFORM SHA1_Transform + #define HASH_FINAL SHA1_Final + #define HASH_BLOCK_DATA_ORDER sha1_block_data_order + #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) +@@ -113,11 +121,6 @@ + (ix) = (a) = ROTATE((a), 1); \ + } while (0) + +-#if !defined(SHA1_ASM) +-static void sha1_block_data_order(uint32_t *state, const uint8_t *data, +- size_t num); +-#endif +- + #include "../digest/md32_common.h" + + #define K_00_19 0x5a827999UL +@@ -346,7 +349,6 @@ + #undef HASH_DIGEST_LENGTH + #undef HASH_MAKE_STRING + #undef HASH_UPDATE +-#undef HASH_TRANSFORM + #undef HASH_FINAL + #undef HASH_BLOCK_DATA_ORDER + #undef ROTATE +diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c +index 390ee3a..ff961c8 100644 +--- a/crypto/fipsmodule/sha/sha256.c ++++ b/crypto/fipsmodule/sha/sha256.c +@@ -122,6 +122,15 @@ + return SHA256_Final(out, ctx); + } + ++#ifndef SHA256_ASM ++static void sha256_block_data_order(uint32_t *state, const uint8_t *in, ++ size_t num); ++#endif ++ ++void SHA256_Transform(SHA256_CTX *c, const uint8_t data[SHA256_CBLOCK]) { ++ sha256_block_data_order(c->h, data, 1); ++} ++ + #define DATA_ORDER_IS_BIG_ENDIAN + + #define HASH_CTX SHA256_CTX +@@ -167,13 +176,8 @@ + + + #define HASH_UPDATE SHA256_Update +-#define HASH_TRANSFORM SHA256_Transform + #define HASH_FINAL SHA256_Final + #define HASH_BLOCK_DATA_ORDER sha256_block_data_order +-#ifndef SHA256_ASM +-static void sha256_block_data_order(uint32_t *state, const uint8_t *in, +- size_t num); +-#endif + + #include "../digest/md32_common.h" + +@@ -324,7 +328,6 @@ + #undef HASH_DIGEST_LENGTH + #undef HASH_MAKE_STRING + #undef HASH_UPDATE +-#undef HASH_TRANSFORM + #undef HASH_FINAL + #undef HASH_BLOCK_DATA_ORDER + #undef ROTATE +diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c +index 50329c7..ac6bd83 100644 +--- a/decrepit/ripemd/ripemd.c ++++ b/decrepit/ripemd/ripemd.c +@@ -80,6 +80,11 @@ + static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data, + size_t num); + ++void RIPEMD160_Transform(RIPEMD160_CTX *c, ++ const uint8_t data[RIPEMD160_CBLOCK]) { ++ ripemd160_block_data_order(c->h, data, 1); ++} ++ + #define DATA_ORDER_IS_LITTLE_ENDIAN + + #define HASH_LONG uint32_t +@@ -87,7 +92,6 @@ + #define HASH_CBLOCK RIPEMD160_CBLOCK + #define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH + #define HASH_UPDATE RIPEMD160_Update +-#define HASH_TRANSFORM RIPEMD160_Transform + #define HASH_FINAL RIPEMD160_Final + #define HASH_MAKE_STRING(c, s) \ + do { \ diff --git a/patches/boringssl/0009-Make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch b/patches/boringssl/0009-Make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch new file mode 100644 index 0000000..30507fe --- /dev/null +++ b/patches/boringssl/0009-Make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch @@ -0,0 +1,746 @@ +From 597ffef971dd980b7de5e97a0c9b7ca26eec94bc Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Mon, 29 Mar 2021 14:45:13 -0400 +Subject: [PATCH] Make md32_common.h single-included and use an unsized helper for SHA-256. + +Similar to +https://boringssl-review.googlesource.com/c/boringssl/+/46405, +SHA256_Final and SHA224_Final hit array size warnings in the new GCC. +The array sizes are, strictly speaking, purely decoration, but this is a +good warning so we should be clean with it on. + +That same change is difficult to apply to md32_common.h because +md32_common.h generates the functions for us. md32_common.h is already +strange in that it is multiply-included and changes behavior based on +macros defined by the caller. + +Instead, replace it with inline functions, which are a bit more +conventional and typesafe. This allows each hash function to define the +function prototype. Use this to add an unsized helper for SHA-256. + +Bug: 402 +Change-Id: I61bc30fb58c54dd40a55c9b1ebf3fb9adde5e038 +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47807 +Reviewed-by: Adam Langley +Reviewed-by: Peter Foley +Commit-Queue: David Benjamin +--- + +diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h +index 8a14108..129ec48 100644 +--- a/crypto/fipsmodule/digest/md32_common.h ++++ b/crypto/fipsmodule/digest/md32_common.h +@@ -46,6 +46,9 @@ + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== */ + ++#ifndef OPENSSL_HEADER_DIGEST_MD32_COMMON_H ++#define OPENSSL_HEADER_DIGEST_MD32_COMMON_H ++ + #include + + #include +@@ -59,22 +62,15 @@ + + // This is a generic 32-bit "collector" for message digest algorithms. It + // collects input character stream into chunks of 32-bit values and invokes the +-// block function that performs the actual hash calculations. To make use of +-// this mechanism, the following macros must be defined before including +-// md32_common.h. ++// block function that performs the actual hash calculations. + // +-// One of |DATA_ORDER_IS_BIG_ENDIAN| or |DATA_ORDER_IS_LITTLE_ENDIAN| must be +-// defined to specify the byte order of the input stream. +-// +-// |HASH_CBLOCK| must be defined as the integer block size, in bytes. +-// +-// |HASH_CTX| must be defined as the name of the context structure, which must +-// have at least the following members: ++// To make use of this mechanism, the hash context should be defined with the ++// following parameters. + // + // typedef struct _state_st { + // uint32_t h[ / sizeof(uint32_t)]; + // uint32_t Nl, Nh; +-// uint8_t data[HASH_CBLOCK]; ++// uint8_t data[]; + // unsigned num; + // ... + // } _CTX; +@@ -83,136 +79,117 @@ + // any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and + // SHA-512). + // +-// |HASH_UPDATE| must be defined as the name of the "Update" function to +-// generate. +-// +-// |HASH_FINAL| must be defined as the name of "Final" function to generate. +-// +-// |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function. +-// That function must be implemented manually. It must be capable of operating +-// on *unaligned* input data in its original (data) byte order. It must have +-// this signature: +-// +-// void HASH_BLOCK_DATA_ORDER(uint32_t *state, const uint8_t *data, +-// size_t num); +-// +-// It must update the hash state |state| with |num| blocks of data from |data|, +-// where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of +-// |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|, +-// and so will have | / sizeof(uint32_t)| elements. +-// +-// |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts +-// the hash state |c->h| into the output byte order, storing the result in |s|. ++// |h| is the hash state and is updated by a function of type ++// |crypto_md32_block_func|. |data| is the partial unprocessed block and has ++// |num| bytes. |Nl| and |Nh| maintain the number of bits processed so far. + +-#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) +-#error "DATA_ORDER must be defined!" +-#endif ++// A crypto_md32_block_func should incorporate |num_blocks| of input from |data| ++// into |state|. It is assumed the caller has sized |state| and |data| for the ++// hash function. ++typedef void (*crypto_md32_block_func)(uint32_t *state, const uint8_t *data, ++ size_t num_blocks); + +-#ifndef HASH_CBLOCK +-#error "HASH_CBLOCK must be defined!" +-#endif +-#ifndef HASH_CTX +-#error "HASH_CTX must be defined!" +-#endif +- +-#ifndef HASH_UPDATE +-#error "HASH_UPDATE must be defined!" +-#endif +-#ifndef HASH_FINAL +-#error "HASH_FINAL must be defined!" +-#endif +- +-#ifndef HASH_BLOCK_DATA_ORDER +-#error "HASH_BLOCK_DATA_ORDER must be defined!" +-#endif +- +-#ifndef HASH_MAKE_STRING +-#error "HASH_MAKE_STRING must be defined!" +-#endif +- +-int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) { +- const uint8_t *data = data_; +- ++// crypto_md32_update adds |len| bytes from |in| to the digest. |data| must be a ++// buffer of length |block_size| with the first |*num| bytes containing a ++// partial block. This function combines the partial block with |in| and ++// incorporates any complete blocks into the digest state |h|. It then updates ++// |data| and |*num| with the new partial block and updates |*Nh| and |*Nl| with ++// the data consumed. ++static inline void crypto_md32_update(crypto_md32_block_func block_func, ++ uint32_t *h, uint8_t *data, ++ size_t block_size, unsigned *num, ++ uint32_t *Nh, uint32_t *Nl, ++ const uint8_t *in, size_t len) { + if (len == 0) { +- return 1; ++ return; + } + +- uint32_t l = c->Nl + (((uint32_t)len) << 3); +- if (l < c->Nl) { ++ uint32_t l = *Nl + (((uint32_t)len) << 3); ++ if (l < *Nl) { + // Handle carries. +- c->Nh++; ++ (*Nh)++; + } +- c->Nh += (uint32_t)(len >> 29); +- c->Nl = l; ++ *Nh += (uint32_t)(len >> 29); ++ *Nl = l; + +- size_t n = c->num; ++ size_t n = *num; + if (n != 0) { +- if (len >= HASH_CBLOCK || len + n >= HASH_CBLOCK) { +- OPENSSL_memcpy(c->data + n, data, HASH_CBLOCK - n); +- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); +- n = HASH_CBLOCK - n; +- data += n; ++ if (len >= block_size || len + n >= block_size) { ++ OPENSSL_memcpy(data + n, in, block_size - n); ++ block_func(h, data, 1); ++ n = block_size - n; ++ in += n; + len -= n; +- c->num = 0; +- // Keep |c->data| zeroed when unused. +- OPENSSL_memset(c->data, 0, HASH_CBLOCK); ++ *num = 0; ++ // Keep |data| zeroed when unused. ++ OPENSSL_memset(data, 0, block_size); + } else { +- OPENSSL_memcpy(c->data + n, data, len); +- c->num += (unsigned)len; +- return 1; ++ OPENSSL_memcpy(data + n, in, len); ++ *num += (unsigned)len; ++ return; + } + } + +- n = len / HASH_CBLOCK; ++ n = len / block_size; + if (n > 0) { +- HASH_BLOCK_DATA_ORDER(c->h, data, n); +- n *= HASH_CBLOCK; +- data += n; ++ block_func(h, in, n); ++ n *= block_size; ++ in += n; + len -= n; + } + + if (len != 0) { +- c->num = (unsigned)len; +- OPENSSL_memcpy(c->data, data, len); ++ *num = (unsigned)len; ++ OPENSSL_memcpy(data, in, len); + } +- return 1; + } + +- +-int HASH_FINAL(uint8_t out[HASH_DIGEST_LENGTH], HASH_CTX *c) { +- // |c->data| always has room for at least one byte. A full block would have ++// crypto_md32_final incorporates the partial block and trailing length into the ++// digest state |h|. The trailing length is encoded in little-endian if ++// |is_big_endian| is zero and big-endian otherwise. |data| must be a buffer of ++// length |block_size| with the first |*num| bytes containing a partial block. ++// |Nh| and |Nl| contain the total number of bits processed. On return, this ++// function clears the partial block in |data| and ++// |*num|. ++// ++// This function does not serialize |h| into a final digest. This is the ++// responsibility of the caller. ++static inline void crypto_md32_final(crypto_md32_block_func block_func, ++ uint32_t *h, uint8_t *data, ++ size_t block_size, unsigned *num, ++ uint32_t Nh, uint32_t Nl, ++ int is_big_endian) { ++ // |data| always has room for at least one byte. A full block would have + // been consumed. +- size_t n = c->num; +- assert(n < HASH_CBLOCK); +- c->data[n] = 0x80; ++ size_t n = *num; ++ assert(n < block_size); ++ data[n] = 0x80; + n++; + + // Fill the block with zeros if there isn't room for a 64-bit length. +- if (n > (HASH_CBLOCK - 8)) { +- OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - n); ++ if (n > block_size - 8) { ++ OPENSSL_memset(data + n, 0, block_size - n); + n = 0; +- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); ++ block_func(h, data, 1); + } +- OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - 8 - n); ++ OPENSSL_memset(data + n, 0, block_size - 8 - n); + + // Append a 64-bit length to the block and process it. +- uint8_t *p = c->data + HASH_CBLOCK - 8; +-#if defined(DATA_ORDER_IS_BIG_ENDIAN) +- CRYPTO_store_u32_be(p, c->Nh); +- CRYPTO_store_u32_be(p + 4, c->Nl); +-#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN) +- CRYPTO_store_u32_le(p, c->Nl); +- CRYPTO_store_u32_le(p + 4, c->Nh); +-#endif +- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1); +- c->num = 0; +- OPENSSL_memset(c->data, 0, HASH_CBLOCK); +- +- HASH_MAKE_STRING(c, out); +- return 1; ++ if (is_big_endian) { ++ CRYPTO_store_u32_be(data + block_size - 8, Nh); ++ CRYPTO_store_u32_be(data + block_size - 4, Nl); ++ } else { ++ CRYPTO_store_u32_le(data + block_size - 8, Nl); ++ CRYPTO_store_u32_le(data + block_size - 4, Nh); ++ } ++ block_func(h, data, 1); ++ *num = 0; ++ OPENSSL_memset(data, 0, block_size); + } + + + #if defined(__cplusplus) + } // extern C + #endif ++ ++#endif // OPENSSL_HEADER_DIGEST_MD32_COMMON_H +diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c +index 9d229bf..8779402 100644 +--- a/crypto/fipsmodule/md4/md4.c ++++ b/crypto/fipsmodule/md4/md4.c +@@ -60,6 +60,7 @@ + #include + + #include "../../internal.h" ++#include "../digest/md32_common.h" + + + uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) { +@@ -88,27 +89,22 @@ + md4_block_data_order(c->h, data, 1); + } + +-#define DATA_ORDER_IS_LITTLE_ENDIAN ++int MD4_Update(MD4_CTX *c, const void *data, size_t len) { ++ crypto_md32_update(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num, ++ &c->Nh, &c->Nl, data, len); ++ return 1; ++} + +-#define HASH_CTX MD4_CTX +-#define HASH_CBLOCK 64 +-#define HASH_DIGEST_LENGTH 16 +-#define HASH_UPDATE MD4_Update +-#define HASH_FINAL MD4_Final +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- CRYPTO_store_u32_le((s), (c)->h[0]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[1]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[2]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[3]); \ +- (s) += 4; \ +- } while (0) +-#define HASH_BLOCK_DATA_ORDER md4_block_data_order ++int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *c) { ++ crypto_md32_final(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num, ++ c->Nh, c->Nl, /*is_big_endian=*/0); + +-#include "../digest/md32_common.h" ++ CRYPTO_store_u32_le(out, c->h[0]); ++ CRYPTO_store_u32_le(out + 4, c->h[1]); ++ CRYPTO_store_u32_le(out + 8, c->h[2]); ++ CRYPTO_store_u32_le(out + 12, c->h[3]); ++ return 1; ++} + + // As pointed out by Wei Dai , the above can be + // simplified to the code below. Wei attributes these optimizations +@@ -238,14 +234,6 @@ + } + } + +-#undef DATA_ORDER_IS_LITTLE_ENDIAN +-#undef HASH_CTX +-#undef HASH_CBLOCK +-#undef HASH_DIGEST_LENGTH +-#undef HASH_UPDATE +-#undef HASH_FINAL +-#undef HASH_MAKE_STRING +-#undef HASH_BLOCK_DATA_ORDER + #undef F + #undef G + #undef H +diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c +index e454a84..eba34bc 100644 +--- a/crypto/fipsmodule/md5/md5.c ++++ b/crypto/fipsmodule/md5/md5.c +@@ -60,8 +60,9 @@ + + #include + +-#include "internal.h" + #include "../../internal.h" ++#include "../digest/md32_common.h" ++#include "internal.h" + + + uint8_t *MD5(const uint8_t *data, size_t len, uint8_t out[MD5_DIGEST_LENGTH]) { +@@ -93,27 +94,22 @@ + md5_block_data_order(c->h, data, 1); + } + +-#define DATA_ORDER_IS_LITTLE_ENDIAN ++int MD5_Update(MD5_CTX *c, const void *data, size_t len) { ++ crypto_md32_update(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num, ++ &c->Nh, &c->Nl, data, len); ++ return 1; ++} + +-#define HASH_CTX MD5_CTX +-#define HASH_CBLOCK 64 +-#define HASH_DIGEST_LENGTH 16 +-#define HASH_UPDATE MD5_Update +-#define HASH_FINAL MD5_Final +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- CRYPTO_store_u32_le((s), (c)->h[0]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[1]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[2]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[3]); \ +- (s) += 4; \ +- } while (0) +-#define HASH_BLOCK_DATA_ORDER md5_block_data_order ++int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *c) { ++ crypto_md32_final(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num, ++ c->Nh, c->Nl, /*is_big_endian=*/0); + +-#include "../digest/md32_common.h" ++ CRYPTO_store_u32_le(out, c->h[0]); ++ CRYPTO_store_u32_le(out + 4, c->h[1]); ++ CRYPTO_store_u32_le(out + 8, c->h[2]); ++ CRYPTO_store_u32_le(out + 12, c->h[3]); ++ return 1; ++} + + // As pointed out by Wei Dai , the above can be + // simplified to the code below. Wei attributes these optimizations +@@ -280,14 +276,6 @@ + #undef X + #endif + +-#undef DATA_ORDER_IS_LITTLE_ENDIAN +-#undef HASH_CTX +-#undef HASH_CBLOCK +-#undef HASH_DIGEST_LENGTH +-#undef HASH_UPDATE +-#undef HASH_FINAL +-#undef HASH_MAKE_STRING +-#undef HASH_BLOCK_DATA_ORDER + #undef F + #undef G + #undef H +diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c +index 7149d11..c629308 100644 +--- a/crypto/fipsmodule/sha/sha1.c ++++ b/crypto/fipsmodule/sha/sha1.c +@@ -60,8 +60,9 @@ + + #include + +-#include "internal.h" + #include "../../internal.h" ++#include "../digest/md32_common.h" ++#include "internal.h" + + + int SHA1_Init(SHA_CTX *sha) { +@@ -92,28 +93,24 @@ + sha1_block_data_order(c->h, data, 1); + } + +-#define DATA_ORDER_IS_BIG_ENDIAN ++int SHA1_Update(SHA_CTX *c, const void *data, size_t len) { ++ crypto_md32_update(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num, ++ &c->Nh, &c->Nl, data, len); ++ return 1; ++} + +-#define HASH_CTX SHA_CTX +-#define HASH_CBLOCK 64 +-#define HASH_DIGEST_LENGTH 20 +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- CRYPTO_store_u32_be((s), (c)->h[0]); \ +- (s) += 4; \ +- CRYPTO_store_u32_be((s), (c)->h[1]); \ +- (s) += 4; \ +- CRYPTO_store_u32_be((s), (c)->h[2]); \ +- (s) += 4; \ +- CRYPTO_store_u32_be((s), (c)->h[3]); \ +- (s) += 4; \ +- CRYPTO_store_u32_be((s), (c)->h[4]); \ +- (s) += 4; \ +- } while (0) ++int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { ++ crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num, ++ c->Nh, c->Nl, /*is_big_endian=*/1); + +-#define HASH_UPDATE SHA1_Update +-#define HASH_FINAL SHA1_Final +-#define HASH_BLOCK_DATA_ORDER sha1_block_data_order ++ CRYPTO_store_u32_be(out, c->h[0]); ++ CRYPTO_store_u32_be(out + 4, c->h[1]); ++ CRYPTO_store_u32_be(out + 8, c->h[2]); ++ CRYPTO_store_u32_be(out + 12, c->h[3]); ++ CRYPTO_store_u32_be(out + 16, c->h[4]); ++ return 1; ++} ++ + #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) + #define Xupdate(a, ix, ia, ib, ic, id) \ + do { \ +@@ -121,8 +118,6 @@ + (ix) = (a) = ROTATE((a), 1); \ + } while (0) + +-#include "../digest/md32_common.h" +- + #define K_00_19 0x5a827999UL + #define K_20_39 0x6ed9eba1UL + #define K_40_59 0x8f1bbcdcUL +@@ -343,14 +338,6 @@ + } + #endif + +-#undef DATA_ORDER_IS_BIG_ENDIAN +-#undef HASH_CTX +-#undef HASH_CBLOCK +-#undef HASH_DIGEST_LENGTH +-#undef HASH_MAKE_STRING +-#undef HASH_UPDATE +-#undef HASH_FINAL +-#undef HASH_BLOCK_DATA_ORDER + #undef ROTATE + #undef Xupdate + #undef K_00_19 +diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c +index ff961c8..4394f4a 100644 +--- a/crypto/fipsmodule/sha/sha256.c ++++ b/crypto/fipsmodule/sha/sha256.c +@@ -60,8 +60,9 @@ + + #include + +-#include "internal.h" + #include "../../internal.h" ++#include "../digest/md32_common.h" ++#include "internal.h" + + + int SHA224_Init(SHA256_CTX *sha) { +@@ -112,16 +113,6 @@ + return out; + } + +-int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { +- return SHA256_Update(ctx, data, len); +-} +- +-int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { +- // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a +- // smaller output. +- return SHA256_Final(out, ctx); +-} +- + #ifndef SHA256_ASM + static void sha256_block_data_order(uint32_t *state, const uint8_t *in, + size_t num); +@@ -131,55 +122,51 @@ + sha256_block_data_order(c->h, data, 1); + } + +-#define DATA_ORDER_IS_BIG_ENDIAN ++int SHA256_Update(SHA256_CTX *c, const void *data, size_t len) { ++ crypto_md32_update(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK, ++ &c->num, &c->Nh, &c->Nl, data, len); ++ return 1; ++} + +-#define HASH_CTX SHA256_CTX +-#define HASH_CBLOCK 64 +-#define HASH_DIGEST_LENGTH 32 ++int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { ++ return SHA256_Update(ctx, data, len); ++} + +-// Note that FIPS180-2 discusses "Truncation of the Hash Function Output." +-// default: case below covers for it. It's not clear however if it's permitted +-// to truncate to amount of bytes not divisible by 4. I bet not, but if it is, +-// then default: case shall be extended. For reference. Idea behind separate +-// cases for pre-defined lenghts is to let the compiler decide if it's +-// appropriate to unroll small loops. +-// +-// TODO(davidben): The small |md_len| case is one of the few places a low-level +-// hash 'final' function can fail. This should never happen. +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- unsigned int nn; \ +- switch ((c)->md_len) { \ +- case SHA224_DIGEST_LENGTH: \ +- for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \ +- CRYPTO_store_u32_be((s), (c)->h[nn]); \ +- (s) += 4; \ +- } \ +- break; \ +- case SHA256_DIGEST_LENGTH: \ +- for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \ +- CRYPTO_store_u32_be((s), (c)->h[nn]); \ +- (s) += 4; \ +- } \ +- break; \ +- default: \ +- if ((c)->md_len > SHA256_DIGEST_LENGTH) { \ +- return 0; \ +- } \ +- for (nn = 0; nn < (c)->md_len / 4; nn++) { \ +- CRYPTO_store_u32_be((s), (c)->h[nn]); \ +- (s) += 4; \ +- } \ +- break; \ +- } \ +- } while (0) ++static int sha256_final_impl(uint8_t *out, SHA256_CTX *c) { ++ crypto_md32_final(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK, ++ &c->num, c->Nh, c->Nl, /*is_big_endian=*/1); + ++ // TODO(davidben): This overflow check one of the few places a low-level hash ++ // 'final' function can fail. SHA-512 does not have a corresponding check. ++ // These functions already misbehave if the caller arbitrarily mutates |c|, so ++ // can we assume one of |SHA256_Init| or |SHA224_Init| was used? ++ if (c->md_len > SHA256_DIGEST_LENGTH) { ++ return 0; ++ } + +-#define HASH_UPDATE SHA256_Update +-#define HASH_FINAL SHA256_Final +-#define HASH_BLOCK_DATA_ORDER sha256_block_data_order ++ assert(c->md_len % 4 == 0); ++ const size_t out_words = c->md_len / 4; ++ for (size_t i = 0; i < out_words; i++) { ++ CRYPTO_store_u32_be(out, c->h[i]); ++ out += 4; ++ } ++ return 1; ++} + +-#include "../digest/md32_common.h" ++int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) { ++ // Ideally we would assert |sha->md_len| is |SHA256_DIGEST_LENGTH| to match ++ // the size hint, but calling code often pairs |SHA224_Init| with ++ // |SHA256_Final| and expects |sha->md_len| to carry the size over. ++ // ++ // TODO(davidben): Add an assert and fix code to match them up. ++ return sha256_final_impl(out, c); ++} ++int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { ++ // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a ++ // smaller output. ++ assert(ctx->md_len == SHA224_DIGEST_LENGTH); ++ return sha256_final_impl(out, ctx); ++} + + #ifndef SHA256_ASM + static const uint32_t K256[64] = { +@@ -322,14 +309,6 @@ + sha256_block_data_order(state, data, num_blocks); + } + +-#undef DATA_ORDER_IS_BIG_ENDIAN +-#undef HASH_CTX +-#undef HASH_CBLOCK +-#undef HASH_DIGEST_LENGTH +-#undef HASH_MAKE_STRING +-#undef HASH_UPDATE +-#undef HASH_FINAL +-#undef HASH_BLOCK_DATA_ORDER + #undef ROTATE + #undef Sigma0 + #undef Sigma1 +diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c +index 1f40e7a..befdd52 100644 +--- a/crypto/fipsmodule/sha/sha512.c ++++ b/crypto/fipsmodule/sha/sha512.c +@@ -162,7 +162,7 @@ + + int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) { + // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a +- // |smaller output. ++ // smaller output. + assert(sha->md_len == SHA384_DIGEST_LENGTH); + return sha512_final_impl(out, sha); + } +@@ -237,7 +237,7 @@ + int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) { + // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match + // the size hint, but calling code often pairs |SHA384_Init| with +- // |SHA512_Final| and expects |sha->md_len| to carry the over. ++ // |SHA512_Final| and expects |sha->md_len| to carry the size over. + // + // TODO(davidben): Add an assert and fix code to match them up. + return sha512_final_impl(out, sha); +@@ -270,9 +270,8 @@ + assert(sha->md_len % 8 == 0); + const size_t out_words = sha->md_len / 8; + for (size_t i = 0; i < out_words; i++) { +- const uint64_t t = CRYPTO_bswap8(sha->h[i]); +- memcpy(out, &t, sizeof(t)); +- out += sizeof(t); ++ CRYPTO_store_u64_be(out, sha->h[i]); ++ out += 8; + } + + return 1; +diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c +index ac6bd83..9120cdd 100644 +--- a/decrepit/ripemd/ripemd.c ++++ b/decrepit/ripemd/ripemd.c +@@ -59,6 +59,7 @@ + #include + + #include "../../crypto/internal.h" ++#include "../../crypto/fipsmodule/digest/md32_common.h" + + + #define RIPEMD160_A 0x67452301L +@@ -85,31 +86,24 @@ + ripemd160_block_data_order(c->h, data, 1); + } + +-#define DATA_ORDER_IS_LITTLE_ENDIAN ++int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len) { ++ crypto_md32_update(&ripemd160_block_data_order, c->h, c->data, ++ RIPEMD160_CBLOCK, &c->num, &c->Nh, &c->Nl, data, len); ++ return 1; ++} + +-#define HASH_LONG uint32_t +-#define HASH_CTX RIPEMD160_CTX +-#define HASH_CBLOCK RIPEMD160_CBLOCK +-#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH +-#define HASH_UPDATE RIPEMD160_Update +-#define HASH_FINAL RIPEMD160_Final +-#define HASH_MAKE_STRING(c, s) \ +- do { \ +- CRYPTO_store_u32_le((s), (c)->h[0]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[1]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[2]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[3]); \ +- (s) += 4; \ +- CRYPTO_store_u32_le((s), (c)->h[4]); \ +- (s) += 4; \ +- } while (0) ++int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH], RIPEMD160_CTX *c) { ++ crypto_md32_final(&ripemd160_block_data_order, c->h, c->data, ++ RIPEMD160_CBLOCK, &c->num, c->Nh, c->Nl, ++ /*is_big_endian=*/0); + +-#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order +- +-#include "../../crypto/fipsmodule/digest/md32_common.h" ++ CRYPTO_store_u32_le(out, c->h[0]); ++ CRYPTO_store_u32_le(out + 4, c->h[1]); ++ CRYPTO_store_u32_le(out + 8, c->h[2]); ++ CRYPTO_store_u32_le(out + 12, c->h[3]); ++ CRYPTO_store_u32_le(out + 16, c->h[4]); ++ return 1; ++} + + // Transformed F2 and F4 are courtesy of Wei Dai + #define F1(x, y, z) ((x) ^ (y) ^ (z)) diff --git a/patches/boringssl/0010-Fix-array-parametes-warnings.patch b/patches/boringssl/0010-Fix-array-parametes-warnings.patch new file mode 100644 index 0000000..2caff97 --- /dev/null +++ b/patches/boringssl/0010-Fix-array-parametes-warnings.patch @@ -0,0 +1,54 @@ +From 92c6fbfc4c44dc8462d260d836020d2b793e7804 Mon Sep 17 00:00:00 2001 +From: Peter Foley +Date: Fri, 28 May 2021 14:16:23 -0400 +Subject: [PATCH] Fix array-parameter warnings + +e.g. +/home/peter/boringssl/crypto/curve25519/curve25519.c:503:57: error: argument 2 of type 'const uint8_t[32]' {aka 'const unsigned char[32'} with mismatched bound [-Werror=array-parameter=] + 503 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) { + | ~~~~~~~~~~~~~~^~~~~ +In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33: +/home/peter/boringssl/crypto/curve25519/internal.h:109:58: note: previously declared as 'const uint8_t *' {aka 'const unsigned char *'} + 109 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s); + | ~~~~~~~~~~~~~~~^ +/home/peter/boringssl/crypto/curve25519/curve25519.c:823:57: error: argument 2 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Werror=array-parameter=] + 823 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) { + | ~~~~~~~~~~~~~~~^ +In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33: +/home/peter/boringssl/crypto/curve25519/internal.h:117:56: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'} + 117 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]); + | ~~~~~~~~~~~~~~^~~~~ +cc1: all warnings being treated as errors + +Change-Id: I7e9b68fe261a94834f519057adb6ff90c0cb73cf +Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47805 +Reviewed-by: David Benjamin +Commit-Queue: David Benjamin +--- + +diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c +index 232f6e0..ea48810 100644 +--- a/crypto/curve25519/curve25519.c ++++ b/crypto/curve25519/curve25519.c +@@ -820,7 +820,7 @@ + // + // Preconditions: + // a[31] <= 127 +-void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) { ++void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) { + signed char e[64]; + signed char carry; + ge_p1p1 r; +diff --git a/crypto/curve25519/internal.h b/crypto/curve25519/internal.h +index 01be307..76ff78f 100644 +--- a/crypto/curve25519/internal.h ++++ b/crypto/curve25519/internal.h +@@ -106,7 +106,7 @@ + } ge_cached; + + void x25519_ge_tobytes(uint8_t s[32], const ge_p2 *h); +-int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s); ++int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]); + void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p); + void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p); + void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p); diff --git a/vendor/CMakeLists.txt b/vendor/CMakeLists.txt index 1e6eee9..fb826ab 100644 --- a/vendor/CMakeLists.txt +++ b/vendor/CMakeLists.txt @@ -1,7 +1,6 @@ # TODO: https://cmake.org/cmake/help/v3.0/module/ExternalProject.html # To patch the submodule -add_subdirectory(boringssl EXCLUDE_FROM_ALL) set(android-vendored avb adb @@ -15,7 +14,8 @@ set(android-vendored selinux f2fs-tools e2fsprogs - incremental_delivery) + incremental_delivery + boringssl) if(EXISTS "${ANDROID_PATCH_DIR}/") execute_process(COMMAND git submodule --quiet update) @@ -33,6 +33,7 @@ if(EXISTS "${ANDROID_PATCH_DIR}/") endforeach(v) endif() +add_subdirectory(boringssl EXCLUDE_FROM_ALL) find_package(Protobuf REQUIRED) find_package(fmt REQUIRED) include_directories(${fmt_INCLUDE_DIRS})