[arch-commits] Commit in android-tools/trunk (PKGBUILD android-tools-gcc11.patch)
Antonio Rojas
arojas at archlinux.org
Sun Jun 20 20:30:28 UTC 2021
Date: Sunday, June 20, 2021 @ 20:30:28
Author: arojas
Revision: 966068
Fix build with GCC 11
Added:
android-tools/trunk/android-tools-gcc11.patch
Modified:
android-tools/trunk/PKGBUILD
---------------------------+
PKGBUILD | 13
android-tools-gcc11.patch | 4065 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 4075 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-06-20 20:22:56 UTC (rev 966067)
+++ PKGBUILD 2021-06-20 20:30:28 UTC (rev 966068)
@@ -11,10 +11,17 @@
url='http://tools.android.com/'
license=(Apache MIT)
depends=(libusb protobuf brotli zstd android-udev)
-makedepends=(pcre2 gtest cmake go ninja)
-source=(https://github.com/nmeum/android-tools/releases/download/$_tag/android-tools-$_tag.tar.xz)
-sha256sums=('51a4c3ba5f16945905449c4bd2c1c781a4df7469f6b7362f8837f4f640d8c7b6')
+makedepends=(pcre2 gtest cmake go ninja git)
+source=(https://github.com/nmeum/android-tools/releases/download/$_tag/android-tools-$_tag.tar.xz
+ android-tools-gcc11.patch)
+sha256sums=('51a4c3ba5f16945905449c4bd2c1c781a4df7469f6b7362f8837f4f640d8c7b6'
+ '75fd8517769e5cb3b9a4b54c7d2d0b728537e35a42113531e8b7dfb6f296ea84')
+prepare() {
+ cd android-tools-$_tag
+ patch -d vendor/boringssl -p1 < ../android-tools-gcc11.patch
+}
+
build() {
cd android-tools-$_tag
Added: android-tools-gcc11.patch
===================================================================
--- android-tools-gcc11.patch (rev 0)
+++ android-tools-gcc11.patch 2021-06-20 20:30:28 UTC (rev 966068)
@@ -0,0 +1,4065 @@
+From 139adff9b27eaf0bdaac664ec4c9a7db2fe3f920 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Thu, 25 Mar 2021 01:41:51 -0400
+Subject: [PATCH] Fix mismatch between header and implementation of bn_sqr_comba8.
+
+Bug: 402
+Change-Id: I6de879f44f6e3eca26f2f49c500769d944fa9bc0
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46404
+Reviewed-by: Adam Langley <agl at google.com>
+---
+
+diff --git a/crypto/fipsmodule/bn/internal.h b/crypto/fipsmodule/bn/internal.h
+index 623e0c6..3d368db 100644
+--- a/crypto/fipsmodule/bn/internal.h
++++ b/crypto/fipsmodule/bn/internal.h
+@@ -297,7 +297,7 @@
+ void bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]);
+
+ // bn_sqr_comba8 sets |r| to |a|^2.
+-void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[4]);
++void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]);
+
+ // bn_sqr_comba4 sets |r| to |a|^2.
+ void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]);
+From a24ab549e6ae246b391155d7bed3790ac0e07de2 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Thu, 25 Mar 2021 15:26:25 -0400
+Subject: [PATCH] Use an unsized helper for truncated SHA-512 variants.
+
+Although it is strictly fine to call SHA512_Final in SHA384_Final
+(array sizes in C parameters are purely decorational, according to the
+language), GCC 11 reportedly checks now and gets upset about the size
+mismatch. Use an unsized helper function so all our code matches the
+specified bounds.
+
+Unfortunately, the bounds in all the functions are a bit misleading
+because SHA512_Final really outputs based on sha->md_len (which Init
+function you called) rather than which Final function. I've fixed this
+places within a library where we mismatched and added asserts to the
+smaller functions. SHA512_Final is assert-less because I've seen lots of
+code use SHA384_Init / SHA512_Update / SHA512_Final.
+
+This doesn't fix the SHA256 variant since that is generated by a pile of
+macros in a multiply-included file. This is probably a good opportunity
+to make that code less macro-heavy.
+
+Update-Note: There is a small chance the asserts will trip something,
+but hopefully not since I've left SHA512_Final alone.
+
+Bug: 402
+Change-Id: I4c9d579a63ee0a0dea103c19ef219c13bb9aa62c
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46405
+Reviewed-by: Adam Langley <agl at google.com>
+---
+
+diff --git a/crypto/fipsmodule/digest/digests.c b/crypto/fipsmodule/digest/digests.c
+index 16daeba..f006ebb 100644
+--- a/crypto/fipsmodule/digest/digests.c
++++ b/crypto/fipsmodule/digest/digests.c
+@@ -247,13 +247,21 @@
+ CHECK(SHA512_256_Init(ctx->md_data));
+ }
+
++static void sha512_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
++ CHECK(SHA512_256_Update(ctx->md_data, data, count));
++}
++
++static void sha512_256_final(EVP_MD_CTX *ctx, uint8_t *md) {
++ CHECK(SHA512_256_Final(md, ctx->md_data));
++}
++
+ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) {
+ out->type = NID_sha512_256;
+ out->md_size = SHA512_256_DIGEST_LENGTH;
+ out->flags = 0;
+ out->init = sha512_256_init;
+- out->update = sha512_update;
+- out->final = sha512_final;
++ out->update = sha512_256_update;
++ out->final = sha512_256_final;
+ out->block_size = 128;
+ out->ctx_size = sizeof(SHA512_CTX);
+ }
+diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c
+index fd02574..ba86c1e 100644
+--- a/crypto/fipsmodule/sha/sha512.c
++++ b/crypto/fipsmodule/sha/sha512.c
+@@ -70,6 +70,8 @@
+ // this writing, so there is no need for a common collector/padding
+ // implementation yet.
+
++static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha);
++
+ int SHA384_Init(SHA512_CTX *sha) {
+ sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8);
+ sha->h[1] = UINT64_C(0x629a292a367cd507);
+@@ -146,8 +148,8 @@
+ uint8_t out[SHA512_256_DIGEST_LENGTH]) {
+ SHA512_CTX ctx;
+ SHA512_256_Init(&ctx);
+- SHA512_Update(&ctx, data, len);
+- SHA512_Final(out, &ctx);
++ SHA512_256_Update(&ctx, data, len);
++ SHA512_256_Final(out, &ctx);
+ OPENSSL_cleanse(&ctx, sizeof(ctx));
+ return out;
+ }
+@@ -161,7 +163,8 @@
+ int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
+ // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a
+ // |smaller output.
+- return SHA512_Final(out, sha);
++ assert(sha->md_len == SHA384_DIGEST_LENGTH);
++ return sha512_final_impl(out, sha);
+ }
+
+ int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
+@@ -172,11 +175,11 @@
+ return SHA512_Update(sha, data, len);
+ }
+
+-int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH],
+- SHA512_CTX *sha) {
++int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) {
+ // |SHA512_256_Init| sets |sha->md_len| to |SHA512_256_DIGEST_LENGTH|, so this
+ // has a |smaller output.
+- return SHA512_Final(out, sha);
++ assert(sha->md_len == SHA512_256_DIGEST_LENGTH);
++ return sha512_final_impl(out, sha);
+ }
+
+ void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) {
+@@ -232,6 +235,15 @@
+ }
+
+ int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
++ // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match
++ // the size hint, but calling code often pairs |SHA384_Init| with
++ // |SHA512_Final| and expects |sha->md_len| to carry the over.
++ //
++ // TODO(davidben): Add an assert and fix code to match them up.
++ return sha512_final_impl(out, sha);
++}
++
++static int sha512_final_impl(uint8_t *out, SHA512_CTX *sha) {
+ uint8_t *p = sha->p;
+ size_t n = sha->num;
+
+From 8c31179d81081cc9b8ce5b5ac3151088c45042f7 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Fri, 19 Mar 2021 11:53:48 -0400
+Subject: [PATCH] Fix unnecessarily direction-specific tests in cipher_tests.txt
+
+All our EVP_CIPHERs are deterministic, so there's usually no point in
+testing only one direction. Some of the ECB tests were missing free
+decryption tests. CTR is the same in both directions, but we ought to
+test the API agrees. OFB vectors are doubled up, so we can merge them
+together. Plus there are typos in the OFB-AES192.Decrypt tests, also
+present upstream, so we weren't actually testing everything we should.
+
+(I haven't removed the direction-specific logic altogether since the
+tests imported from nist_cavp rely on it. Though there may be something
+to be said for running them both ways since they don't actually double
+them up...)
+
+Change-Id: I36a77d342afa436e89ad244a87567e1a4c6ee9dc
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46284
+Reviewed-by: Adam Langley <agl at google.com>
+Commit-Queue: David Benjamin <davidben at google.com>
+---
+
+diff --git a/crypto/cipher_extra/test/cipher_tests.txt b/crypto/cipher_extra/test/cipher_tests.txt
+index ced7595..52fd4af 100644
+--- a/crypto/cipher_extra/test/cipher_tests.txt
++++ b/crypto/cipher_extra/test/cipher_tests.txt
+@@ -109,7 +109,6 @@
+ # AES 128 ECB tests (from FIPS-197 test vectors, encrypt)
+ Cipher = AES-128-ECB
+ Key = 000102030405060708090A0B0C0D0E0F
+-Operation = ENCRYPT
+ Plaintext = 00112233445566778899AABBCCDDEEFF
+ Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A
+
+@@ -117,7 +116,6 @@
+ # AES 256 ECB tests (from FIPS-197 test vectors, encrypt)
+ Cipher = AES-256-ECB
+ Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+-Operation = ENCRYPT
+ Plaintext = 00112233445566778899AABBCCDDEEFF
+ Ciphertext = 8EA2B7CA516745BFEAFC49904B496089
+
+@@ -227,42 +225,36 @@
+ Cipher = AES-128-CTR
+ Key = AE6852F8121067CC4BF7A5765577F39E
+ IV = 00000030000000000000000000000001
+-Operation = ENCRYPT
+ Plaintext = 53696E676C6520626C6F636B206D7367
+ Ciphertext = E4095D4FB7A7B3792D6175A3261311B8
+
+ Cipher = AES-128-CTR
+ Key = 7E24067817FAE0D743D6CE1F32539163
+ IV = 006CB6DBC0543B59DA48D90B00000001
+-Operation = ENCRYPT
+ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+ Ciphertext = 5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28
+
+ Cipher = AES-128-CTR
+ Key = 7691BE035E5020A8AC6E618529F9A0DC
+ IV = 00E0017B27777F3F4A1786F000000001
+-Operation = ENCRYPT
+ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223
+ Ciphertext = C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F
+
+ Cipher = AES-256-CTR
+ Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104
+ IV = 00000060DB5672C97AA8F0B200000001
+-Operation = ENCRYPT
+ Plaintext = 53696E676C6520626C6F636B206D7367
+ Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0
+
+ Cipher = AES-256-CTR
+ Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884
+ IV = 00FAAC24C1585EF15A43D87500000001
+-Operation = ENCRYPT
+ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+ Ciphertext = F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C
+
+ Cipher = AES-256-CTR
+ Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D
+ IV = 001CC5B751A51D70A1C1114800000001
+-Operation = ENCRYPT
+ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223
+ Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8
+
+@@ -270,7 +262,6 @@
+ Cipher = AES-128-CTR
+ Key = 7E24067817FAE0D743D6CE1F32539163
+ IV = 00000000000000007FFFFFFFFFFFFFFF
+-Operation = ENCRYPT
+ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+ Ciphertext = A2D459477E6432BD74184B1B5370D2243CDC202BC43583B2A55D288CDBBD1E03
+
+@@ -462,178 +453,78 @@
+
+ # OFB tests from OpenSSL upstream.
+
+-# OFB-AES128.Encrypt
++# OFB-AES128
+ Cipher = AES-128-OFB
+ Key = 2B7E151628AED2A6ABF7158809CF4F3C
+ IV = 000102030405060708090A0B0C0D0E0F
+-Operation = ENCRYPT
+ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+ Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A
+
+ Cipher = AES-128-OFB
+ Key = 2B7E151628AED2A6ABF7158809CF4F3C
+ IV = 50FE67CC996D32B6DA0937E99BAFEC60
+-Operation = ENCRYPT
+ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+ Ciphertext = 7789508D16918F03F53C52DAC54ED825
+
+ Cipher = AES-128-OFB
+ Key = 2B7E151628AED2A6ABF7158809CF4F3C
+ IV = D9A4DADA0892239F6B8B3D7680E15674
+-Operation = ENCRYPT
+ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+ Ciphertext = 9740051E9C5FECF64344F7A82260EDCC
+
+ Cipher = AES-128-OFB
+ Key = 2B7E151628AED2A6ABF7158809CF4F3C
+ IV = A78819583F0308E7A6BF36B1386ABF23
+-Operation = ENCRYPT
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = 304C6528F659C77866A510D9C1D6AE5E
+
+-# OFB-AES128.Decrypt
+-Cipher = AES-128-OFB
+-Key = 2B7E151628AED2A6ABF7158809CF4F3C
+-IV = 000102030405060708090A0B0C0D0E0F
+-Operation = DECRYPT
+-Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+-Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A
+-
+-Cipher = AES-128-OFB
+-Key = 2B7E151628AED2A6ABF7158809CF4F3C
+-IV = 50FE67CC996D32B6DA0937E99BAFEC60
+-Operation = DECRYPT
+-Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+-Ciphertext = 7789508D16918F03F53C52DAC54ED825
+-
+-Cipher = AES-128-OFB
+-Key = 2B7E151628AED2A6ABF7158809CF4F3C
+-IV = D9A4DADA0892239F6B8B3D7680E15674
+-Operation = DECRYPT
+-Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+-Ciphertext = 9740051E9C5FECF64344F7A82260EDCC
+-
+-Cipher = AES-128-OFB
+-Key = 2B7E151628AED2A6ABF7158809CF4F3C
+-IV = A78819583F0308E7A6BF36B1386ABF23
+-Operation = DECRYPT
+-Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+-Ciphertext = 304C6528F659C77866A510D9C1D6AE5E
+-
+-# OFB-AES192.Encrypt
++# OFB-AES192
+ Cipher = AES-192-OFB
+ Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+ IV = 000102030405060708090A0B0C0D0E0F
+-Operation = ENCRYPT
+ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+ Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174
+
+ Cipher = AES-192-OFB
+ Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+ IV = A609B38DF3B1133DDDFF2718BA09565E
+-Operation = ENCRYPT
+ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+ Ciphertext = FCC28B8D4C63837C09E81700C1100401
+
+ Cipher = AES-192-OFB
+ Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+ IV = 52EF01DA52602FE0975F78AC84BF8A50
+-Operation = ENCRYPT
+ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+ Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2
+
+ Cipher = AES-192-OFB
+ Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+ IV = BD5286AC63AABD7EB067AC54B553F71D
+-Operation = ENCRYPT
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A
+
+-# OFB-AES192.Decrypt
+-Cipher = AES-192-OFB
+-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+-IV = 000102030405060708090A0B0C0D0E0F
+-Operation = ENCRYPT
+-Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+-Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174
+-
+-Cipher = AES-192-OFB
+-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+-IV = A609B38DF3B1133DDDFF2718BA09565E
+-Operation = ENCRYPT
+-Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+-Ciphertext = FCC28B8D4C63837C09E81700C1100401
+-
+-Cipher = AES-192-OFB
+-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+-IV = 52EF01DA52602FE0975F78AC84BF8A50
+-Operation = ENCRYPT
+-Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+-Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2
+-
+-Cipher = AES-192-OFB
+-Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+-IV = BD5286AC63AABD7EB067AC54B553F71D
+-Operation = ENCRYPT
+-Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+-Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A
+-
+-# OFB-AES256.Encrypt
++# OFB-AES256
+ Cipher = AES-256-OFB
+ Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+ IV = 000102030405060708090A0B0C0D0E0F
+-Operation = ENCRYPT
+ Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+ Ciphertext = DC7E84BFDA79164B7ECD8486985D3860
+
+ Cipher = AES-256-OFB
+ Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+ IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
+-Operation = ENCRYPT
+ Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+ Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D
+
+ Cipher = AES-256-OFB
+ Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+ IV = E1C656305ED1A7A6563805746FE03EDC
+-Operation = ENCRYPT
+ Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+ Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408
+
+ Cipher = AES-256-OFB
+ Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+ IV = 41635BE625B48AFC1666DD42A09D96E7
+-Operation = ENCRYPT
+-Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+-Ciphertext = 0126141D67F37BE8538F5A8BE740E484
+-
+-
+-# OFB-AES256.Decrypt
+-Cipher = AES-256-OFB
+-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+-IV = 000102030405060708090A0B0C0D0E0F
+-Operation = DECRYPT
+-Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+-Ciphertext = DC7E84BFDA79164B7ECD8486985D3860
+-
+-Cipher = AES-256-OFB
+-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+-IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
+-Operation = DECRYPT
+-Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+-Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D
+-
+-Cipher = AES-256-OFB
+-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+-IV = E1C656305ED1A7A6563805746FE03EDC
+-Operation = DECRYPT
+-Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+-Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408
+-
+-Cipher = AES-256-OFB
+-Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+-IV = 41635BE625B48AFC1666DD42A09D96E7
+-Operation = DECRYPT
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = 0126141D67F37BE8538F5A8BE740E484
+
+@@ -667,7 +558,6 @@
+ # AES-192-ECB tests from FIPS-197
+ Cipher = AES-192-ECB
+ Key = 000102030405060708090A0B0C0D0E0F1011121314151617
+-Operation = ENCRYPT
+ Plaintext = 00112233445566778899AABBCCDDEEFF
+ Ciphertext = DDA97CA4864CDFE06EAF70A0EC0D7191
+
+From 502fceede9e9856ce9eb913d697490b58886ca38 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Fri, 19 Mar 2021 12:15:49 -0400
+Subject: [PATCH] Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
+
+See also 8129ac6ac4c0ca3a488c225cde580ede7dabe874 and
+81198bf323ea9deda907714170d329ca7d2ff01f from upstream.
+
+In trying to figure out why ASan (which normally catches overlapping
+memcpys) didn't flag this, I noticed that we actually don't have tests
+for empty inputs. I've added them to cipher_tests.txt where missing and
+fixed a bad assert in ofb.c.
+
+ASan still doesn't flag this because LLVM even requires memcpy handle
+dst == src. Still, fixing it is less effort than getting a clear answer
+from GCC and MSVC. Though this puts us in the frustrating position of
+trying to follow a C rule that our main toolchain and sanitizer disavow.
+https://bugs.llvm.org/show_bug.cgi?id=11763
+https://reviews.llvm.org/D86993
+
+Change-Id: I53c64a84834ddf5cddca0b3d53a29998f666ea2f
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46285
+Commit-Queue: David Benjamin <davidben at google.com>
+Reviewed-by: Adam Langley <agl at google.com>
+---
+
+diff --git a/crypto/cipher_extra/test/cipher_tests.txt b/crypto/cipher_extra/test/cipher_tests.txt
+index 52fd4af..bf7325e 100644
+--- a/crypto/cipher_extra/test/cipher_tests.txt
++++ b/crypto/cipher_extra/test/cipher_tests.txt
+@@ -29,6 +29,11 @@
+ Plaintext = 00000000000000000000
+ Ciphertext = d6a141a7ec3c38dfbd61
+
++Cipher = RC4
++Key = ef012345ef012345ef012345ef012345
++Plaintext =
++Ciphertext =
++
+
+ # DES EDE3 ECB tests
+ Cipher = DES-EDE3
+@@ -81,6 +86,11 @@
+ Plaintext = cc7569d005afd1a365f5c5836c14475fc15091199902af4a78460d56c16f91ca
+ Ciphertext = 64db8af7a30363051a017cc92ed67ac6c0e2e1ffda0c94bbf0eeb803ba6b3d22
+
++Cipher = DES-EDE3
++Key = 2e8eb05dd8a2b7a5a61a6b8a3830b12da2c4b1bea1e884d5
++Plaintext =
++Ciphertext =
++
+
+ # DES EDE3 CBC tests (from destest)
+ Cipher = DES-EDE3-CBC
+@@ -89,6 +99,12 @@
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+ Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+
++Cipher = DES-EDE3-CBC
++Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
++IV = fedcba9876543210
++Plaintext =
++Ciphertext =
++
+
+ # DES EDE CBC tests
+ Cipher = DES-EDE-CBC
+@@ -97,6 +113,12 @@
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+ Ciphertext = 7948C0DA4FE91CD815DCA96DBC9B60A857EB954F4DEB08EB98722642AE69257B
+
++Cipher = DES-EDE-CBC
++Key = 0123456789abcdeff1e0d3c2b5a49786
++IV = fedcba9876543210
++Plaintext =
++Ciphertext =
++
+
+ # DES EDE tests
+ Cipher = DES-EDE
+@@ -105,6 +127,12 @@
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+ Ciphertext = 22E889402E28422F8167AD279D90A566DA75B734E12C671FC2669AECB3E4FE8F
+
++Cipher = DES-EDE
++Key = 0123456789abcdeff1e0d3c2b5a49786
++IV = fedcba9876543210
++Plaintext =
++Ciphertext =
++
+
+ # AES 128 ECB tests (from FIPS-197 test vectors, encrypt)
+ Cipher = AES-128-ECB
+@@ -112,6 +140,11 @@
+ Plaintext = 00112233445566778899AABBCCDDEEFF
+ Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A
+
++Cipher = AES-128-ECB
++Key = 000102030405060708090A0B0C0D0E0F
++Plaintext =
++Ciphertext =
++
+
+ # AES 256 ECB tests (from FIPS-197 test vectors, encrypt)
+ Cipher = AES-256-ECB
+@@ -119,6 +152,11 @@
+ Plaintext = 00112233445566778899AABBCCDDEEFF
+ Ciphertext = 8EA2B7CA516745BFEAFC49904B496089
+
++Cipher = AES-256-ECB
++Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
++Plaintext =
++Ciphertext =
++
+
+ # AES tests from NIST document SP800-38A
+ # For all ECB encrypts and decrypts, the transformed sequence is
+@@ -194,6 +232,12 @@
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = 3FF1CAA1681FAC09120ECA307586E1A7
+
++Cipher = AES-128-CBC
++Key = 2B7E151628AED2A6ABF7158809CF4F3C
++IV = 73BED6B8E3C1743B7116E69E22229516
++Plaintext =
++Ciphertext =
++
+
+ # CBC-AES256.Encrypt and CBC-AES256.Decrypt
+ Cipher = AES-256-CBC
+@@ -220,6 +264,12 @@
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = B2EB05E2C39BE9FCDA6C19078C6A9D1B
+
++Cipher = AES-256-CBC
++Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
++IV = 39F23369A9D9BACFA530E26304231461
++Plaintext =
++Ciphertext =
++
+
+ # AES Counter test vectors from RFC3686
+ Cipher = AES-128-CTR
+@@ -247,6 +297,12 @@
+ Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0
+
+ Cipher = AES-256-CTR
++Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104
++IV = 00000060DB5672C97AA8F0B200000001
++Plaintext =
++Ciphertext =
++
++Cipher = AES-256-CTR
+ Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884
+ IV = 00FAAC24C1585EF15A43D87500000001
+ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+@@ -258,6 +314,12 @@
+ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223
+ Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8
+
++Cipher = AES-256-CTR
++Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D
++IV = 001CC5B751A51D70A1C1114800000001
++Plaintext =
++Ciphertext =
++
+ # Regression test for https://github.com/openssl/openssl/issues/1916.
+ Cipher = AES-128-CTR
+ Key = 7E24067817FAE0D743D6CE1F32539163
+@@ -478,6 +540,13 @@
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = 304C6528F659C77866A510D9C1D6AE5E
+
++Cipher = AES-128-OFB
++Key = 2B7E151628AED2A6ABF7158809CF4F3C
++IV = A78819583F0308E7A6BF36B1386ABF23
++Plaintext =
++Ciphertext =
++
++
+ # OFB-AES192
+ Cipher = AES-192-OFB
+ Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+@@ -503,6 +572,13 @@
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A
+
++Cipher = AES-192-OFB
++Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
++IV = BD5286AC63AABD7EB067AC54B553F71D
++Plaintext =
++Ciphertext =
++
++
+ # OFB-AES256
+ Cipher = AES-256-OFB
+ Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+@@ -528,6 +604,12 @@
+ Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+ Ciphertext = 0126141D67F37BE8538F5A8BE740E484
+
++Cipher = AES-256-OFB
++Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
++IV = 41635BE625B48AFC1666DD42A09D96E7
++Plaintext =
++Ciphertext =
++
+
+ # AES-192 CBC-mode test from upstream OpenSSL.
+ Cipher = AES-192-CBC
+@@ -619,3 +701,8 @@
+ Key = FEDCBA9876543210
+ Plaintext = 0123456789ABCDEF
+ Ciphertext = ED39D950FA74BCC4
++
++Cipher = DES-ECB
++Key = FEDCBA9876543210
++Plaintext =
++Ciphertext =
+diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c
+index 3f1d777..750c575 100644
+--- a/crypto/fipsmodule/modes/cbc.c
++++ b/crypto/fipsmodule/modes/cbc.c
+@@ -57,12 +57,15 @@
+ void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
+ const AES_KEY *key, uint8_t ivec[16],
+ block128_f block) {
++ assert(key != NULL && ivec != NULL);
++ if (len == 0) {
++ // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C.
++ return;
++ }
++
++ assert(in != NULL && out != NULL);
+ size_t n;
+ const uint8_t *iv = ivec;
+-
+- assert(key != NULL && ivec != NULL);
+- assert(len == 0 || (in != NULL && out != NULL));
+-
+ while (len >= 16) {
+ for (n = 0; n < 16; n += sizeof(size_t)) {
+ store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n));
+@@ -97,20 +100,25 @@
+ void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len,
+ const AES_KEY *key, uint8_t ivec[16],
+ block128_f block) {
+- size_t n;
+- union {
+- size_t t[16 / sizeof(size_t)];
+- uint8_t c[16];
+- } tmp;
+-
+ assert(key != NULL && ivec != NULL);
+- assert(len == 0 || (in != NULL && out != NULL));
++ if (len == 0) {
++ // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C.
++ return;
++ }
++
++ assert(in != NULL && out != NULL);
+
+ const uintptr_t inptr = (uintptr_t) in;
+ const uintptr_t outptr = (uintptr_t) out;
+ // If |in| and |out| alias, |in| must be ahead.
+ assert(inptr >= outptr || inptr + len <= outptr);
+
++ size_t n;
++ union {
++ size_t t[16 / sizeof(size_t)];
++ uint8_t c[16];
++ } tmp;
++
+ if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) {
+ // If |out| is at least two blocks behind |in| or completely disjoint, there
+ // is no need to decrypt to a temporary block.
+diff --git a/crypto/fipsmodule/modes/ofb.c b/crypto/fipsmodule/modes/ofb.c
+index 4c70ce6..9d73d8a 100644
+--- a/crypto/fipsmodule/modes/ofb.c
++++ b/crypto/fipsmodule/modes/ofb.c
+@@ -60,7 +60,8 @@
+ void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
+ const AES_KEY *key, uint8_t ivec[16], unsigned *num,
+ block128_f block) {
+- assert(in && out && key && ivec && num);
++ assert(key != NULL && ivec != NULL && num != NULL);
++ assert(len == 0 || (in != NULL && out != NULL));
+
+ unsigned n = *num;
+
+From 8d4c8fc41be567bca17ce7c15304dc06539a060a Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Mon, 29 Mar 2021 12:59:55 -0400
+Subject: [PATCH] Make words in crypto/fipsmodule/modes actually words.
+
+It's a little confusing to have load_word_le but actually use size_t
+instead of crypto_word_t.
+
+NOTE: on some platforms, notably NaCl, crypto_word_t is larger than
+size_t. (Do we still need to support this?) We don't have a good testing
+story here, so I tested it by hacking up a 32-bit x86 build to think it
+was OPENSSL_64_BIT.
+
+Change-Id: Ia0ce469e86803f22655fe2d9659a6a5db766429f
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46424
+Reviewed-by: Adam Langley <agl at google.com>
+---
+
+diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c
+index 750c575..ee3a186 100644
+--- a/crypto/fipsmodule/modes/cbc.c
++++ b/crypto/fipsmodule/modes/cbc.c
+@@ -67,7 +67,7 @@
+ size_t n;
+ const uint8_t *iv = ivec;
+ while (len >= 16) {
+- for (n = 0; n < 16; n += sizeof(size_t)) {
++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
+ store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n));
+ }
+ (*block)(out, out, key);
+@@ -115,19 +115,19 @@
+
+ size_t n;
+ union {
+- size_t t[16 / sizeof(size_t)];
++ crypto_word_t t[16 / sizeof(crypto_word_t)];
+ uint8_t c[16];
+ } tmp;
+
+ if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) {
+ // If |out| is at least two blocks behind |in| or completely disjoint, there
+ // is no need to decrypt to a temporary block.
+- OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0,
++ OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0,
+ "block cannot be evenly divided into words");
+ const uint8_t *iv = ivec;
+ while (len >= 16) {
+ (*block)(in, out, key);
+- for (n = 0; n < 16; n += sizeof(size_t)) {
++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
+ store_word_le(out + n, load_word_le(out + n) ^ load_word_le(iv + n));
+ }
+ iv = in;
+@@ -137,15 +137,15 @@
+ }
+ OPENSSL_memcpy(ivec, iv, 16);
+ } else {
+- OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0,
++ OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0,
+ "block cannot be evenly divided into words");
+
+ while (len >= 16) {
+ (*block)(in, tmp.c, key);
+- for (n = 0; n < 16; n += sizeof(size_t)) {
+- size_t c = load_word_le(in + n);
+- store_word_le(out + n,
+- tmp.t[n / sizeof(size_t)] ^ load_word_le(ivec + n));
++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
++ crypto_word_t c = load_word_le(in + n);
++ store_word_le(
++ out + n, tmp.t[n / sizeof(crypto_word_t)] ^ load_word_le(ivec + n));
+ store_word_le(ivec + n, c);
+ }
+ len -= 16;
+diff --git a/crypto/fipsmodule/modes/cfb.c b/crypto/fipsmodule/modes/cfb.c
+index 8ca9004..01291c8 100644
+--- a/crypto/fipsmodule/modes/cfb.c
++++ b/crypto/fipsmodule/modes/cfb.c
+@@ -72,8 +72,8 @@
+ }
+ while (len >= 16) {
+ (*block)(ivec, ivec, key);
+- for (; n < 16; n += sizeof(size_t)) {
+- size_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n);
++ for (; n < 16; n += sizeof(crypto_word_t)) {
++ crypto_word_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n);
+ store_word_le(ivec + n, tmp);
+ store_word_le(out + n, tmp);
+ }
+@@ -101,8 +101,8 @@
+ }
+ while (len >= 16) {
+ (*block)(ivec, ivec, key);
+- for (; n < 16; n += sizeof(size_t)) {
+- size_t t = load_word_le(in + n);
++ for (; n < 16; n += sizeof(crypto_word_t)) {
++ crypto_word_t t = load_word_le(in + n);
+ store_word_le(out + n, load_word_le(ivec + n) ^ t);
+ store_word_le(ivec + n, t);
+ }
+diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c
+index 8b0e059..cfb2184 100644
+--- a/crypto/fipsmodule/modes/ctr.c
++++ b/crypto/fipsmodule/modes/ctr.c
+@@ -69,8 +69,8 @@
+ } while (n);
+ }
+
+-OPENSSL_STATIC_ASSERT(16 % sizeof(size_t) == 0,
+- "block cannot be divided into size_t");
++OPENSSL_STATIC_ASSERT(16 % sizeof(crypto_word_t) == 0,
++ "block cannot be divided into crypto_word_t");
+
+ // The input encrypted as though 128bit counter mode is being used. The extra
+ // state information to record how much of the 128bit block we have used is
+@@ -102,7 +102,7 @@
+ while (len >= 16) {
+ (*block)(ivec, ecount_buf, key);
+ ctr128_inc(ivec);
+- for (n = 0; n < 16; n += sizeof(size_t)) {
++ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
+ store_word_le(out + n,
+ load_word_le(in + n) ^ load_word_le(ecount_buf + n));
+ }
+diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c
+index 14fff86..077369d 100644
+--- a/crypto/fipsmodule/modes/gcm.c
++++ b/crypto/fipsmodule/modes/gcm.c
+@@ -73,7 +73,7 @@
+
+ #if defined(GHASH_ASM_X86_64) || defined(GHASH_ASM_X86)
+ static inline void gcm_reduce_1bit(u128 *V) {
+- if (sizeof(size_t) == 8) {
++ if (sizeof(crypto_word_t) == 8) {
+ uint64_t T = UINT64_C(0xe100000000000000) & (0 - (V->hi & 1));
+ V->hi = (V->lo << 63) | (V->hi >> 1);
+ V->lo = (V->lo >> 1) ^ T;
+@@ -377,9 +377,9 @@
+ (*block)(ctx->Yi.c, ctx->EKi.c, key);
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+- for (size_t i = 0; i < 16; i += sizeof(size_t)) {
+- store_word_le(out + i,
+- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]);
++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
++ store_word_le(out + i, load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+@@ -394,9 +394,9 @@
+ (*block)(ctx->Yi.c, ctx->EKi.c, key);
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+- for (size_t i = 0; i < 16; i += sizeof(size_t)) {
+- store_word_le(out + i,
+- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]);
++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
++ store_word_le(out + i, load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+@@ -468,9 +468,9 @@
+ (*block)(ctx->Yi.c, ctx->EKi.c, key);
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+- for (size_t i = 0; i < 16; i += sizeof(size_t)) {
+- store_word_le(out + i,
+- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]);
++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
++ store_word_le(out + i, load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+@@ -485,9 +485,9 @@
+ (*block)(ctx->Yi.c, ctx->EKi.c, key);
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+- for (size_t i = 0; i < 16; i += sizeof(size_t)) {
+- store_word_le(out + i,
+- load_word_le(in + i) ^ ctx->EKi.t[i / sizeof(size_t)]);
++ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
++ store_word_le(out + i, load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h
+index 2693fa6..bf25023 100644
+--- a/crypto/fipsmodule/modes/internal.h
++++ b/crypto/fipsmodule/modes/internal.h
+@@ -75,13 +75,13 @@
+ OPENSSL_memcpy(out, &v, sizeof(v));
+ }
+
+-static inline size_t load_word_le(const void *in) {
+- size_t v;
++static inline crypto_word_t load_word_le(const void *in) {
++ crypto_word_t v;
+ OPENSSL_memcpy(&v, in, sizeof(v));
+ return v;
+ }
+
+-static inline void store_word_le(void *out, size_t v) {
++static inline void store_word_le(void *out, crypto_word_t v) {
+ OPENSSL_memcpy(out, &v, sizeof(v));
+ }
+
+@@ -171,7 +171,7 @@
+ uint64_t u[2];
+ uint32_t d[4];
+ uint8_t c[16];
+- size_t t[16 / sizeof(size_t)];
++ crypto_word_t t[16 / sizeof(crypto_word_t)];
+ } Yi, EKi, EK0, len, Xi;
+
+ // Note that the order of |Xi| and |gcm_key| is fixed by the MOVBE-based,
+From ca4598781a37b6d3f2f7a63593229cd7570a194f Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Mon, 29 Mar 2021 12:54:16 -0400
+Subject: [PATCH] Move load/store helpers to crypto/internal.h.
+
+We have loads of variations of these. Align them in one set. This avoids
+the HOST_* macros defined by md32_common.h, so it'll be a little easier
+to make it a more conventional header.
+
+Change-Id: Id47fe7b51a8f961bd87839f8146d8a5aa8027aa6
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46425
+Reviewed-by: Adam Langley <agl at google.com>
+---
+
+diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h
+index 07d39d9..a0634d1 100644
+--- a/crypto/fipsmodule/digest/md32_common.h
++++ b/crypto/fipsmodule/digest/md32_common.h
+@@ -136,44 +136,6 @@
+ #error "HASH_MAKE_STRING must be defined!"
+ #endif
+
+-#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+-
+-#define HOST_c2l(c, l) \
+- do { \
+- (l) = (((uint32_t)(*((c)++))) << 24); \
+- (l) |= (((uint32_t)(*((c)++))) << 16); \
+- (l) |= (((uint32_t)(*((c)++))) << 8); \
+- (l) |= (((uint32_t)(*((c)++)))); \
+- } while (0)
+-
+-#define HOST_l2c(l, c) \
+- do { \
+- *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \
+- *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \
+- *((c)++) = (uint8_t)(((l) >> 8) & 0xff); \
+- *((c)++) = (uint8_t)(((l)) & 0xff); \
+- } while (0)
+-
+-#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+-
+-#define HOST_c2l(c, l) \
+- do { \
+- (l) = (((uint32_t)(*((c)++)))); \
+- (l) |= (((uint32_t)(*((c)++))) << 8); \
+- (l) |= (((uint32_t)(*((c)++))) << 16); \
+- (l) |= (((uint32_t)(*((c)++))) << 24); \
+- } while (0)
+-
+-#define HOST_l2c(l, c) \
+- do { \
+- *((c)++) = (uint8_t)(((l)) & 0xff); \
+- *((c)++) = (uint8_t)(((l) >> 8) & 0xff); \
+- *((c)++) = (uint8_t)(((l) >> 16) & 0xff); \
+- *((c)++) = (uint8_t)(((l) >> 24) & 0xff); \
+- } while (0)
+-
+-#endif // DATA_ORDER
+-
+ int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) {
+ const uint8_t *data = data_;
+
+@@ -247,13 +209,12 @@
+ // Append a 64-bit length to the block and process it.
+ uint8_t *p = c->data + HASH_CBLOCK - 8;
+ #if defined(DATA_ORDER_IS_BIG_ENDIAN)
+- HOST_l2c(c->Nh, p);
+- HOST_l2c(c->Nl, p);
++ CRYPTO_store_u32_be(p, c->Nh);
++ CRYPTO_store_u32_be(p + 4, c->Nl);
+ #elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+- HOST_l2c(c->Nl, p);
+- HOST_l2c(c->Nh, p);
++ CRYPTO_store_u32_le(p, c->Nl);
++ CRYPTO_store_u32_le(p + 4, c->Nh);
+ #endif
+- assert(p == c->data + HASH_CBLOCK);
+ HASH_BLOCK_DATA_ORDER(c->h, c->data, 1);
+ c->num = 0;
+ OPENSSL_memset(c->data, 0, HASH_CBLOCK);
+diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c
+index cc2a631..0551664 100644
+--- a/crypto/fipsmodule/md4/md4.c
++++ b/crypto/fipsmodule/md4/md4.c
+@@ -92,17 +92,16 @@
+ #define HASH_UPDATE MD4_Update
+ #define HASH_TRANSFORM MD4_Transform
+ #define HASH_FINAL MD4_Final
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- uint32_t ll; \
+- ll = (c)->h[0]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[1]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[2]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[3]; \
+- HOST_l2c(ll, (s)); \
++#define HASH_MAKE_STRING(c, s) \
++ do { \
++ CRYPTO_store_u32_le((s), (c)->h[0]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[1]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[2]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[3]); \
++ (s) += 4; \
+ } while (0)
+ #define HASH_BLOCK_DATA_ORDER md4_block_data_order
+
+@@ -136,7 +135,7 @@
+ } while (0)
+
+ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) {
+- uint32_t A, B, C, D, l;
++ uint32_t A, B, C, D;
+ uint32_t X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X12, X13, X14, X15;
+
+ A = state[0];
+@@ -145,53 +144,53 @@
+ D = state[3];
+
+ for (; num--;) {
+- HOST_c2l(data, l);
+- X0 = l;
+- HOST_c2l(data, l);
+- X1 = l;
++ X0 = CRYPTO_load_u32_le(data);
++ data += 4;
++ X1 = CRYPTO_load_u32_le(data);
++ data += 4;
+ // Round 0
+ R0(A, B, C, D, X0, 3, 0);
+- HOST_c2l(data, l);
+- X2 = l;
++ X2 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X1, 7, 0);
+- HOST_c2l(data, l);
+- X3 = l;
++ X3 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X2, 11, 0);
+- HOST_c2l(data, l);
+- X4 = l;
++ X4 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(B, C, D, A, X3, 19, 0);
+- HOST_c2l(data, l);
+- X5 = l;
++ X5 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(A, B, C, D, X4, 3, 0);
+- HOST_c2l(data, l);
+- X6 = l;
++ X6 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X5, 7, 0);
+- HOST_c2l(data, l);
+- X7 = l;
++ X7 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X6, 11, 0);
+- HOST_c2l(data, l);
+- X8 = l;
++ X8 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(B, C, D, A, X7, 19, 0);
+- HOST_c2l(data, l);
+- X9 = l;
++ X9 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(A, B, C, D, X8, 3, 0);
+- HOST_c2l(data, l);
+- X10 = l;
++ X10 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X9, 7, 0);
+- HOST_c2l(data, l);
+- X11 = l;
++ X11 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X10, 11, 0);
+- HOST_c2l(data, l);
+- X12 = l;
++ X12 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(B, C, D, A, X11, 19, 0);
+- HOST_c2l(data, l);
+- X13 = l;
++ X13 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(A, B, C, D, X12, 3, 0);
+- HOST_c2l(data, l);
+- X14 = l;
++ X14 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X13, 7, 0);
+- HOST_c2l(data, l);
+- X15 = l;
++ X15 = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X14, 11, 0);
+ R0(B, C, D, A, X15, 19, 0);
+ // Round 1
+@@ -252,5 +251,3 @@
+ #undef R0
+ #undef R1
+ #undef R2
+-#undef HOST_c2l
+-#undef HOST_l2c
+diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c
+index a48d704..bd6bf6a 100644
+--- a/crypto/fipsmodule/md5/md5.c
++++ b/crypto/fipsmodule/md5/md5.c
+@@ -98,17 +98,16 @@
+ #define HASH_UPDATE MD5_Update
+ #define HASH_TRANSFORM MD5_Transform
+ #define HASH_FINAL MD5_Final
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- uint32_t ll; \
+- ll = (c)->h[0]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[1]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[2]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[3]; \
+- HOST_l2c(ll, (s)); \
++#define HASH_MAKE_STRING(c, s) \
++ do { \
++ CRYPTO_store_u32_le((s), (c)->h[0]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[1]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[2]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[3]); \
++ (s) += 4; \
+ } while (0)
+ #define HASH_BLOCK_DATA_ORDER md5_block_data_order
+
+@@ -158,7 +157,7 @@
+ #endif
+ static void md5_block_data_order(uint32_t *state, const uint8_t *data,
+ size_t num) {
+- uint32_t A, B, C, D, l;
++ uint32_t A, B, C, D;
+ uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12,
+ XX13, XX14, XX15;
+ #define X(i) XX##i
+@@ -169,53 +168,53 @@
+ D = state[3];
+
+ for (; num--;) {
+- HOST_c2l(data, l);
+- X(0) = l;
+- HOST_c2l(data, l);
+- X(1) = l;
++ X(0) = CRYPTO_load_u32_le(data);
++ data += 4;
++ X(1) = CRYPTO_load_u32_le(data);
++ data += 4;
+ // Round 0
+ R0(A, B, C, D, X(0), 7, 0xd76aa478L);
+- HOST_c2l(data, l);
+- X(2) = l;
++ X(2) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X(1), 12, 0xe8c7b756L);
+- HOST_c2l(data, l);
+- X(3) = l;
++ X(3) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X(2), 17, 0x242070dbL);
+- HOST_c2l(data, l);
+- X(4) = l;
++ X(4) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(B, C, D, A, X(3), 22, 0xc1bdceeeL);
+- HOST_c2l(data, l);
+- X(5) = l;
++ X(5) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(A, B, C, D, X(4), 7, 0xf57c0fafL);
+- HOST_c2l(data, l);
+- X(6) = l;
++ X(6) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X(5), 12, 0x4787c62aL);
+- HOST_c2l(data, l);
+- X(7) = l;
++ X(7) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X(6), 17, 0xa8304613L);
+- HOST_c2l(data, l);
+- X(8) = l;
++ X(8) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(B, C, D, A, X(7), 22, 0xfd469501L);
+- HOST_c2l(data, l);
+- X(9) = l;
++ X(9) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(A, B, C, D, X(8), 7, 0x698098d8L);
+- HOST_c2l(data, l);
+- X(10) = l;
++ X(10) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X(9), 12, 0x8b44f7afL);
+- HOST_c2l(data, l);
+- X(11) = l;
++ X(11) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X(10), 17, 0xffff5bb1L);
+- HOST_c2l(data, l);
+- X(12) = l;
++ X(12) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(B, C, D, A, X(11), 22, 0x895cd7beL);
+- HOST_c2l(data, l);
+- X(13) = l;
++ X(13) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(A, B, C, D, X(12), 7, 0x6b901122L);
+- HOST_c2l(data, l);
+- X(14) = l;
++ X(14) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(D, A, B, C, X(13), 12, 0xfd987193L);
+- HOST_c2l(data, l);
+- X(15) = l;
++ X(15) = CRYPTO_load_u32_le(data);
++ data += 4;
+ R0(C, D, A, B, X(14), 17, 0xa679438eL);
+ R0(B, C, D, A, X(15), 22, 0x49b40821L);
+ // Round 1
+@@ -297,5 +296,3 @@
+ #undef R1
+ #undef R2
+ #undef R3
+-#undef HOST_c2l
+-#undef HOST_l2c
+diff --git a/crypto/fipsmodule/modes/cbc.c b/crypto/fipsmodule/modes/cbc.c
+index ee3a186..192580e 100644
+--- a/crypto/fipsmodule/modes/cbc.c
++++ b/crypto/fipsmodule/modes/cbc.c
+@@ -52,6 +52,7 @@
+ #include <openssl/type_check.h>
+
+ #include "internal.h"
++#include "../../internal.h"
+
+
+ void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
+@@ -68,7 +69,8 @@
+ const uint8_t *iv = ivec;
+ while (len >= 16) {
+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
+- store_word_le(out + n, load_word_le(in + n) ^ load_word_le(iv + n));
++ CRYPTO_store_word_le(
++ out + n, CRYPTO_load_word_le(in + n) ^ CRYPTO_load_word_le(iv + n));
+ }
+ (*block)(out, out, key);
+ iv = out;
+@@ -128,7 +130,8 @@
+ while (len >= 16) {
+ (*block)(in, out, key);
+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
+- store_word_le(out + n, load_word_le(out + n) ^ load_word_le(iv + n));
++ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(out + n) ^
++ CRYPTO_load_word_le(iv + n));
+ }
+ iv = in;
+ len -= 16;
+@@ -143,10 +146,10 @@
+ while (len >= 16) {
+ (*block)(in, tmp.c, key);
+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
+- crypto_word_t c = load_word_le(in + n);
+- store_word_le(
+- out + n, tmp.t[n / sizeof(crypto_word_t)] ^ load_word_le(ivec + n));
+- store_word_le(ivec + n, c);
++ crypto_word_t c = CRYPTO_load_word_le(in + n);
++ CRYPTO_store_word_le(out + n, tmp.t[n / sizeof(crypto_word_t)] ^
++ CRYPTO_load_word_le(ivec + n));
++ CRYPTO_store_word_le(ivec + n, c);
+ }
+ len -= 16;
+ in += 16;
+diff --git a/crypto/fipsmodule/modes/cfb.c b/crypto/fipsmodule/modes/cfb.c
+index 01291c8..283a107 100644
+--- a/crypto/fipsmodule/modes/cfb.c
++++ b/crypto/fipsmodule/modes/cfb.c
+@@ -73,9 +73,10 @@
+ while (len >= 16) {
+ (*block)(ivec, ivec, key);
+ for (; n < 16; n += sizeof(crypto_word_t)) {
+- crypto_word_t tmp = load_word_le(ivec + n) ^ load_word_le(in + n);
+- store_word_le(ivec + n, tmp);
+- store_word_le(out + n, tmp);
++ crypto_word_t tmp =
++ CRYPTO_load_word_le(ivec + n) ^ CRYPTO_load_word_le(in + n);
++ CRYPTO_store_word_le(ivec + n, tmp);
++ CRYPTO_store_word_le(out + n, tmp);
+ }
+ len -= 16;
+ out += 16;
+@@ -102,9 +103,9 @@
+ while (len >= 16) {
+ (*block)(ivec, ivec, key);
+ for (; n < 16; n += sizeof(crypto_word_t)) {
+- crypto_word_t t = load_word_le(in + n);
+- store_word_le(out + n, load_word_le(ivec + n) ^ t);
+- store_word_le(ivec + n, t);
++ crypto_word_t t = CRYPTO_load_word_le(in + n);
++ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(ivec + n) ^ t);
++ CRYPTO_store_word_le(ivec + n, t);
+ }
+ len -= 16;
+ out += 16;
+diff --git a/crypto/fipsmodule/modes/ctr.c b/crypto/fipsmodule/modes/ctr.c
+index cfb2184..cea79ad 100644
+--- a/crypto/fipsmodule/modes/ctr.c
++++ b/crypto/fipsmodule/modes/ctr.c
+@@ -52,6 +52,7 @@
+ #include <string.h>
+
+ #include "internal.h"
++#include "../../internal.h"
+
+
+ // NOTE: the IV/counter CTR mode is big-endian. The code itself
+@@ -103,8 +104,8 @@
+ (*block)(ivec, ecount_buf, key);
+ ctr128_inc(ivec);
+ for (n = 0; n < 16; n += sizeof(crypto_word_t)) {
+- store_word_le(out + n,
+- load_word_le(in + n) ^ load_word_le(ecount_buf + n));
++ CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(in + n) ^
++ CRYPTO_load_word_le(ecount_buf + n));
+ }
+ len -= 16;
+ out += 16;
+@@ -152,7 +153,7 @@
+ n = (n + 1) % 16;
+ }
+
+- ctr32 = GETU32(ivec + 12);
++ ctr32 = CRYPTO_load_u32_be(ivec + 12);
+ while (len >= 16) {
+ size_t blocks = len / 16;
+ // 1<<28 is just a not-so-small yet not-so-large number...
+@@ -172,7 +173,7 @@
+ }
+ (*func)(in, out, blocks, key, ivec);
+ // (*func) does not update ivec, caller does:
+- PUTU32(ivec + 12, ctr32);
++ CRYPTO_store_u32_be(ivec + 12, ctr32);
+ // ... overflow was detected, propogate carry.
+ if (ctr32 == 0) {
+ ctr96_inc(ivec);
+@@ -186,7 +187,7 @@
+ OPENSSL_memset(ecount_buf, 0, 16);
+ (*func)(ecount_buf, ecount_buf, 1, key, ivec);
+ ++ctr32;
+- PUTU32(ivec + 12, ctr32);
++ CRYPTO_store_u32_be(ivec + 12, ctr32);
+ if (ctr32 == 0) {
+ ctr96_inc(ivec);
+ }
+diff --git a/crypto/fipsmodule/modes/gcm.c b/crypto/fipsmodule/modes/gcm.c
+index 077369d..b010cd5 100644
+--- a/crypto/fipsmodule/modes/gcm.c
++++ b/crypto/fipsmodule/modes/gcm.c
+@@ -378,8 +378,9 @@
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
+- store_word_le(out + i, load_word_le(in + i) ^
+- ctx->EKi.t[i / sizeof(crypto_word_t)]);
++ CRYPTO_store_word_le(out + i,
++ CRYPTO_load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+@@ -395,8 +396,9 @@
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
+- store_word_le(out + i, load_word_le(in + i) ^
+- ctx->EKi.t[i / sizeof(crypto_word_t)]);
++ CRYPTO_store_word_le(out + i,
++ CRYPTO_load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+@@ -469,8 +471,9 @@
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
+- store_word_le(out + i, load_word_le(in + i) ^
+- ctx->EKi.t[i / sizeof(crypto_word_t)]);
++ CRYPTO_store_word_le(out + i,
++ CRYPTO_load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+@@ -486,8 +489,9 @@
+ ++ctr;
+ ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
+ for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {
+- store_word_le(out + i, load_word_le(in + i) ^
+- ctx->EKi.t[i / sizeof(crypto_word_t)]);
++ CRYPTO_store_word_le(out + i,
++ CRYPTO_load_word_le(in + i) ^
++ ctx->EKi.t[i / sizeof(crypto_word_t)]);
+ }
+ out += 16;
+ in += 16;
+diff --git a/crypto/fipsmodule/modes/internal.h b/crypto/fipsmodule/modes/internal.h
+index bf25023..2fea558 100644
+--- a/crypto/fipsmodule/modes/internal.h
++++ b/crypto/fipsmodule/modes/internal.h
+@@ -64,27 +64,6 @@
+ #endif
+
+
+-static inline uint32_t GETU32(const void *in) {
+- uint32_t v;
+- OPENSSL_memcpy(&v, in, sizeof(v));
+- return CRYPTO_bswap4(v);
+-}
+-
+-static inline void PUTU32(void *out, uint32_t v) {
+- v = CRYPTO_bswap4(v);
+- OPENSSL_memcpy(out, &v, sizeof(v));
+-}
+-
+-static inline crypto_word_t load_word_le(const void *in) {
+- crypto_word_t v;
+- OPENSSL_memcpy(&v, in, sizeof(v));
+- return v;
+-}
+-
+-static inline void store_word_le(void *out, crypto_word_t v) {
+- OPENSSL_memcpy(out, &v, sizeof(v));
+-}
+-
+ // block128_f is the type of an AES block cipher implementation.
+ //
+ // Unlike upstream OpenSSL, it and the other functions in this file hard-code
+diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c
+index 3b76194..2f50c67 100644
+--- a/crypto/fipsmodule/sha/sha1.c
++++ b/crypto/fipsmodule/sha/sha1.c
+@@ -88,19 +88,18 @@
+ #define HASH_CTX SHA_CTX
+ #define HASH_CBLOCK 64
+ #define HASH_DIGEST_LENGTH 20
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- uint32_t ll; \
+- ll = (c)->h[0]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[1]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[2]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[3]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[4]; \
+- HOST_l2c(ll, (s)); \
++#define HASH_MAKE_STRING(c, s) \
++ do { \
++ CRYPTO_store_u32_be((s), (c)->h[0]); \
++ (s) += 4; \
++ CRYPTO_store_u32_be((s), (c)->h[1]); \
++ (s) += 4; \
++ CRYPTO_store_u32_be((s), (c)->h[2]); \
++ (s) += 4; \
++ CRYPTO_store_u32_be((s), (c)->h[3]); \
++ (s) += 4; \
++ CRYPTO_store_u32_be((s), (c)->h[4]); \
++ (s) += 4; \
+ } while (0)
+
+ #define HASH_UPDATE SHA1_Update
+@@ -193,7 +192,7 @@
+ #if !defined(SHA1_ASM)
+ static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
+ size_t num) {
+- register uint32_t A, B, C, D, E, T, l;
++ register uint32_t A, B, C, D, E, T;
+ uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10,
+ XX11, XX12, XX13, XX14, XX15;
+
+@@ -204,52 +203,52 @@
+ E = state[4];
+
+ for (;;) {
+- HOST_c2l(data, l);
+- X(0) = l;
+- HOST_c2l(data, l);
+- X(1) = l;
++ X(0) = CRYPTO_load_u32_be(data);
++ data += 4;
++ X(1) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(0, A, B, C, D, E, T, X(0));
+- HOST_c2l(data, l);
+- X(2) = l;
++ X(2) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(1, T, A, B, C, D, E, X(1));
+- HOST_c2l(data, l);
+- X(3) = l;
++ X(3) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(2, E, T, A, B, C, D, X(2));
+- HOST_c2l(data, l);
+- X(4) = l;
++ X(4) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(3, D, E, T, A, B, C, X(3));
+- HOST_c2l(data, l);
+- X(5) = l;
++ X(5) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(4, C, D, E, T, A, B, X(4));
+- HOST_c2l(data, l);
+- X(6) = l;
++ X(6) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(5, B, C, D, E, T, A, X(5));
+- HOST_c2l(data, l);
+- X(7) = l;
++ X(7) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(6, A, B, C, D, E, T, X(6));
+- HOST_c2l(data, l);
+- X(8) = l;
++ X(8) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(7, T, A, B, C, D, E, X(7));
+- HOST_c2l(data, l);
+- X(9) = l;
++ X(9) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(8, E, T, A, B, C, D, X(8));
+- HOST_c2l(data, l);
+- X(10) = l;
++ X(10) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(9, D, E, T, A, B, C, X(9));
+- HOST_c2l(data, l);
+- X(11) = l;
++ X(11) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(10, C, D, E, T, A, B, X(10));
+- HOST_c2l(data, l);
+- X(12) = l;
++ X(12) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(11, B, C, D, E, T, A, X(11));
+- HOST_c2l(data, l);
+- X(13) = l;
++ X(13) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(12, A, B, C, D, E, T, X(12));
+- HOST_c2l(data, l);
+- X(14) = l;
++ X(14) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(13, T, A, B, C, D, E, X(13));
+- HOST_c2l(data, l);
+- X(15) = l;
++ X(15) = CRYPTO_load_u32_be(data);
++ data += 4;
+ BODY_00_15(14, E, T, A, B, C, D, X(14));
+ BODY_00_15(15, D, E, T, A, B, C, X(15));
+
+@@ -367,5 +366,3 @@
+ #undef BODY_40_59
+ #undef BODY_60_79
+ #undef X
+-#undef HOST_c2l
+-#undef HOST_l2c
+diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c
+index 0e42446..390ee3a 100644
+--- a/crypto/fipsmodule/sha/sha256.c
++++ b/crypto/fipsmodule/sha/sha256.c
+@@ -139,19 +139,18 @@
+ // hash 'final' function can fail. This should never happen.
+ #define HASH_MAKE_STRING(c, s) \
+ do { \
+- uint32_t ll; \
+ unsigned int nn; \
+ switch ((c)->md_len) { \
+ case SHA224_DIGEST_LENGTH: \
+ for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
+- ll = (c)->h[nn]; \
+- HOST_l2c(ll, (s)); \
++ CRYPTO_store_u32_be((s), (c)->h[nn]); \
++ (s) += 4; \
+ } \
+ break; \
+ case SHA256_DIGEST_LENGTH: \
+ for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
+- ll = (c)->h[nn]; \
+- HOST_l2c(ll, (s)); \
++ CRYPTO_store_u32_be((s), (c)->h[nn]); \
++ (s) += 4; \
+ } \
+ break; \
+ default: \
+@@ -159,8 +158,8 @@
+ return 0; \
+ } \
+ for (nn = 0; nn < (c)->md_len / 4; nn++) { \
+- ll = (c)->h[nn]; \
+- HOST_l2c(ll, (s)); \
++ CRYPTO_store_u32_be((s), (c)->h[nn]); \
++ (s) += 4; \
+ } \
+ break; \
+ } \
+@@ -241,55 +240,53 @@
+ g = state[6];
+ h = state[7];
+
+- uint32_t l;
+-
+- HOST_c2l(data, l);
+- T1 = X[0] = l;
++ T1 = X[0] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(0, a, b, c, d, e, f, g, h);
+- HOST_c2l(data, l);
+- T1 = X[1] = l;
++ T1 = X[1] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(1, h, a, b, c, d, e, f, g);
+- HOST_c2l(data, l);
+- T1 = X[2] = l;
++ T1 = X[2] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(2, g, h, a, b, c, d, e, f);
+- HOST_c2l(data, l);
+- T1 = X[3] = l;
++ T1 = X[3] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(3, f, g, h, a, b, c, d, e);
+- HOST_c2l(data, l);
+- T1 = X[4] = l;
++ T1 = X[4] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(4, e, f, g, h, a, b, c, d);
+- HOST_c2l(data, l);
+- T1 = X[5] = l;
++ T1 = X[5] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(5, d, e, f, g, h, a, b, c);
+- HOST_c2l(data, l);
+- T1 = X[6] = l;
++ T1 = X[6] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(6, c, d, e, f, g, h, a, b);
+- HOST_c2l(data, l);
+- T1 = X[7] = l;
++ T1 = X[7] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(7, b, c, d, e, f, g, h, a);
+- HOST_c2l(data, l);
+- T1 = X[8] = l;
++ T1 = X[8] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(8, a, b, c, d, e, f, g, h);
+- HOST_c2l(data, l);
+- T1 = X[9] = l;
++ T1 = X[9] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(9, h, a, b, c, d, e, f, g);
+- HOST_c2l(data, l);
+- T1 = X[10] = l;
++ T1 = X[10] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(10, g, h, a, b, c, d, e, f);
+- HOST_c2l(data, l);
+- T1 = X[11] = l;
++ T1 = X[11] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(11, f, g, h, a, b, c, d, e);
+- HOST_c2l(data, l);
+- T1 = X[12] = l;
++ T1 = X[12] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(12, e, f, g, h, a, b, c, d);
+- HOST_c2l(data, l);
+- T1 = X[13] = l;
++ T1 = X[13] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(13, d, e, f, g, h, a, b, c);
+- HOST_c2l(data, l);
+- T1 = X[14] = l;
++ T1 = X[14] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(14, c, d, e, f, g, h, a, b);
+- HOST_c2l(data, l);
+- T1 = X[15] = l;
++ T1 = X[15] = CRYPTO_load_u32_be(data);
++ data += 4;
+ ROUND_00_15(15, b, c, d, e, f, g, h, a);
+
+ for (i = 16; i < 64; i += 8) {
+@@ -339,5 +336,3 @@
+ #undef Maj
+ #undef ROUND_00_15
+ #undef ROUND_16_63
+-#undef HOST_c2l
+-#undef HOST_l2c
+diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c
+index ba86c1e..1f40e7a 100644
+--- a/crypto/fipsmodule/sha/sha512.c
++++ b/crypto/fipsmodule/sha/sha512.c
+@@ -256,22 +256,8 @@
+ }
+
+ OPENSSL_memset(p + n, 0, sizeof(sha->p) - 16 - n);
+- p[sizeof(sha->p) - 1] = (uint8_t)(sha->Nl);
+- p[sizeof(sha->p) - 2] = (uint8_t)(sha->Nl >> 8);
+- p[sizeof(sha->p) - 3] = (uint8_t)(sha->Nl >> 16);
+- p[sizeof(sha->p) - 4] = (uint8_t)(sha->Nl >> 24);
+- p[sizeof(sha->p) - 5] = (uint8_t)(sha->Nl >> 32);
+- p[sizeof(sha->p) - 6] = (uint8_t)(sha->Nl >> 40);
+- p[sizeof(sha->p) - 7] = (uint8_t)(sha->Nl >> 48);
+- p[sizeof(sha->p) - 8] = (uint8_t)(sha->Nl >> 56);
+- p[sizeof(sha->p) - 9] = (uint8_t)(sha->Nh);
+- p[sizeof(sha->p) - 10] = (uint8_t)(sha->Nh >> 8);
+- p[sizeof(sha->p) - 11] = (uint8_t)(sha->Nh >> 16);
+- p[sizeof(sha->p) - 12] = (uint8_t)(sha->Nh >> 24);
+- p[sizeof(sha->p) - 13] = (uint8_t)(sha->Nh >> 32);
+- p[sizeof(sha->p) - 14] = (uint8_t)(sha->Nh >> 40);
+- p[sizeof(sha->p) - 15] = (uint8_t)(sha->Nh >> 48);
+- p[sizeof(sha->p) - 16] = (uint8_t)(sha->Nh >> 56);
++ CRYPTO_store_u64_be(p + sizeof(sha->p) - 16, sha->Nh);
++ CRYPTO_store_u64_be(p + sizeof(sha->p) - 8, sha->Nl);
+
+ sha512_block_data_order(sha->h, p, 1);
+
+@@ -368,12 +354,6 @@
+ #define ROTR(x, s) (((x) >> s) | (x) << (64 - s))
+ #endif
+
+-static inline uint64_t load_u64_be(const void *ptr) {
+- uint64_t ret;
+- OPENSSL_memcpy(&ret, ptr, sizeof(ret));
+- return CRYPTO_bswap8(ret);
+-}
+-
+ #define Sigma0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39))
+ #define Sigma1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41))
+ #define sigma0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7))
+@@ -404,7 +384,7 @@
+ F[7] = state[7];
+
+ for (i = 0; i < 16; i++, F--) {
+- T = load_u64_be(in + i * 8);
++ T = CRYPTO_load_u64_be(in + i * 8);
+ F[0] = A;
+ F[4] = E;
+ F[8] = T;
+@@ -476,37 +456,37 @@
+ g = state[6];
+ h = state[7];
+
+- T1 = X[0] = load_u64_be(in);
++ T1 = X[0] = CRYPTO_load_u64_be(in);
+ ROUND_00_15(0, a, b, c, d, e, f, g, h);
+- T1 = X[1] = load_u64_be(in + 8);
++ T1 = X[1] = CRYPTO_load_u64_be(in + 8);
+ ROUND_00_15(1, h, a, b, c, d, e, f, g);
+- T1 = X[2] = load_u64_be(in + 2 * 8);
++ T1 = X[2] = CRYPTO_load_u64_be(in + 2 * 8);
+ ROUND_00_15(2, g, h, a, b, c, d, e, f);
+- T1 = X[3] = load_u64_be(in + 3 * 8);
++ T1 = X[3] = CRYPTO_load_u64_be(in + 3 * 8);
+ ROUND_00_15(3, f, g, h, a, b, c, d, e);
+- T1 = X[4] = load_u64_be(in + 4 * 8);
++ T1 = X[4] = CRYPTO_load_u64_be(in + 4 * 8);
+ ROUND_00_15(4, e, f, g, h, a, b, c, d);
+- T1 = X[5] = load_u64_be(in + 5 * 8);
++ T1 = X[5] = CRYPTO_load_u64_be(in + 5 * 8);
+ ROUND_00_15(5, d, e, f, g, h, a, b, c);
+- T1 = X[6] = load_u64_be(in + 6 * 8);
++ T1 = X[6] = CRYPTO_load_u64_be(in + 6 * 8);
+ ROUND_00_15(6, c, d, e, f, g, h, a, b);
+- T1 = X[7] = load_u64_be(in + 7 * 8);
++ T1 = X[7] = CRYPTO_load_u64_be(in + 7 * 8);
+ ROUND_00_15(7, b, c, d, e, f, g, h, a);
+- T1 = X[8] = load_u64_be(in + 8 * 8);
++ T1 = X[8] = CRYPTO_load_u64_be(in + 8 * 8);
+ ROUND_00_15(8, a, b, c, d, e, f, g, h);
+- T1 = X[9] = load_u64_be(in + 9 * 8);
++ T1 = X[9] = CRYPTO_load_u64_be(in + 9 * 8);
+ ROUND_00_15(9, h, a, b, c, d, e, f, g);
+- T1 = X[10] = load_u64_be(in + 10 * 8);
++ T1 = X[10] = CRYPTO_load_u64_be(in + 10 * 8);
+ ROUND_00_15(10, g, h, a, b, c, d, e, f);
+- T1 = X[11] = load_u64_be(in + 11 * 8);
++ T1 = X[11] = CRYPTO_load_u64_be(in + 11 * 8);
+ ROUND_00_15(11, f, g, h, a, b, c, d, e);
+- T1 = X[12] = load_u64_be(in + 12 * 8);
++ T1 = X[12] = CRYPTO_load_u64_be(in + 12 * 8);
+ ROUND_00_15(12, e, f, g, h, a, b, c, d);
+- T1 = X[13] = load_u64_be(in + 13 * 8);
++ T1 = X[13] = CRYPTO_load_u64_be(in + 13 * 8);
+ ROUND_00_15(13, d, e, f, g, h, a, b, c);
+- T1 = X[14] = load_u64_be(in + 14 * 8);
++ T1 = X[14] = CRYPTO_load_u64_be(in + 14 * 8);
+ ROUND_00_15(14, c, d, e, f, g, h, a, b);
+- T1 = X[15] = load_u64_be(in + 15 * 8);
++ T1 = X[15] = CRYPTO_load_u64_be(in + 15 * 8);
+ ROUND_00_15(15, b, c, d, e, f, g, h, a);
+
+ for (i = 16; i < 80; i += 16) {
+diff --git a/crypto/internal.h b/crypto/internal.h
+index 51d1d9c..14c60e0 100644
+--- a/crypto/internal.h
++++ b/crypto/internal.h
+@@ -819,6 +819,58 @@
+ return memset(dst, c, n);
+ }
+
++
++// Loads and stores.
++//
++// The following functions load and store sized integers with the specified
++// endianness. They use |memcpy|, and so avoid alignment or strict aliasing
++// requirements on the input and output pointers.
++
++static inline uint32_t CRYPTO_load_u32_le(const void *in) {
++ uint32_t v;
++ OPENSSL_memcpy(&v, in, sizeof(v));
++ return v;
++}
++
++static inline void CRYPTO_store_u32_le(void *out, uint32_t v) {
++ OPENSSL_memcpy(out, &v, sizeof(v));
++}
++
++static inline uint32_t CRYPTO_load_u32_be(const void *in) {
++ uint32_t v;
++ OPENSSL_memcpy(&v, in, sizeof(v));
++ return CRYPTO_bswap4(v);
++}
++
++static inline void CRYPTO_store_u32_be(void *out, uint32_t v) {
++ v = CRYPTO_bswap4(v);
++ OPENSSL_memcpy(out, &v, sizeof(v));
++}
++
++static inline uint64_t CRYPTO_load_u64_be(const void *ptr) {
++ uint64_t ret;
++ OPENSSL_memcpy(&ret, ptr, sizeof(ret));
++ return CRYPTO_bswap8(ret);
++}
++
++static inline void CRYPTO_store_u64_be(void *out, uint64_t v) {
++ v = CRYPTO_bswap8(v);
++ OPENSSL_memcpy(out, &v, sizeof(v));
++}
++
++static inline crypto_word_t CRYPTO_load_word_le(const void *in) {
++ crypto_word_t v;
++ OPENSSL_memcpy(&v, in, sizeof(v));
++ return v;
++}
++
++static inline void CRYPTO_store_word_le(void *out, crypto_word_t v) {
++ OPENSSL_memcpy(out, &v, sizeof(v));
++}
++
++
++// FIPS functions.
++
+ #if defined(BORINGSSL_FIPS)
+ // BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test
+ // fails. It prevents any further cryptographic operations by the current
+diff --git a/decrepit/ripemd/internal.h b/decrepit/ripemd/internal.h
+index 089be15..6be563d 100644
+--- a/decrepit/ripemd/internal.h
++++ b/decrepit/ripemd/internal.h
+@@ -59,6 +59,8 @@
+
+ #include <openssl/base.h>
+
++#include "../../crypto/internal.h"
++
+ #if defined(__cplusplus)
+ extern "C" {
+ #endif
+@@ -76,20 +78,20 @@
+ #define HASH_UPDATE RIPEMD160_Update
+ #define HASH_TRANSFORM RIPEMD160_Transform
+ #define HASH_FINAL RIPEMD160_Final
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- unsigned long ll; \
+- ll = (c)->h[0]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[1]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[2]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[3]; \
+- HOST_l2c(ll, (s)); \
+- ll = (c)->h[4]; \
+- HOST_l2c(ll, (s)); \
++#define HASH_MAKE_STRING(c, s) \
++ do { \
++ CRYPTO_store_u32_le((s), (c)->h[0]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[1]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[2]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[3]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[4]); \
++ (s) += 4; \
+ } while (0)
++
+ #define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order
+
+ #include "../../crypto/fipsmodule/digest/md32_common.h"
+diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c
+index 17b3fdf..f0c87cf 100644
+--- a/decrepit/ripemd/ripemd.c
++++ b/decrepit/ripemd/ripemd.c
+@@ -74,7 +74,7 @@
+ static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data,
+ size_t num) {
+ uint32_t A, B, C, D, E;
+- uint32_t a, b, c, d, e, l;
++ uint32_t a, b, c, d, e;
+ uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12,
+ XX13, XX14, XX15;
+ #define X(i) XX##i
+@@ -86,52 +86,52 @@
+ D = h[3];
+ E = h[4];
+
+- HOST_c2l(data, l);
+- X(0) = l;
+- HOST_c2l(data, l);
+- X(1) = l;
++ X(0) = CRYPTO_load_u32_le(data);
++ data += 4;
++ X(1) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(A, B, C, D, E, WL00, SL00);
+- HOST_c2l(data, l);
+- X(2) = l;
++ X(2) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(E, A, B, C, D, WL01, SL01);
+- HOST_c2l(data, l);
+- X(3) = l;
++ X(3) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(D, E, A, B, C, WL02, SL02);
+- HOST_c2l(data, l);
+- X(4) = l;
++ X(4) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(C, D, E, A, B, WL03, SL03);
+- HOST_c2l(data, l);
+- X(5) = l;
++ X(5) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(B, C, D, E, A, WL04, SL04);
+- HOST_c2l(data, l);
+- X(6) = l;
++ X(6) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(A, B, C, D, E, WL05, SL05);
+- HOST_c2l(data, l);
+- X(7) = l;
++ X(7) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(E, A, B, C, D, WL06, SL06);
+- HOST_c2l(data, l);
+- X(8) = l;
++ X(8) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(D, E, A, B, C, WL07, SL07);
+- HOST_c2l(data, l);
+- X(9) = l;
++ X(9) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(C, D, E, A, B, WL08, SL08);
+- HOST_c2l(data, l);
+- X(10) = l;
++ X(10) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(B, C, D, E, A, WL09, SL09);
+- HOST_c2l(data, l);
+- X(11) = l;
++ X(11) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(A, B, C, D, E, WL10, SL10);
+- HOST_c2l(data, l);
+- X(12) = l;
++ X(12) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(E, A, B, C, D, WL11, SL11);
+- HOST_c2l(data, l);
+- X(13) = l;
++ X(13) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(D, E, A, B, C, WL12, SL12);
+- HOST_c2l(data, l);
+- X(14) = l;
++ X(14) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(C, D, E, A, B, WL13, SL13);
+- HOST_c2l(data, l);
+- X(15) = l;
++ X(15) = CRYPTO_load_u32_le(data);
++ data += 4;
+ RIP1(B, C, D, E, A, WL14, SL14);
+ RIP1(A, B, C, D, E, WL15, SL15);
+
+From 15e0f6784bb986d44a170f131c6687a54822bedf Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Mon, 29 Mar 2021 14:16:58 -0400
+Subject: [PATCH] Fold ripemd/internal.h into ripemd.c.
+
+It's only used from that file and, given the names defined by it,
+probably isn't usable by other files anyway.
+
+Change-Id: Ice205408962ade00c1dcb51406da3ef2fd7f0393
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46426
+Reviewed-by: Adam Langley <agl at google.com>
+---
+
+diff --git a/decrepit/ripemd/internal.h b/decrepit/ripemd/internal.h
+deleted file mode 100644
+index 6be563d..0000000
+--- a/decrepit/ripemd/internal.h
++++ /dev/null
+@@ -1,496 +0,0 @@
+-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
+- * All rights reserved.
+- *
+- * This package is an SSL implementation written
+- * by Eric Young (eay at cryptsoft.com).
+- * The implementation was written so as to conform with Netscapes SSL.
+- *
+- * This library is free for commercial and non-commercial use as long as
+- * the following conditions are aheared to. The following conditions
+- * apply to all code found in this distribution, be it the RC4, RSA,
+- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+- * included with this distribution is covered by the same copyright terms
+- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
+- *
+- * Copyright remains Eric Young's, and as such any Copyright notices in
+- * the code are not to be removed.
+- * If this package is used in a product, Eric Young should be given attribution
+- * as the author of the parts of the library used.
+- * This can be in the form of a textual message at program startup or
+- * in documentation (online or textual) provided with the package.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- * 1. Redistributions of source code must retain the copyright
+- * notice, this list of conditions and the following disclaimer.
+- * 2. Redistributions in binary form must reproduce the above copyright
+- * notice, this list of conditions and the following disclaimer in the
+- * documentation and/or other materials provided with the distribution.
+- * 3. All advertising materials mentioning features or use of this software
+- * must display the following acknowledgement:
+- * "This product includes cryptographic software written by
+- * Eric Young (eay at cryptsoft.com)"
+- * The word 'cryptographic' can be left out if the rouines from the library
+- * being used are not cryptographic related :-).
+- * 4. If you include any Windows specific code (or a derivative thereof) from
+- * the apps directory (application code) you must include an acknowledgement:
+- * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
+- *
+- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+- * SUCH DAMAGE.
+- *
+- * The licence and distribution terms for any publically available version or
+- * derivative of this code cannot be changed. i.e. this code cannot simply be
+- * copied and put under another distribution licence
+- * [including the GNU Public Licence.] */
+-
+-#ifndef OPENSSL_HEADER_RIPEMD_INTERNAL_H
+-#define OPENSSL_HEADER_RIPEMD_INTERNAL_H
+-
+-#include <openssl/base.h>
+-
+-#include "../../crypto/internal.h"
+-
+-#if defined(__cplusplus)
+-extern "C" {
+-#endif
+-
+-
+-static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data,
+- size_t num);
+-
+-#define DATA_ORDER_IS_LITTLE_ENDIAN
+-
+-#define HASH_LONG uint32_t
+-#define HASH_CTX RIPEMD160_CTX
+-#define HASH_CBLOCK RIPEMD160_CBLOCK
+-#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH
+-#define HASH_UPDATE RIPEMD160_Update
+-#define HASH_TRANSFORM RIPEMD160_Transform
+-#define HASH_FINAL RIPEMD160_Final
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- CRYPTO_store_u32_le((s), (c)->h[0]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[1]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[2]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[3]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[4]); \
+- (s) += 4; \
+- } while (0)
+-
+-#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order
+-
+-#include "../../crypto/fipsmodule/digest/md32_common.h"
+-
+-// Transformed F2 and F4 are courtesy of Wei Dai <weidai at eskimo.com>
+-#define F1(x, y, z) ((x) ^ (y) ^ (z))
+-#define F2(x, y, z) ((((y) ^ (z)) & (x)) ^ (z))
+-#define F3(x, y, z) (((~(y)) | (x)) ^ (z))
+-#define F4(x, y, z) ((((x) ^ (y)) & (z)) ^ (y))
+-#define F5(x, y, z) (((~(z)) | (y)) ^ (x))
+-
+-#define RIPEMD160_A 0x67452301L
+-#define RIPEMD160_B 0xEFCDAB89L
+-#define RIPEMD160_C 0x98BADCFEL
+-#define RIPEMD160_D 0x10325476L
+-#define RIPEMD160_E 0xC3D2E1F0L
+-
+-#define ROTATE(a, n) (((a) << (n)) | (((a)&0xffffffff) >> (32 - (n))))
+-
+-#define RIP1(a, b, c, d, e, w, s) \
+- { \
+- a += F1(b, c, d) + X(w); \
+- a = ROTATE(a, s) + e; \
+- c = ROTATE(c, 10); \
+- }
+-
+-#define RIP2(a, b, c, d, e, w, s, K) \
+- { \
+- a += F2(b, c, d) + X(w) + K; \
+- a = ROTATE(a, s) + e; \
+- c = ROTATE(c, 10); \
+- }
+-
+-#define RIP3(a, b, c, d, e, w, s, K) \
+- { \
+- a += F3(b, c, d) + X(w) + K; \
+- a = ROTATE(a, s) + e; \
+- c = ROTATE(c, 10); \
+- }
+-
+-#define RIP4(a, b, c, d, e, w, s, K) \
+- { \
+- a += F4(b, c, d) + X(w) + K; \
+- a = ROTATE(a, s) + e; \
+- c = ROTATE(c, 10); \
+- }
+-
+-#define RIP5(a, b, c, d, e, w, s, K) \
+- { \
+- a += F5(b, c, d) + X(w) + K; \
+- a = ROTATE(a, s) + e; \
+- c = ROTATE(c, 10); \
+- }
+-
+-#define KL0 0x00000000L
+-#define KL1 0x5A827999L
+-#define KL2 0x6ED9EBA1L
+-#define KL3 0x8F1BBCDCL
+-#define KL4 0xA953FD4EL
+-
+-#define KR0 0x50A28BE6L
+-#define KR1 0x5C4DD124L
+-#define KR2 0x6D703EF3L
+-#define KR3 0x7A6D76E9L
+-#define KR4 0x00000000L
+-
+-#define WL00 0
+-#define SL00 11
+-#define WL01 1
+-#define SL01 14
+-#define WL02 2
+-#define SL02 15
+-#define WL03 3
+-#define SL03 12
+-#define WL04 4
+-#define SL04 5
+-#define WL05 5
+-#define SL05 8
+-#define WL06 6
+-#define SL06 7
+-#define WL07 7
+-#define SL07 9
+-#define WL08 8
+-#define SL08 11
+-#define WL09 9
+-#define SL09 13
+-#define WL10 10
+-#define SL10 14
+-#define WL11 11
+-#define SL11 15
+-#define WL12 12
+-#define SL12 6
+-#define WL13 13
+-#define SL13 7
+-#define WL14 14
+-#define SL14 9
+-#define WL15 15
+-#define SL15 8
+-
+-#define WL16 7
+-#define SL16 7
+-#define WL17 4
+-#define SL17 6
+-#define WL18 13
+-#define SL18 8
+-#define WL19 1
+-#define SL19 13
+-#define WL20 10
+-#define SL20 11
+-#define WL21 6
+-#define SL21 9
+-#define WL22 15
+-#define SL22 7
+-#define WL23 3
+-#define SL23 15
+-#define WL24 12
+-#define SL24 7
+-#define WL25 0
+-#define SL25 12
+-#define WL26 9
+-#define SL26 15
+-#define WL27 5
+-#define SL27 9
+-#define WL28 2
+-#define SL28 11
+-#define WL29 14
+-#define SL29 7
+-#define WL30 11
+-#define SL30 13
+-#define WL31 8
+-#define SL31 12
+-
+-#define WL32 3
+-#define SL32 11
+-#define WL33 10
+-#define SL33 13
+-#define WL34 14
+-#define SL34 6
+-#define WL35 4
+-#define SL35 7
+-#define WL36 9
+-#define SL36 14
+-#define WL37 15
+-#define SL37 9
+-#define WL38 8
+-#define SL38 13
+-#define WL39 1
+-#define SL39 15
+-#define WL40 2
+-#define SL40 14
+-#define WL41 7
+-#define SL41 8
+-#define WL42 0
+-#define SL42 13
+-#define WL43 6
+-#define SL43 6
+-#define WL44 13
+-#define SL44 5
+-#define WL45 11
+-#define SL45 12
+-#define WL46 5
+-#define SL46 7
+-#define WL47 12
+-#define SL47 5
+-
+-#define WL48 1
+-#define SL48 11
+-#define WL49 9
+-#define SL49 12
+-#define WL50 11
+-#define SL50 14
+-#define WL51 10
+-#define SL51 15
+-#define WL52 0
+-#define SL52 14
+-#define WL53 8
+-#define SL53 15
+-#define WL54 12
+-#define SL54 9
+-#define WL55 4
+-#define SL55 8
+-#define WL56 13
+-#define SL56 9
+-#define WL57 3
+-#define SL57 14
+-#define WL58 7
+-#define SL58 5
+-#define WL59 15
+-#define SL59 6
+-#define WL60 14
+-#define SL60 8
+-#define WL61 5
+-#define SL61 6
+-#define WL62 6
+-#define SL62 5
+-#define WL63 2
+-#define SL63 12
+-
+-#define WL64 4
+-#define SL64 9
+-#define WL65 0
+-#define SL65 15
+-#define WL66 5
+-#define SL66 5
+-#define WL67 9
+-#define SL67 11
+-#define WL68 7
+-#define SL68 6
+-#define WL69 12
+-#define SL69 8
+-#define WL70 2
+-#define SL70 13
+-#define WL71 10
+-#define SL71 12
+-#define WL72 14
+-#define SL72 5
+-#define WL73 1
+-#define SL73 12
+-#define WL74 3
+-#define SL74 13
+-#define WL75 8
+-#define SL75 14
+-#define WL76 11
+-#define SL76 11
+-#define WL77 6
+-#define SL77 8
+-#define WL78 15
+-#define SL78 5
+-#define WL79 13
+-#define SL79 6
+-
+-#define WR00 5
+-#define SR00 8
+-#define WR01 14
+-#define SR01 9
+-#define WR02 7
+-#define SR02 9
+-#define WR03 0
+-#define SR03 11
+-#define WR04 9
+-#define SR04 13
+-#define WR05 2
+-#define SR05 15
+-#define WR06 11
+-#define SR06 15
+-#define WR07 4
+-#define SR07 5
+-#define WR08 13
+-#define SR08 7
+-#define WR09 6
+-#define SR09 7
+-#define WR10 15
+-#define SR10 8
+-#define WR11 8
+-#define SR11 11
+-#define WR12 1
+-#define SR12 14
+-#define WR13 10
+-#define SR13 14
+-#define WR14 3
+-#define SR14 12
+-#define WR15 12
+-#define SR15 6
+-
+-#define WR16 6
+-#define SR16 9
+-#define WR17 11
+-#define SR17 13
+-#define WR18 3
+-#define SR18 15
+-#define WR19 7
+-#define SR19 7
+-#define WR20 0
+-#define SR20 12
+-#define WR21 13
+-#define SR21 8
+-#define WR22 5
+-#define SR22 9
+-#define WR23 10
+-#define SR23 11
+-#define WR24 14
+-#define SR24 7
+-#define WR25 15
+-#define SR25 7
+-#define WR26 8
+-#define SR26 12
+-#define WR27 12
+-#define SR27 7
+-#define WR28 4
+-#define SR28 6
+-#define WR29 9
+-#define SR29 15
+-#define WR30 1
+-#define SR30 13
+-#define WR31 2
+-#define SR31 11
+-
+-#define WR32 15
+-#define SR32 9
+-#define WR33 5
+-#define SR33 7
+-#define WR34 1
+-#define SR34 15
+-#define WR35 3
+-#define SR35 11
+-#define WR36 7
+-#define SR36 8
+-#define WR37 14
+-#define SR37 6
+-#define WR38 6
+-#define SR38 6
+-#define WR39 9
+-#define SR39 14
+-#define WR40 11
+-#define SR40 12
+-#define WR41 8
+-#define SR41 13
+-#define WR42 12
+-#define SR42 5
+-#define WR43 2
+-#define SR43 14
+-#define WR44 10
+-#define SR44 13
+-#define WR45 0
+-#define SR45 13
+-#define WR46 4
+-#define SR46 7
+-#define WR47 13
+-#define SR47 5
+-
+-#define WR48 8
+-#define SR48 15
+-#define WR49 6
+-#define SR49 5
+-#define WR50 4
+-#define SR50 8
+-#define WR51 1
+-#define SR51 11
+-#define WR52 3
+-#define SR52 14
+-#define WR53 11
+-#define SR53 14
+-#define WR54 15
+-#define SR54 6
+-#define WR55 0
+-#define SR55 14
+-#define WR56 5
+-#define SR56 6
+-#define WR57 12
+-#define SR57 9
+-#define WR58 2
+-#define SR58 12
+-#define WR59 13
+-#define SR59 9
+-#define WR60 9
+-#define SR60 12
+-#define WR61 7
+-#define SR61 5
+-#define WR62 10
+-#define SR62 15
+-#define WR63 14
+-#define SR63 8
+-
+-#define WR64 12
+-#define SR64 8
+-#define WR65 15
+-#define SR65 5
+-#define WR66 10
+-#define SR66 12
+-#define WR67 4
+-#define SR67 9
+-#define WR68 1
+-#define SR68 12
+-#define WR69 5
+-#define SR69 5
+-#define WR70 8
+-#define SR70 14
+-#define WR71 7
+-#define SR71 6
+-#define WR72 6
+-#define SR72 8
+-#define WR73 2
+-#define SR73 13
+-#define WR74 13
+-#define SR74 6
+-#define WR75 14
+-#define SR75 5
+-#define WR76 0
+-#define SR76 15
+-#define WR77 3
+-#define SR77 13
+-#define WR78 9
+-#define SR78 11
+-#define WR79 11
+-#define SR79 11
+-
+-
+-#if defined(__cplusplus)
+-} // extern C
+-#endif
+-
+-#endif // OPENSSL_HEADER_RIPEMD_INTERNAL_H
+diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c
+index f0c87cf..50329c7 100644
+--- a/decrepit/ripemd/ripemd.c
++++ b/decrepit/ripemd/ripemd.c
+@@ -58,9 +58,15 @@
+
+ #include <string.h>
+
+-#include "internal.h"
++#include "../../crypto/internal.h"
+
+
++#define RIPEMD160_A 0x67452301L
++#define RIPEMD160_B 0xEFCDAB89L
++#define RIPEMD160_C 0x98BADCFEL
++#define RIPEMD160_D 0x10325476L
++#define RIPEMD160_E 0xC3D2E1F0L
++
+ int RIPEMD160_Init(RIPEMD160_CTX *ctx) {
+ OPENSSL_memset(ctx, 0, sizeof(*ctx));
+ ctx->h[0] = RIPEMD160_A;
+@@ -72,6 +78,422 @@
+ }
+
+ static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data,
++ size_t num);
++
++#define DATA_ORDER_IS_LITTLE_ENDIAN
++
++#define HASH_LONG uint32_t
++#define HASH_CTX RIPEMD160_CTX
++#define HASH_CBLOCK RIPEMD160_CBLOCK
++#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH
++#define HASH_UPDATE RIPEMD160_Update
++#define HASH_TRANSFORM RIPEMD160_Transform
++#define HASH_FINAL RIPEMD160_Final
++#define HASH_MAKE_STRING(c, s) \
++ do { \
++ CRYPTO_store_u32_le((s), (c)->h[0]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[1]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[2]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[3]); \
++ (s) += 4; \
++ CRYPTO_store_u32_le((s), (c)->h[4]); \
++ (s) += 4; \
++ } while (0)
++
++#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order
++
++#include "../../crypto/fipsmodule/digest/md32_common.h"
++
++// Transformed F2 and F4 are courtesy of Wei Dai <weidai at eskimo.com>
++#define F1(x, y, z) ((x) ^ (y) ^ (z))
++#define F2(x, y, z) ((((y) ^ (z)) & (x)) ^ (z))
++#define F3(x, y, z) (((~(y)) | (x)) ^ (z))
++#define F4(x, y, z) ((((x) ^ (y)) & (z)) ^ (y))
++#define F5(x, y, z) (((~(z)) | (y)) ^ (x))
++
++#define ROTATE(a, n) (((a) << (n)) | (((a)&0xffffffff) >> (32 - (n))))
++
++#define RIP1(a, b, c, d, e, w, s) \
++ { \
++ a += F1(b, c, d) + X(w); \
++ a = ROTATE(a, s) + e; \
++ c = ROTATE(c, 10); \
++ }
++
++#define RIP2(a, b, c, d, e, w, s, K) \
++ { \
++ a += F2(b, c, d) + X(w) + K; \
++ a = ROTATE(a, s) + e; \
++ c = ROTATE(c, 10); \
++ }
++
++#define RIP3(a, b, c, d, e, w, s, K) \
++ { \
++ a += F3(b, c, d) + X(w) + K; \
++ a = ROTATE(a, s) + e; \
++ c = ROTATE(c, 10); \
++ }
++
++#define RIP4(a, b, c, d, e, w, s, K) \
++ { \
++ a += F4(b, c, d) + X(w) + K; \
++ a = ROTATE(a, s) + e; \
++ c = ROTATE(c, 10); \
++ }
++
++#define RIP5(a, b, c, d, e, w, s, K) \
++ { \
++ a += F5(b, c, d) + X(w) + K; \
++ a = ROTATE(a, s) + e; \
++ c = ROTATE(c, 10); \
++ }
++
++#define KL0 0x00000000L
++#define KL1 0x5A827999L
++#define KL2 0x6ED9EBA1L
++#define KL3 0x8F1BBCDCL
++#define KL4 0xA953FD4EL
++
++#define KR0 0x50A28BE6L
++#define KR1 0x5C4DD124L
++#define KR2 0x6D703EF3L
++#define KR3 0x7A6D76E9L
++#define KR4 0x00000000L
++
++#define WL00 0
++#define SL00 11
++#define WL01 1
++#define SL01 14
++#define WL02 2
++#define SL02 15
++#define WL03 3
++#define SL03 12
++#define WL04 4
++#define SL04 5
++#define WL05 5
++#define SL05 8
++#define WL06 6
++#define SL06 7
++#define WL07 7
++#define SL07 9
++#define WL08 8
++#define SL08 11
++#define WL09 9
++#define SL09 13
++#define WL10 10
++#define SL10 14
++#define WL11 11
++#define SL11 15
++#define WL12 12
++#define SL12 6
++#define WL13 13
++#define SL13 7
++#define WL14 14
++#define SL14 9
++#define WL15 15
++#define SL15 8
++
++#define WL16 7
++#define SL16 7
++#define WL17 4
++#define SL17 6
++#define WL18 13
++#define SL18 8
++#define WL19 1
++#define SL19 13
++#define WL20 10
++#define SL20 11
++#define WL21 6
++#define SL21 9
++#define WL22 15
++#define SL22 7
++#define WL23 3
++#define SL23 15
++#define WL24 12
++#define SL24 7
++#define WL25 0
++#define SL25 12
++#define WL26 9
++#define SL26 15
++#define WL27 5
++#define SL27 9
++#define WL28 2
++#define SL28 11
++#define WL29 14
++#define SL29 7
++#define WL30 11
++#define SL30 13
++#define WL31 8
++#define SL31 12
++
++#define WL32 3
++#define SL32 11
++#define WL33 10
++#define SL33 13
++#define WL34 14
++#define SL34 6
++#define WL35 4
++#define SL35 7
++#define WL36 9
++#define SL36 14
++#define WL37 15
++#define SL37 9
++#define WL38 8
++#define SL38 13
++#define WL39 1
++#define SL39 15
++#define WL40 2
++#define SL40 14
++#define WL41 7
++#define SL41 8
++#define WL42 0
++#define SL42 13
++#define WL43 6
++#define SL43 6
++#define WL44 13
++#define SL44 5
++#define WL45 11
++#define SL45 12
++#define WL46 5
++#define SL46 7
++#define WL47 12
++#define SL47 5
++
++#define WL48 1
++#define SL48 11
++#define WL49 9
++#define SL49 12
++#define WL50 11
++#define SL50 14
++#define WL51 10
++#define SL51 15
++#define WL52 0
++#define SL52 14
++#define WL53 8
++#define SL53 15
++#define WL54 12
++#define SL54 9
++#define WL55 4
++#define SL55 8
++#define WL56 13
++#define SL56 9
++#define WL57 3
++#define SL57 14
++#define WL58 7
++#define SL58 5
++#define WL59 15
++#define SL59 6
++#define WL60 14
++#define SL60 8
++#define WL61 5
++#define SL61 6
++#define WL62 6
++#define SL62 5
++#define WL63 2
++#define SL63 12
++
++#define WL64 4
++#define SL64 9
++#define WL65 0
++#define SL65 15
++#define WL66 5
++#define SL66 5
++#define WL67 9
++#define SL67 11
++#define WL68 7
++#define SL68 6
++#define WL69 12
++#define SL69 8
++#define WL70 2
++#define SL70 13
++#define WL71 10
++#define SL71 12
++#define WL72 14
++#define SL72 5
++#define WL73 1
++#define SL73 12
++#define WL74 3
++#define SL74 13
++#define WL75 8
++#define SL75 14
++#define WL76 11
++#define SL76 11
++#define WL77 6
++#define SL77 8
++#define WL78 15
++#define SL78 5
++#define WL79 13
++#define SL79 6
++
++#define WR00 5
++#define SR00 8
++#define WR01 14
++#define SR01 9
++#define WR02 7
++#define SR02 9
++#define WR03 0
++#define SR03 11
++#define WR04 9
++#define SR04 13
++#define WR05 2
++#define SR05 15
++#define WR06 11
++#define SR06 15
++#define WR07 4
++#define SR07 5
++#define WR08 13
++#define SR08 7
++#define WR09 6
++#define SR09 7
++#define WR10 15
++#define SR10 8
++#define WR11 8
++#define SR11 11
++#define WR12 1
++#define SR12 14
++#define WR13 10
++#define SR13 14
++#define WR14 3
++#define SR14 12
++#define WR15 12
++#define SR15 6
++
++#define WR16 6
++#define SR16 9
++#define WR17 11
++#define SR17 13
++#define WR18 3
++#define SR18 15
++#define WR19 7
++#define SR19 7
++#define WR20 0
++#define SR20 12
++#define WR21 13
++#define SR21 8
++#define WR22 5
++#define SR22 9
++#define WR23 10
++#define SR23 11
++#define WR24 14
++#define SR24 7
++#define WR25 15
++#define SR25 7
++#define WR26 8
++#define SR26 12
++#define WR27 12
++#define SR27 7
++#define WR28 4
++#define SR28 6
++#define WR29 9
++#define SR29 15
++#define WR30 1
++#define SR30 13
++#define WR31 2
++#define SR31 11
++
++#define WR32 15
++#define SR32 9
++#define WR33 5
++#define SR33 7
++#define WR34 1
++#define SR34 15
++#define WR35 3
++#define SR35 11
++#define WR36 7
++#define SR36 8
++#define WR37 14
++#define SR37 6
++#define WR38 6
++#define SR38 6
++#define WR39 9
++#define SR39 14
++#define WR40 11
++#define SR40 12
++#define WR41 8
++#define SR41 13
++#define WR42 12
++#define SR42 5
++#define WR43 2
++#define SR43 14
++#define WR44 10
++#define SR44 13
++#define WR45 0
++#define SR45 13
++#define WR46 4
++#define SR46 7
++#define WR47 13
++#define SR47 5
++
++#define WR48 8
++#define SR48 15
++#define WR49 6
++#define SR49 5
++#define WR50 4
++#define SR50 8
++#define WR51 1
++#define SR51 11
++#define WR52 3
++#define SR52 14
++#define WR53 11
++#define SR53 14
++#define WR54 15
++#define SR54 6
++#define WR55 0
++#define SR55 14
++#define WR56 5
++#define SR56 6
++#define WR57 12
++#define SR57 9
++#define WR58 2
++#define SR58 12
++#define WR59 13
++#define SR59 9
++#define WR60 9
++#define SR60 12
++#define WR61 7
++#define SR61 5
++#define WR62 10
++#define SR62 15
++#define WR63 14
++#define SR63 8
++
++#define WR64 12
++#define SR64 8
++#define WR65 15
++#define SR65 5
++#define WR66 10
++#define SR66 12
++#define WR67 4
++#define SR67 9
++#define WR68 1
++#define SR68 12
++#define WR69 5
++#define SR69 5
++#define WR70 8
++#define SR70 14
++#define WR71 7
++#define SR71 6
++#define WR72 6
++#define SR72 8
++#define WR73 2
++#define SR73 13
++#define WR74 13
++#define SR74 6
++#define WR75 14
++#define SR75 5
++#define WR76 0
++#define SR76 15
++#define WR77 3
++#define SR77 13
++#define WR78 9
++#define SR78 11
++#define WR79 11
++#define SR79 11
++
++static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data,
+ size_t num) {
+ uint32_t A, B, C, D, E;
+ uint32_t a, b, c, d, e;
+From 4320bc47617a66d4219e66e2420311dbfb6c3cb0 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Mon, 29 Mar 2021 14:26:07 -0400
+Subject: [PATCH] Pull HASH_TRANSFORM out of md32_common.h.
+
+The macro isn't doing any work here.
+
+Change-Id: Id97dfa4b027407c5e4b3e7eb1586c3c2a2d977d8
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47806
+Commit-Queue: David Benjamin <davidben at google.com>
+Reviewed-by: Adam Langley <agl at google.com>
+---
+
+diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h
+index a0634d1..8a14108 100644
+--- a/crypto/fipsmodule/digest/md32_common.h
++++ b/crypto/fipsmodule/digest/md32_common.h
+@@ -86,9 +86,6 @@
+ // |HASH_UPDATE| must be defined as the name of the "Update" function to
+ // generate.
+ //
+-// |HASH_TRANSFORM| must be defined as the the name of the "Transform"
+-// function to generate.
+-//
+ // |HASH_FINAL| must be defined as the name of "Final" function to generate.
+ //
+ // |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function.
+@@ -121,9 +118,6 @@
+ #ifndef HASH_UPDATE
+ #error "HASH_UPDATE must be defined!"
+ #endif
+-#ifndef HASH_TRANSFORM
+-#error "HASH_TRANSFORM must be defined!"
+-#endif
+ #ifndef HASH_FINAL
+ #error "HASH_FINAL must be defined!"
+ #endif
+@@ -185,11 +179,6 @@
+ }
+
+
+-void HASH_TRANSFORM(HASH_CTX *c, const uint8_t data[HASH_CBLOCK]) {
+- HASH_BLOCK_DATA_ORDER(c->h, data, 1);
+-}
+-
+-
+ int HASH_FINAL(uint8_t out[HASH_DIGEST_LENGTH], HASH_CTX *c) {
+ // |c->data| always has room for at least one byte. A full block would have
+ // been consumed.
+diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c
+index 0551664..9d229bf 100644
+--- a/crypto/fipsmodule/md4/md4.c
++++ b/crypto/fipsmodule/md4/md4.c
+@@ -84,13 +84,16 @@
+
+ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num);
+
++void MD4_Transform(MD4_CTX *c, const uint8_t data[MD4_CBLOCK]) {
++ md4_block_data_order(c->h, data, 1);
++}
++
+ #define DATA_ORDER_IS_LITTLE_ENDIAN
+
+ #define HASH_CTX MD4_CTX
+ #define HASH_CBLOCK 64
+ #define HASH_DIGEST_LENGTH 16
+ #define HASH_UPDATE MD4_Update
+-#define HASH_TRANSFORM MD4_Transform
+ #define HASH_FINAL MD4_Final
+ #define HASH_MAKE_STRING(c, s) \
+ do { \
+@@ -240,7 +243,6 @@
+ #undef HASH_CBLOCK
+ #undef HASH_DIGEST_LENGTH
+ #undef HASH_UPDATE
+-#undef HASH_TRANSFORM
+ #undef HASH_FINAL
+ #undef HASH_MAKE_STRING
+ #undef HASH_BLOCK_DATA_ORDER
+diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c
+index bd6bf6a..e454a84 100644
+--- a/crypto/fipsmodule/md5/md5.c
++++ b/crypto/fipsmodule/md5/md5.c
+@@ -89,6 +89,9 @@
+ size_t num);
+ #endif
+
++void MD5_Transform(MD5_CTX *c, const uint8_t data[MD5_CBLOCK]) {
++ md5_block_data_order(c->h, data, 1);
++}
+
+ #define DATA_ORDER_IS_LITTLE_ENDIAN
+
+@@ -96,7 +99,6 @@
+ #define HASH_CBLOCK 64
+ #define HASH_DIGEST_LENGTH 16
+ #define HASH_UPDATE MD5_Update
+-#define HASH_TRANSFORM MD5_Transform
+ #define HASH_FINAL MD5_Final
+ #define HASH_MAKE_STRING(c, s) \
+ do { \
+@@ -283,7 +285,6 @@
+ #undef HASH_CBLOCK
+ #undef HASH_DIGEST_LENGTH
+ #undef HASH_UPDATE
+-#undef HASH_TRANSFORM
+ #undef HASH_FINAL
+ #undef HASH_MAKE_STRING
+ #undef HASH_BLOCK_DATA_ORDER
+diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c
+index 2f50c67..7149d11 100644
+--- a/crypto/fipsmodule/sha/sha1.c
++++ b/crypto/fipsmodule/sha/sha1.c
+@@ -83,6 +83,15 @@
+ return out;
+ }
+
++#if !defined(SHA1_ASM)
++static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
++ size_t num);
++#endif
++
++void SHA1_Transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) {
++ sha1_block_data_order(c->h, data, 1);
++}
++
+ #define DATA_ORDER_IS_BIG_ENDIAN
+
+ #define HASH_CTX SHA_CTX
+@@ -103,7 +112,6 @@
+ } while (0)
+
+ #define HASH_UPDATE SHA1_Update
+-#define HASH_TRANSFORM SHA1_Transform
+ #define HASH_FINAL SHA1_Final
+ #define HASH_BLOCK_DATA_ORDER sha1_block_data_order
+ #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
+@@ -113,11 +121,6 @@
+ (ix) = (a) = ROTATE((a), 1); \
+ } while (0)
+
+-#if !defined(SHA1_ASM)
+-static void sha1_block_data_order(uint32_t *state, const uint8_t *data,
+- size_t num);
+-#endif
+-
+ #include "../digest/md32_common.h"
+
+ #define K_00_19 0x5a827999UL
+@@ -346,7 +349,6 @@
+ #undef HASH_DIGEST_LENGTH
+ #undef HASH_MAKE_STRING
+ #undef HASH_UPDATE
+-#undef HASH_TRANSFORM
+ #undef HASH_FINAL
+ #undef HASH_BLOCK_DATA_ORDER
+ #undef ROTATE
+diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c
+index 390ee3a..ff961c8 100644
+--- a/crypto/fipsmodule/sha/sha256.c
++++ b/crypto/fipsmodule/sha/sha256.c
+@@ -122,6 +122,15 @@
+ return SHA256_Final(out, ctx);
+ }
+
++#ifndef SHA256_ASM
++static void sha256_block_data_order(uint32_t *state, const uint8_t *in,
++ size_t num);
++#endif
++
++void SHA256_Transform(SHA256_CTX *c, const uint8_t data[SHA256_CBLOCK]) {
++ sha256_block_data_order(c->h, data, 1);
++}
++
+ #define DATA_ORDER_IS_BIG_ENDIAN
+
+ #define HASH_CTX SHA256_CTX
+@@ -167,13 +176,8 @@
+
+
+ #define HASH_UPDATE SHA256_Update
+-#define HASH_TRANSFORM SHA256_Transform
+ #define HASH_FINAL SHA256_Final
+ #define HASH_BLOCK_DATA_ORDER sha256_block_data_order
+-#ifndef SHA256_ASM
+-static void sha256_block_data_order(uint32_t *state, const uint8_t *in,
+- size_t num);
+-#endif
+
+ #include "../digest/md32_common.h"
+
+@@ -324,7 +328,6 @@
+ #undef HASH_DIGEST_LENGTH
+ #undef HASH_MAKE_STRING
+ #undef HASH_UPDATE
+-#undef HASH_TRANSFORM
+ #undef HASH_FINAL
+ #undef HASH_BLOCK_DATA_ORDER
+ #undef ROTATE
+diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c
+index 50329c7..ac6bd83 100644
+--- a/decrepit/ripemd/ripemd.c
++++ b/decrepit/ripemd/ripemd.c
+@@ -80,6 +80,11 @@
+ static void ripemd160_block_data_order(uint32_t h[5], const uint8_t *data,
+ size_t num);
+
++void RIPEMD160_Transform(RIPEMD160_CTX *c,
++ const uint8_t data[RIPEMD160_CBLOCK]) {
++ ripemd160_block_data_order(c->h, data, 1);
++}
++
+ #define DATA_ORDER_IS_LITTLE_ENDIAN
+
+ #define HASH_LONG uint32_t
+@@ -87,7 +92,6 @@
+ #define HASH_CBLOCK RIPEMD160_CBLOCK
+ #define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH
+ #define HASH_UPDATE RIPEMD160_Update
+-#define HASH_TRANSFORM RIPEMD160_Transform
+ #define HASH_FINAL RIPEMD160_Final
+ #define HASH_MAKE_STRING(c, s) \
+ do { \
+From 597ffef971dd980b7de5e97a0c9b7ca26eec94bc Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Mon, 29 Mar 2021 14:45:13 -0400
+Subject: [PATCH] Make md32_common.h single-included and use an unsized helper for SHA-256.
+
+Similar to
+https://boringssl-review.googlesource.com/c/boringssl/+/46405,
+SHA256_Final and SHA224_Final hit array size warnings in the new GCC.
+The array sizes are, strictly speaking, purely decoration, but this is a
+good warning so we should be clean with it on.
+
+That same change is difficult to apply to md32_common.h because
+md32_common.h generates the functions for us. md32_common.h is already
+strange in that it is multiply-included and changes behavior based on
+macros defined by the caller.
+
+Instead, replace it with inline functions, which are a bit more
+conventional and typesafe. This allows each hash function to define the
+function prototype. Use this to add an unsized helper for SHA-256.
+
+Bug: 402
+Change-Id: I61bc30fb58c54dd40a55c9b1ebf3fb9adde5e038
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47807
+Reviewed-by: Adam Langley <agl at google.com>
+Reviewed-by: Peter Foley <pefoley at google.com>
+Commit-Queue: David Benjamin <davidben at google.com>
+---
+
+diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h
+index 8a14108..129ec48 100644
+--- a/crypto/fipsmodule/digest/md32_common.h
++++ b/crypto/fipsmodule/digest/md32_common.h
+@@ -46,6 +46,9 @@
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ==================================================================== */
+
++#ifndef OPENSSL_HEADER_DIGEST_MD32_COMMON_H
++#define OPENSSL_HEADER_DIGEST_MD32_COMMON_H
++
+ #include <openssl/base.h>
+
+ #include <assert.h>
+@@ -59,22 +62,15 @@
+
+ // This is a generic 32-bit "collector" for message digest algorithms. It
+ // collects input character stream into chunks of 32-bit values and invokes the
+-// block function that performs the actual hash calculations. To make use of
+-// this mechanism, the following macros must be defined before including
+-// md32_common.h.
++// block function that performs the actual hash calculations.
+ //
+-// One of |DATA_ORDER_IS_BIG_ENDIAN| or |DATA_ORDER_IS_LITTLE_ENDIAN| must be
+-// defined to specify the byte order of the input stream.
+-//
+-// |HASH_CBLOCK| must be defined as the integer block size, in bytes.
+-//
+-// |HASH_CTX| must be defined as the name of the context structure, which must
+-// have at least the following members:
++// To make use of this mechanism, the hash context should be defined with the
++// following parameters.
+ //
+ // typedef struct <name>_state_st {
+ // uint32_t h[<chaining length> / sizeof(uint32_t)];
+ // uint32_t Nl, Nh;
+-// uint8_t data[HASH_CBLOCK];
++// uint8_t data[<block size>];
+ // unsigned num;
+ // ...
+ // } <NAME>_CTX;
+@@ -83,136 +79,117 @@
+ // any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and
+ // SHA-512).
+ //
+-// |HASH_UPDATE| must be defined as the name of the "Update" function to
+-// generate.
+-//
+-// |HASH_FINAL| must be defined as the name of "Final" function to generate.
+-//
+-// |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function.
+-// That function must be implemented manually. It must be capable of operating
+-// on *unaligned* input data in its original (data) byte order. It must have
+-// this signature:
+-//
+-// void HASH_BLOCK_DATA_ORDER(uint32_t *state, const uint8_t *data,
+-// size_t num);
+-//
+-// It must update the hash state |state| with |num| blocks of data from |data|,
+-// where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of
+-// |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|,
+-// and so will have |<chaining length> / sizeof(uint32_t)| elements.
+-//
+-// |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts
+-// the hash state |c->h| into the output byte order, storing the result in |s|.
++// |h| is the hash state and is updated by a function of type
++// |crypto_md32_block_func|. |data| is the partial unprocessed block and has
++// |num| bytes. |Nl| and |Nh| maintain the number of bits processed so far.
+
+-#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+-#error "DATA_ORDER must be defined!"
+-#endif
++// A crypto_md32_block_func should incorporate |num_blocks| of input from |data|
++// into |state|. It is assumed the caller has sized |state| and |data| for the
++// hash function.
++typedef void (*crypto_md32_block_func)(uint32_t *state, const uint8_t *data,
++ size_t num_blocks);
+
+-#ifndef HASH_CBLOCK
+-#error "HASH_CBLOCK must be defined!"
+-#endif
+-#ifndef HASH_CTX
+-#error "HASH_CTX must be defined!"
+-#endif
+-
+-#ifndef HASH_UPDATE
+-#error "HASH_UPDATE must be defined!"
+-#endif
+-#ifndef HASH_FINAL
+-#error "HASH_FINAL must be defined!"
+-#endif
+-
+-#ifndef HASH_BLOCK_DATA_ORDER
+-#error "HASH_BLOCK_DATA_ORDER must be defined!"
+-#endif
+-
+-#ifndef HASH_MAKE_STRING
+-#error "HASH_MAKE_STRING must be defined!"
+-#endif
+-
+-int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) {
+- const uint8_t *data = data_;
+-
++// crypto_md32_update adds |len| bytes from |in| to the digest. |data| must be a
++// buffer of length |block_size| with the first |*num| bytes containing a
++// partial block. This function combines the partial block with |in| and
++// incorporates any complete blocks into the digest state |h|. It then updates
++// |data| and |*num| with the new partial block and updates |*Nh| and |*Nl| with
++// the data consumed.
++static inline void crypto_md32_update(crypto_md32_block_func block_func,
++ uint32_t *h, uint8_t *data,
++ size_t block_size, unsigned *num,
++ uint32_t *Nh, uint32_t *Nl,
++ const uint8_t *in, size_t len) {
+ if (len == 0) {
+- return 1;
++ return;
+ }
+
+- uint32_t l = c->Nl + (((uint32_t)len) << 3);
+- if (l < c->Nl) {
++ uint32_t l = *Nl + (((uint32_t)len) << 3);
++ if (l < *Nl) {
+ // Handle carries.
+- c->Nh++;
++ (*Nh)++;
+ }
+- c->Nh += (uint32_t)(len >> 29);
+- c->Nl = l;
++ *Nh += (uint32_t)(len >> 29);
++ *Nl = l;
+
+- size_t n = c->num;
++ size_t n = *num;
+ if (n != 0) {
+- if (len >= HASH_CBLOCK || len + n >= HASH_CBLOCK) {
+- OPENSSL_memcpy(c->data + n, data, HASH_CBLOCK - n);
+- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1);
+- n = HASH_CBLOCK - n;
+- data += n;
++ if (len >= block_size || len + n >= block_size) {
++ OPENSSL_memcpy(data + n, in, block_size - n);
++ block_func(h, data, 1);
++ n = block_size - n;
++ in += n;
+ len -= n;
+- c->num = 0;
+- // Keep |c->data| zeroed when unused.
+- OPENSSL_memset(c->data, 0, HASH_CBLOCK);
++ *num = 0;
++ // Keep |data| zeroed when unused.
++ OPENSSL_memset(data, 0, block_size);
+ } else {
+- OPENSSL_memcpy(c->data + n, data, len);
+- c->num += (unsigned)len;
+- return 1;
++ OPENSSL_memcpy(data + n, in, len);
++ *num += (unsigned)len;
++ return;
+ }
+ }
+
+- n = len / HASH_CBLOCK;
++ n = len / block_size;
+ if (n > 0) {
+- HASH_BLOCK_DATA_ORDER(c->h, data, n);
+- n *= HASH_CBLOCK;
+- data += n;
++ block_func(h, in, n);
++ n *= block_size;
++ in += n;
+ len -= n;
+ }
+
+ if (len != 0) {
+- c->num = (unsigned)len;
+- OPENSSL_memcpy(c->data, data, len);
++ *num = (unsigned)len;
++ OPENSSL_memcpy(data, in, len);
+ }
+- return 1;
+ }
+
+-
+-int HASH_FINAL(uint8_t out[HASH_DIGEST_LENGTH], HASH_CTX *c) {
+- // |c->data| always has room for at least one byte. A full block would have
++// crypto_md32_final incorporates the partial block and trailing length into the
++// digest state |h|. The trailing length is encoded in little-endian if
++// |is_big_endian| is zero and big-endian otherwise. |data| must be a buffer of
++// length |block_size| with the first |*num| bytes containing a partial block.
++// |Nh| and |Nl| contain the total number of bits processed. On return, this
++// function clears the partial block in |data| and
++// |*num|.
++//
++// This function does not serialize |h| into a final digest. This is the
++// responsibility of the caller.
++static inline void crypto_md32_final(crypto_md32_block_func block_func,
++ uint32_t *h, uint8_t *data,
++ size_t block_size, unsigned *num,
++ uint32_t Nh, uint32_t Nl,
++ int is_big_endian) {
++ // |data| always has room for at least one byte. A full block would have
+ // been consumed.
+- size_t n = c->num;
+- assert(n < HASH_CBLOCK);
+- c->data[n] = 0x80;
++ size_t n = *num;
++ assert(n < block_size);
++ data[n] = 0x80;
+ n++;
+
+ // Fill the block with zeros if there isn't room for a 64-bit length.
+- if (n > (HASH_CBLOCK - 8)) {
+- OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - n);
++ if (n > block_size - 8) {
++ OPENSSL_memset(data + n, 0, block_size - n);
+ n = 0;
+- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1);
++ block_func(h, data, 1);
+ }
+- OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - 8 - n);
++ OPENSSL_memset(data + n, 0, block_size - 8 - n);
+
+ // Append a 64-bit length to the block and process it.
+- uint8_t *p = c->data + HASH_CBLOCK - 8;
+-#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+- CRYPTO_store_u32_be(p, c->Nh);
+- CRYPTO_store_u32_be(p + 4, c->Nl);
+-#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+- CRYPTO_store_u32_le(p, c->Nl);
+- CRYPTO_store_u32_le(p + 4, c->Nh);
+-#endif
+- HASH_BLOCK_DATA_ORDER(c->h, c->data, 1);
+- c->num = 0;
+- OPENSSL_memset(c->data, 0, HASH_CBLOCK);
+-
+- HASH_MAKE_STRING(c, out);
+- return 1;
++ if (is_big_endian) {
++ CRYPTO_store_u32_be(data + block_size - 8, Nh);
++ CRYPTO_store_u32_be(data + block_size - 4, Nl);
++ } else {
++ CRYPTO_store_u32_le(data + block_size - 8, Nl);
++ CRYPTO_store_u32_le(data + block_size - 4, Nh);
++ }
++ block_func(h, data, 1);
++ *num = 0;
++ OPENSSL_memset(data, 0, block_size);
+ }
+
+
+ #if defined(__cplusplus)
+ } // extern C
+ #endif
++
++#endif // OPENSSL_HEADER_DIGEST_MD32_COMMON_H
+diff --git a/crypto/fipsmodule/md4/md4.c b/crypto/fipsmodule/md4/md4.c
+index 9d229bf..8779402 100644
+--- a/crypto/fipsmodule/md4/md4.c
++++ b/crypto/fipsmodule/md4/md4.c
+@@ -60,6 +60,7 @@
+ #include <string.h>
+
+ #include "../../internal.h"
++#include "../digest/md32_common.h"
+
+
+ uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) {
+@@ -88,27 +89,22 @@
+ md4_block_data_order(c->h, data, 1);
+ }
+
+-#define DATA_ORDER_IS_LITTLE_ENDIAN
++int MD4_Update(MD4_CTX *c, const void *data, size_t len) {
++ crypto_md32_update(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num,
++ &c->Nh, &c->Nl, data, len);
++ return 1;
++}
+
+-#define HASH_CTX MD4_CTX
+-#define HASH_CBLOCK 64
+-#define HASH_DIGEST_LENGTH 16
+-#define HASH_UPDATE MD4_Update
+-#define HASH_FINAL MD4_Final
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- CRYPTO_store_u32_le((s), (c)->h[0]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[1]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[2]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[3]); \
+- (s) += 4; \
+- } while (0)
+-#define HASH_BLOCK_DATA_ORDER md4_block_data_order
++int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *c) {
++ crypto_md32_final(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num,
++ c->Nh, c->Nl, /*is_big_endian=*/0);
+
+-#include "../digest/md32_common.h"
++ CRYPTO_store_u32_le(out, c->h[0]);
++ CRYPTO_store_u32_le(out + 4, c->h[1]);
++ CRYPTO_store_u32_le(out + 8, c->h[2]);
++ CRYPTO_store_u32_le(out + 12, c->h[3]);
++ return 1;
++}
+
+ // As pointed out by Wei Dai <weidai at eskimo.com>, the above can be
+ // simplified to the code below. Wei attributes these optimizations
+@@ -238,14 +234,6 @@
+ }
+ }
+
+-#undef DATA_ORDER_IS_LITTLE_ENDIAN
+-#undef HASH_CTX
+-#undef HASH_CBLOCK
+-#undef HASH_DIGEST_LENGTH
+-#undef HASH_UPDATE
+-#undef HASH_FINAL
+-#undef HASH_MAKE_STRING
+-#undef HASH_BLOCK_DATA_ORDER
+ #undef F
+ #undef G
+ #undef H
+diff --git a/crypto/fipsmodule/md5/md5.c b/crypto/fipsmodule/md5/md5.c
+index e454a84..eba34bc 100644
+--- a/crypto/fipsmodule/md5/md5.c
++++ b/crypto/fipsmodule/md5/md5.c
+@@ -60,8 +60,9 @@
+
+ #include <openssl/mem.h>
+
+-#include "internal.h"
+ #include "../../internal.h"
++#include "../digest/md32_common.h"
++#include "internal.h"
+
+
+ uint8_t *MD5(const uint8_t *data, size_t len, uint8_t out[MD5_DIGEST_LENGTH]) {
+@@ -93,27 +94,22 @@
+ md5_block_data_order(c->h, data, 1);
+ }
+
+-#define DATA_ORDER_IS_LITTLE_ENDIAN
++int MD5_Update(MD5_CTX *c, const void *data, size_t len) {
++ crypto_md32_update(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num,
++ &c->Nh, &c->Nl, data, len);
++ return 1;
++}
+
+-#define HASH_CTX MD5_CTX
+-#define HASH_CBLOCK 64
+-#define HASH_DIGEST_LENGTH 16
+-#define HASH_UPDATE MD5_Update
+-#define HASH_FINAL MD5_Final
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- CRYPTO_store_u32_le((s), (c)->h[0]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[1]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[2]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[3]); \
+- (s) += 4; \
+- } while (0)
+-#define HASH_BLOCK_DATA_ORDER md5_block_data_order
++int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *c) {
++ crypto_md32_final(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num,
++ c->Nh, c->Nl, /*is_big_endian=*/0);
+
+-#include "../digest/md32_common.h"
++ CRYPTO_store_u32_le(out, c->h[0]);
++ CRYPTO_store_u32_le(out + 4, c->h[1]);
++ CRYPTO_store_u32_le(out + 8, c->h[2]);
++ CRYPTO_store_u32_le(out + 12, c->h[3]);
++ return 1;
++}
+
+ // As pointed out by Wei Dai <weidai at eskimo.com>, the above can be
+ // simplified to the code below. Wei attributes these optimizations
+@@ -280,14 +276,6 @@
+ #undef X
+ #endif
+
+-#undef DATA_ORDER_IS_LITTLE_ENDIAN
+-#undef HASH_CTX
+-#undef HASH_CBLOCK
+-#undef HASH_DIGEST_LENGTH
+-#undef HASH_UPDATE
+-#undef HASH_FINAL
+-#undef HASH_MAKE_STRING
+-#undef HASH_BLOCK_DATA_ORDER
+ #undef F
+ #undef G
+ #undef H
+diff --git a/crypto/fipsmodule/sha/sha1.c b/crypto/fipsmodule/sha/sha1.c
+index 7149d11..c629308 100644
+--- a/crypto/fipsmodule/sha/sha1.c
++++ b/crypto/fipsmodule/sha/sha1.c
+@@ -60,8 +60,9 @@
+
+ #include <openssl/mem.h>
+
+-#include "internal.h"
+ #include "../../internal.h"
++#include "../digest/md32_common.h"
++#include "internal.h"
+
+
+ int SHA1_Init(SHA_CTX *sha) {
+@@ -92,28 +93,24 @@
+ sha1_block_data_order(c->h, data, 1);
+ }
+
+-#define DATA_ORDER_IS_BIG_ENDIAN
++int SHA1_Update(SHA_CTX *c, const void *data, size_t len) {
++ crypto_md32_update(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,
++ &c->Nh, &c->Nl, data, len);
++ return 1;
++}
+
+-#define HASH_CTX SHA_CTX
+-#define HASH_CBLOCK 64
+-#define HASH_DIGEST_LENGTH 20
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- CRYPTO_store_u32_be((s), (c)->h[0]); \
+- (s) += 4; \
+- CRYPTO_store_u32_be((s), (c)->h[1]); \
+- (s) += 4; \
+- CRYPTO_store_u32_be((s), (c)->h[2]); \
+- (s) += 4; \
+- CRYPTO_store_u32_be((s), (c)->h[3]); \
+- (s) += 4; \
+- CRYPTO_store_u32_be((s), (c)->h[4]); \
+- (s) += 4; \
+- } while (0)
++int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {
++ crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,
++ c->Nh, c->Nl, /*is_big_endian=*/1);
+
+-#define HASH_UPDATE SHA1_Update
+-#define HASH_FINAL SHA1_Final
+-#define HASH_BLOCK_DATA_ORDER sha1_block_data_order
++ CRYPTO_store_u32_be(out, c->h[0]);
++ CRYPTO_store_u32_be(out + 4, c->h[1]);
++ CRYPTO_store_u32_be(out + 8, c->h[2]);
++ CRYPTO_store_u32_be(out + 12, c->h[3]);
++ CRYPTO_store_u32_be(out + 16, c->h[4]);
++ return 1;
++}
++
+ #define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
+ #define Xupdate(a, ix, ia, ib, ic, id) \
+ do { \
+@@ -121,8 +118,6 @@
+ (ix) = (a) = ROTATE((a), 1); \
+ } while (0)
+
+-#include "../digest/md32_common.h"
+-
+ #define K_00_19 0x5a827999UL
+ #define K_20_39 0x6ed9eba1UL
+ #define K_40_59 0x8f1bbcdcUL
+@@ -343,14 +338,6 @@
+ }
+ #endif
+
+-#undef DATA_ORDER_IS_BIG_ENDIAN
+-#undef HASH_CTX
+-#undef HASH_CBLOCK
+-#undef HASH_DIGEST_LENGTH
+-#undef HASH_MAKE_STRING
+-#undef HASH_UPDATE
+-#undef HASH_FINAL
+-#undef HASH_BLOCK_DATA_ORDER
+ #undef ROTATE
+ #undef Xupdate
+ #undef K_00_19
+diff --git a/crypto/fipsmodule/sha/sha256.c b/crypto/fipsmodule/sha/sha256.c
+index ff961c8..4394f4a 100644
+--- a/crypto/fipsmodule/sha/sha256.c
++++ b/crypto/fipsmodule/sha/sha256.c
+@@ -60,8 +60,9 @@
+
+ #include <openssl/mem.h>
+
+-#include "internal.h"
+ #include "../../internal.h"
++#include "../digest/md32_common.h"
++#include "internal.h"
+
+
+ int SHA224_Init(SHA256_CTX *sha) {
+@@ -112,16 +113,6 @@
+ return out;
+ }
+
+-int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
+- return SHA256_Update(ctx, data, len);
+-}
+-
+-int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
+- // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a
+- // smaller output.
+- return SHA256_Final(out, ctx);
+-}
+-
+ #ifndef SHA256_ASM
+ static void sha256_block_data_order(uint32_t *state, const uint8_t *in,
+ size_t num);
+@@ -131,55 +122,51 @@
+ sha256_block_data_order(c->h, data, 1);
+ }
+
+-#define DATA_ORDER_IS_BIG_ENDIAN
++int SHA256_Update(SHA256_CTX *c, const void *data, size_t len) {
++ crypto_md32_update(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK,
++ &c->num, &c->Nh, &c->Nl, data, len);
++ return 1;
++}
+
+-#define HASH_CTX SHA256_CTX
+-#define HASH_CBLOCK 64
+-#define HASH_DIGEST_LENGTH 32
++int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) {
++ return SHA256_Update(ctx, data, len);
++}
+
+-// Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
+-// default: case below covers for it. It's not clear however if it's permitted
+-// to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
+-// then default: case shall be extended. For reference. Idea behind separate
+-// cases for pre-defined lenghts is to let the compiler decide if it's
+-// appropriate to unroll small loops.
+-//
+-// TODO(davidben): The small |md_len| case is one of the few places a low-level
+-// hash 'final' function can fail. This should never happen.
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- unsigned int nn; \
+- switch ((c)->md_len) { \
+- case SHA224_DIGEST_LENGTH: \
+- for (nn = 0; nn < SHA224_DIGEST_LENGTH / 4; nn++) { \
+- CRYPTO_store_u32_be((s), (c)->h[nn]); \
+- (s) += 4; \
+- } \
+- break; \
+- case SHA256_DIGEST_LENGTH: \
+- for (nn = 0; nn < SHA256_DIGEST_LENGTH / 4; nn++) { \
+- CRYPTO_store_u32_be((s), (c)->h[nn]); \
+- (s) += 4; \
+- } \
+- break; \
+- default: \
+- if ((c)->md_len > SHA256_DIGEST_LENGTH) { \
+- return 0; \
+- } \
+- for (nn = 0; nn < (c)->md_len / 4; nn++) { \
+- CRYPTO_store_u32_be((s), (c)->h[nn]); \
+- (s) += 4; \
+- } \
+- break; \
+- } \
+- } while (0)
++static int sha256_final_impl(uint8_t *out, SHA256_CTX *c) {
++ crypto_md32_final(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK,
++ &c->num, c->Nh, c->Nl, /*is_big_endian=*/1);
+
++ // TODO(davidben): This overflow check one of the few places a low-level hash
++ // 'final' function can fail. SHA-512 does not have a corresponding check.
++ // These functions already misbehave if the caller arbitrarily mutates |c|, so
++ // can we assume one of |SHA256_Init| or |SHA224_Init| was used?
++ if (c->md_len > SHA256_DIGEST_LENGTH) {
++ return 0;
++ }
+
+-#define HASH_UPDATE SHA256_Update
+-#define HASH_FINAL SHA256_Final
+-#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
++ assert(c->md_len % 4 == 0);
++ const size_t out_words = c->md_len / 4;
++ for (size_t i = 0; i < out_words; i++) {
++ CRYPTO_store_u32_be(out, c->h[i]);
++ out += 4;
++ }
++ return 1;
++}
+
+-#include "../digest/md32_common.h"
++int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) {
++ // Ideally we would assert |sha->md_len| is |SHA256_DIGEST_LENGTH| to match
++ // the size hint, but calling code often pairs |SHA224_Init| with
++ // |SHA256_Final| and expects |sha->md_len| to carry the size over.
++ //
++ // TODO(davidben): Add an assert and fix code to match them up.
++ return sha256_final_impl(out, c);
++}
++int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) {
++ // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a
++ // smaller output.
++ assert(ctx->md_len == SHA224_DIGEST_LENGTH);
++ return sha256_final_impl(out, ctx);
++}
+
+ #ifndef SHA256_ASM
+ static const uint32_t K256[64] = {
+@@ -322,14 +309,6 @@
+ sha256_block_data_order(state, data, num_blocks);
+ }
+
+-#undef DATA_ORDER_IS_BIG_ENDIAN
+-#undef HASH_CTX
+-#undef HASH_CBLOCK
+-#undef HASH_DIGEST_LENGTH
+-#undef HASH_MAKE_STRING
+-#undef HASH_UPDATE
+-#undef HASH_FINAL
+-#undef HASH_BLOCK_DATA_ORDER
+ #undef ROTATE
+ #undef Sigma0
+ #undef Sigma1
+diff --git a/crypto/fipsmodule/sha/sha512.c b/crypto/fipsmodule/sha/sha512.c
+index 1f40e7a..befdd52 100644
+--- a/crypto/fipsmodule/sha/sha512.c
++++ b/crypto/fipsmodule/sha/sha512.c
+@@ -162,7 +162,7 @@
+
+ int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {
+ // |SHA384_Init| sets |sha->md_len| to |SHA384_DIGEST_LENGTH|, so this has a
+- // |smaller output.
++ // smaller output.
+ assert(sha->md_len == SHA384_DIGEST_LENGTH);
+ return sha512_final_impl(out, sha);
+ }
+@@ -237,7 +237,7 @@
+ int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {
+ // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match
+ // the size hint, but calling code often pairs |SHA384_Init| with
+- // |SHA512_Final| and expects |sha->md_len| to carry the over.
++ // |SHA512_Final| and expects |sha->md_len| to carry the size over.
+ //
+ // TODO(davidben): Add an assert and fix code to match them up.
+ return sha512_final_impl(out, sha);
+@@ -270,9 +270,8 @@
+ assert(sha->md_len % 8 == 0);
+ const size_t out_words = sha->md_len / 8;
+ for (size_t i = 0; i < out_words; i++) {
+- const uint64_t t = CRYPTO_bswap8(sha->h[i]);
+- memcpy(out, &t, sizeof(t));
+- out += sizeof(t);
++ CRYPTO_store_u64_be(out, sha->h[i]);
++ out += 8;
+ }
+
+ return 1;
+diff --git a/decrepit/ripemd/ripemd.c b/decrepit/ripemd/ripemd.c
+index ac6bd83..9120cdd 100644
+--- a/decrepit/ripemd/ripemd.c
++++ b/decrepit/ripemd/ripemd.c
+@@ -59,6 +59,7 @@
+ #include <string.h>
+
+ #include "../../crypto/internal.h"
++#include "../../crypto/fipsmodule/digest/md32_common.h"
+
+
+ #define RIPEMD160_A 0x67452301L
+@@ -85,31 +86,24 @@
+ ripemd160_block_data_order(c->h, data, 1);
+ }
+
+-#define DATA_ORDER_IS_LITTLE_ENDIAN
++int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len) {
++ crypto_md32_update(&ripemd160_block_data_order, c->h, c->data,
++ RIPEMD160_CBLOCK, &c->num, &c->Nh, &c->Nl, data, len);
++ return 1;
++}
+
+-#define HASH_LONG uint32_t
+-#define HASH_CTX RIPEMD160_CTX
+-#define HASH_CBLOCK RIPEMD160_CBLOCK
+-#define HASH_DIGEST_LENGTH RIPEMD160_DIGEST_LENGTH
+-#define HASH_UPDATE RIPEMD160_Update
+-#define HASH_FINAL RIPEMD160_Final
+-#define HASH_MAKE_STRING(c, s) \
+- do { \
+- CRYPTO_store_u32_le((s), (c)->h[0]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[1]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[2]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[3]); \
+- (s) += 4; \
+- CRYPTO_store_u32_le((s), (c)->h[4]); \
+- (s) += 4; \
+- } while (0)
++int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH], RIPEMD160_CTX *c) {
++ crypto_md32_final(&ripemd160_block_data_order, c->h, c->data,
++ RIPEMD160_CBLOCK, &c->num, c->Nh, c->Nl,
++ /*is_big_endian=*/0);
+
+-#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order
+-
+-#include "../../crypto/fipsmodule/digest/md32_common.h"
++ CRYPTO_store_u32_le(out, c->h[0]);
++ CRYPTO_store_u32_le(out + 4, c->h[1]);
++ CRYPTO_store_u32_le(out + 8, c->h[2]);
++ CRYPTO_store_u32_le(out + 12, c->h[3]);
++ CRYPTO_store_u32_le(out + 16, c->h[4]);
++ return 1;
++}
+
+ // Transformed F2 and F4 are courtesy of Wei Dai <weidai at eskimo.com>
+ #define F1(x, y, z) ((x) ^ (y) ^ (z))
+From 92c6fbfc4c44dc8462d260d836020d2b793e7804 Mon Sep 17 00:00:00 2001
+From: Peter Foley <pefoley2 at pefoley.com>
+Date: Fri, 28 May 2021 14:16:23 -0400
+Subject: [PATCH] Fix array-parameter warnings
+
+e.g.
+/home/peter/boringssl/crypto/curve25519/curve25519.c:503:57: error: argument 2 of type 'const uint8_t[32]' {aka 'const unsigned char[32'} with mismatched bound [-Werror=array-parameter=]
+ 503 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) {
+ | ~~~~~~~~~~~~~~^~~~~
+In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33:
+/home/peter/boringssl/crypto/curve25519/internal.h:109:58: note: previously declared as 'const uint8_t *' {aka 'const unsigned char *'}
+ 109 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s);
+ | ~~~~~~~~~~~~~~~^
+/home/peter/boringssl/crypto/curve25519/curve25519.c:823:57: error: argument 2 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Werror=array-parameter=]
+ 823 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
+ | ~~~~~~~~~~~~~~~^
+In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33:
+/home/peter/boringssl/crypto/curve25519/internal.h:117:56: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'}
+ 117 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]);
+ | ~~~~~~~~~~~~~~^~~~~
+cc1: all warnings being treated as errors
+
+Change-Id: I7e9b68fe261a94834f519057adb6ff90c0cb73cf
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47805
+Reviewed-by: David Benjamin <davidben at google.com>
+Commit-Queue: David Benjamin <davidben at google.com>
+---
+
+diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c
+index 232f6e0..ea48810 100644
+--- a/crypto/curve25519/curve25519.c
++++ b/crypto/curve25519/curve25519.c
+@@ -820,7 +820,7 @@
+ //
+ // Preconditions:
+ // a[31] <= 127
+-void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
++void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
+ signed char e[64];
+ signed char carry;
+ ge_p1p1 r;
+diff --git a/crypto/curve25519/internal.h b/crypto/curve25519/internal.h
+index 01be307..76ff78f 100644
+--- a/crypto/curve25519/internal.h
++++ b/crypto/curve25519/internal.h
+@@ -106,7 +106,7 @@
+ } ge_cached;
+
+ void x25519_ge_tobytes(uint8_t s[32], const ge_p2 *h);
+-int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s);
++int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]);
+ void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p);
+ void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p);
+ void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p);
More information about the arch-commits
mailing list