1*0ae430aaSDon Lewis--- misc/nss-3.39/nss/cmd/signtool/sign.c 2016-06-20 14:11:28.000000000 -0300
2*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/cmd/signtool/sign.c 2019-11-01 13:32:56.496828470 -0300
3*0ae430aaSDon Lewis@@ -8,6 +8,10 @@
4*0ae430aaSDon Lewis #include "blapi.h"
5*0ae430aaSDon Lewis #include "sechash.h" /* for HASH_GetHashObject() */
6*0ae430aaSDon Lewis 
7*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1900
8*0ae430aaSDon Lewis+#define snprintf _snprintf
9*0ae430aaSDon Lewis+#endif
10*0ae430aaSDon Lewis+
11*0ae430aaSDon Lewis static int create_pk7(char *dir, char *keyName, int *keyType);
12*0ae430aaSDon Lewis static int jar_find_key_type(CERTCertificate *cert);
13*0ae430aaSDon Lewis static int manifesto(char *dirname, char *install_script, PRBool recurse);
14*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/Makefile misc/build/nss-3.39/nss/cmd/Makefile
15*0ae430aaSDon Lewis--- misc/nss-3.39/nss/cmd/Makefile 2018-08-31 05:55:53.000000000 -0700
16*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/cmd/Makefile 2018-10-22 14:53:30.297923000 -0700
17*0ae430aaSDon Lewis@@ -21,7 +21,8 @@
18*0ae430aaSDon Lewis FIPSTEST_SRCDIR =
19*0ae430aaSDon Lewis SHLIBSIGN_SRCDIR =
20*0ae430aaSDon Lewis else
21*0ae430aaSDon Lewis-BLTEST_SRCDIR = bltest
22*0ae430aaSDon Lewis+# BLTEST_SRCDIR = bltest
23*0ae430aaSDon Lewis+BLTEST_SRCDIR =
24*0ae430aaSDon Lewis ECPERF_SRCDIR = ecperf
25*0ae430aaSDon Lewis FREEBL_ECTEST_SRCDIR = fbectest
26*0ae430aaSDon Lewis FIPSTEST_SRCDIR = fipstest
27*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/lib/secutil.c misc/build/nss-3.39/nss/cmd/lib/secutil.c
28*0ae430aaSDon Lewis--- misc/nss-3.39/nss/cmd/lib/secutil.c 2018-08-31 05:55:53.000000000 -0700
29*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/cmd/lib/secutil.c 2018-10-22 10:44:05.694582000 -0700
30*0ae430aaSDon Lewis@@ -217,6 +217,7 @@
31*0ae430aaSDon Lewis secuPWData *pwdata = (secuPWData *)arg;
32*0ae430aaSDon Lewis secuPWData pwnull = { PW_NONE, 0 };
33*0ae430aaSDon Lewis 
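Review bot: `#define snprintf _snprintf` changes the return contract that the truncation guards in sign.c depend on: MSVC's `_snprintf` returns -1 on truncation instead of the length that would have been needed, and it does not NUL-terminate the buffer when the output exactly fills it, so a `count >= sizeof(buf)` test only trips through the signed-to-unsigned conversion (if `count` is signed) and may leave an unterminated path behind. The other sign.c hunks on this page switch the path builders to `PR_snprintf`, so this macro may have no remaining caller; that cannot be confirmed from the hunk. If it is kept, give it a comment stating the contract, e.g. `/* _snprintf returns -1 (not the needed length) and may omit the NUL on truncation; callers must bound-check inputs first */`, and prefer a single `PR_snprintf` path with an explicit length check so Windows and non-Windows builds behave identically.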
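Review bot: Commenting out `BLTEST_SRCDIR = bltest` silently drops the freebl cipher/hash test driver from this build, and the hunk records no reason for it while the sibling test directories (`ECPERF_SRCDIR`, `FIPSTEST_SRCDIR`) stay enabled. A maintainer reading this later cannot tell whether bltest failed to compile on the target toolchain or was deliberately excluded, and the lost known-answer coverage for the primitives patched elsewhere on this page (blake2b, chacha20poly1305, curve25519) is invisible. Add a comment next to the disabled line naming the cause and the condition for re-enabling, e.g. `# bltest disabled: <reason>; re-enable once <condition>`.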
secuPWData pwxtrn = { PW_EXTERNAL, "external" }; 34*0ae430aaSDon Lewis+ char *pw; 35*0ae430aaSDon Lewis 36*0ae430aaSDon Lewis if (pwdata == NULL) 37*0ae430aaSDon Lewis pwdata = &pwnull; 38*0ae430aaSDon Lewis@@ -240,7 +241,7 @@ 39*0ae430aaSDon Lewis sprintf(prompt, 40*0ae430aaSDon Lewis "Press Enter, then enter PIN for \"%s\" on external device.\n", 41*0ae430aaSDon Lewis PK11_GetTokenName(slot)); 42*0ae430aaSDon Lewis- char *pw = SECU_GetPasswordString(NULL, prompt); 43*0ae430aaSDon Lewis+ pw = SECU_GetPasswordString(NULL, prompt); 44*0ae430aaSDon Lewis PORT_Free(pw); 45*0ae430aaSDon Lewis /* Fall Through */ 46*0ae430aaSDon Lewis case PW_PLAINTEXT: 47*0ae430aaSDon Lewis@@ -3841,10 +3842,11 @@ 48*0ae430aaSDon Lewis countItems(const char *arg, unsigned int *numItems) 49*0ae430aaSDon Lewis { 50*0ae430aaSDon Lewis char *str = PORT_Strdup(arg); 51*0ae430aaSDon Lewis+ char *p; 52*0ae430aaSDon Lewis if (!str) { 53*0ae430aaSDon Lewis return SECFailure; 54*0ae430aaSDon Lewis } 55*0ae430aaSDon Lewis- char *p = strtok(str, ","); 56*0ae430aaSDon Lewis+ p = strtok(str, ","); 57*0ae430aaSDon Lewis while (p) { 58*0ae430aaSDon Lewis ++(*numItems); 59*0ae430aaSDon Lewis p = strtok(NULL, ","); 60*0ae430aaSDon Lewis@@ -3943,6 +3945,8 @@ 61*0ae430aaSDon Lewis SSLSignatureScheme *schemes; 62*0ae430aaSDon Lewis unsigned int numValues = 0; 63*0ae430aaSDon Lewis unsigned int count = 0; 64*0ae430aaSDon Lewis+ char *str; 65*0ae430aaSDon Lewis+ char *p; 66*0ae430aaSDon Lewis 67*0ae430aaSDon Lewis if (countItems(arg, &numValues) != SECSuccess) { 68*0ae430aaSDon Lewis return SECFailure; 69*0ae430aaSDon Lewis@@ -3953,11 +3957,11 @@ 70*0ae430aaSDon Lewis } 71*0ae430aaSDon Lewis 72*0ae430aaSDon Lewis /* Get group names. 
*/ 73*0ae430aaSDon Lewis- char *str = PORT_Strdup(arg); 74*0ae430aaSDon Lewis+ str = PORT_Strdup(arg); 75*0ae430aaSDon Lewis if (!str) { 76*0ae430aaSDon Lewis goto done; 77*0ae430aaSDon Lewis } 78*0ae430aaSDon Lewis- char *p = strtok(str, ","); 79*0ae430aaSDon Lewis+ p = strtok(str, ","); 80*0ae430aaSDon Lewis while (p) { 81*0ae430aaSDon Lewis SSLSignatureScheme scheme = schemeNameToScheme(p); 82*0ae430aaSDon Lewis if (scheme == ssl_sig_none) { 83*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/signtool/javascript.c misc/build/nss-3.39/nss/cmd/signtool/javascript.c 84*0ae430aaSDon Lewis--- misc/nss-3.39/nss/cmd/signtool/javascript.c 2018-08-31 05:55:53.000000000 -0700 85*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/cmd/signtool/javascript.c 2018-10-22 15:02:16.878938000 -0700 86*0ae430aaSDon Lewis@@ -1672,7 +1672,7 @@ 87*0ae430aaSDon Lewis { 88*0ae430aaSDon Lewis char fn[FNSIZE]; 89*0ae430aaSDon Lewis PRDir *dir; 90*0ae430aaSDon Lewis- int c = snprintf(fn, sizeof(fn), "%s/%s", basepath, path); 91*0ae430aaSDon Lewis+ int c = PR_snprintf(fn, sizeof(fn), "%s/%s", basepath, path); 92*0ae430aaSDon Lewis if (c >= sizeof(fn)) { 93*0ae430aaSDon Lewis return PR_FAILURE; 94*0ae430aaSDon Lewis } 95*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/cmd/signtool/sign.c misc/build/nss-3.39/nss/cmd/signtool/sign.c 96*0ae430aaSDon Lewis--- misc/nss-3.39/nss/cmd/signtool/sign.c 2018-08-31 05:55:53.000000000 -0700 97*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/cmd/signtool/sign.c 2018-10-22 15:01:53.353243000 -0700 98*0ae430aaSDon Lewis@@ -82,13 +82,13 @@ 99*0ae430aaSDon Lewis } 100*0ae430aaSDon Lewis 101*0ae430aaSDon Lewis /* rsa/dsa to zip */ 102*0ae430aaSDon Lewis- count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa")); 103*0ae430aaSDon Lewis+ count = PR_snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? 
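Review bot: The truncation guard on the line after the change, `if (c >= sizeof(fn))`, can no longer fire once the call is `PR_snprintf`: as NSPR documents it, `PR_snprintf` returns the number of bytes it actually wrote (at most `sizeof(fn) - 1`, always NUL-terminated), not the C99 would-be length, so an over-long `basepath`/`path` pair now yields a silently truncated filename that is then used for the `PRDir` open instead of returning `PR_FAILURE`. Bound the inputs rather than the result, before the format call: `if (strlen(basepath) + 1 + strlen(path) >= sizeof(fn)) return PR_FAILURE;` (the `c` variable can then be dropped). The enclosing function starts and ends outside this hunk.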
"dsa" : "rsa")); 104*0ae430aaSDon Lewis if (count >= sizeof(tempfn)) { 105*0ae430aaSDon Lewis PR_fprintf(errorFD, "unable to write key metadata\n"); 106*0ae430aaSDon Lewis errorCount++; 107*0ae430aaSDon Lewis exit(ERRX); 108*0ae430aaSDon Lewis } 109*0ae430aaSDon Lewis- count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 110*0ae430aaSDon Lewis+ count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 111*0ae430aaSDon Lewis if (count >= sizeof(fullfn)) { 112*0ae430aaSDon Lewis PR_fprintf(errorFD, "unable to write key metadata\n"); 113*0ae430aaSDon Lewis errorCount++; 114*0ae430aaSDon Lewis@@ -103,7 +103,7 @@ 115*0ae430aaSDon Lewis } 116*0ae430aaSDon Lewis /* mf to zip */ 117*0ae430aaSDon Lewis strcpy(tempfn, "META-INF/manifest.mf"); 118*0ae430aaSDon Lewis- count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 119*0ae430aaSDon Lewis+ count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 120*0ae430aaSDon Lewis if (count >= sizeof(fullfn)) { 121*0ae430aaSDon Lewis PR_fprintf(errorFD, "unable to write manifest\n"); 122*0ae430aaSDon Lewis errorCount++; 123*0ae430aaSDon Lewis@@ -112,13 +112,13 @@ 124*0ae430aaSDon Lewis JzipAdd(fullfn, tempfn, zipfile, compression_level); 125*0ae430aaSDon Lewis 126*0ae430aaSDon Lewis /* sf to zip */ 127*0ae430aaSDon Lewis- count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.sf", base); 128*0ae430aaSDon Lewis+ count = PR_snprintf(tempfn, sizeof(tempfn), "META-INF/%s.sf", base); 129*0ae430aaSDon Lewis if (count >= sizeof(tempfn)) { 130*0ae430aaSDon Lewis PR_fprintf(errorFD, "unable to write sf metadata\n"); 131*0ae430aaSDon Lewis errorCount++; 132*0ae430aaSDon Lewis exit(ERRX); 133*0ae430aaSDon Lewis } 134*0ae430aaSDon Lewis- count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 135*0ae430aaSDon Lewis+ count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 136*0ae430aaSDon Lewis if (count >= sizeof(fullfn)) { 137*0ae430aaSDon Lewis PR_fprintf(errorFD, "unable to write 
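Review bot: Every `if (count >= sizeof(tempfn))` / `if (count >= sizeof(fullfn))` guard in this hunk becomes dead once the call is `PR_snprintf`, because NSPR's `PR_snprintf` returns the length it actually wrote (at most the buffer size minus one) rather than the length it needed; an over-long `base` or `tree` therefore produces a truncated `META-INF/...` entry name or archive path that is handed to `JzipAdd` instead of reaching the intended `exit(ERRX)`. The declaration of `count` is outside the hunk; if it is signed, only the `(PRUint32)-1` error return would still trip the comparison. Replace each guard with a pre-check on the inputs, e.g. `if (strlen(base) + sizeof("META-INF/.dsa") > sizeof(tempfn))` and `if (strlen(tree) + 1 + strlen(tempfn) >= sizeof(fullfn))`, or build the paths with `PR_smprintf` and test for NULL. The -103 and -112 hunks below repeat the same pattern.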
sf metadata\n"); 138*0ae430aaSDon Lewis errorCount++; 139*0ae430aaSDon Lewis@@ -129,13 +129,13 @@ 140*0ae430aaSDon Lewis /* Add the rsa/dsa file to the zip archive normally */ 141*0ae430aaSDon Lewis if (!xpi_arc) { 142*0ae430aaSDon Lewis /* rsa/dsa to zip */ 143*0ae430aaSDon Lewis- count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa")); 144*0ae430aaSDon Lewis+ count = PR_snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa")); 145*0ae430aaSDon Lewis if (count >= sizeof(tempfn)) { 146*0ae430aaSDon Lewis PR_fprintf(errorFD, "unable to write key metadata\n"); 147*0ae430aaSDon Lewis errorCount++; 148*0ae430aaSDon Lewis exit(ERRX); 149*0ae430aaSDon Lewis } 150*0ae430aaSDon Lewis- count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 151*0ae430aaSDon Lewis+ count = PR_snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn); 152*0ae430aaSDon Lewis if (count >= sizeof(fullfn)) { 153*0ae430aaSDon Lewis PR_fprintf(errorFD, "unable to write key metadata\n"); 154*0ae430aaSDon Lewis errorCount++; 155*0ae430aaSDon Lewis@@ -456,7 +456,7 @@ 156*0ae430aaSDon Lewis if (!PL_HashTableLookup(extensions, ext)) 157*0ae430aaSDon Lewis return 0; 158*0ae430aaSDon Lewis } 159*0ae430aaSDon Lewis- count = snprintf(fullname, sizeof(fullname), "%s/%s", basedir, relpath); 160*0ae430aaSDon Lewis+ count = PR_snprintf(fullname, sizeof(fullname), "%s/%s", basedir, relpath); 161*0ae430aaSDon Lewis if (count >= sizeof(fullname)) { 162*0ae430aaSDon Lewis return 1; 163*0ae430aaSDon Lewis } 164*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h misc/build/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h 165*0ae430aaSDon Lewis--- misc/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h 2018-08-31 05:55:53.000000000 -0700 166*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/gtests/freebl_gtest/kat/blake2b_kat.h 2018-10-21 01:47:24.131348000 -0700 167*0ae430aaSDon Lewis@@ -5,7 +5,23 
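Review bot: `if (count >= sizeof(fullname)) return 1;` is unreachable for truncation after this change, since `PR_snprintf` reports the bytes written (at most `sizeof(fullname) - 1`) rather than the needed length; a `basedir`/`relpath` pair that does not fit is now silently truncated and the function continues with the wrong path. Check the inputs before formatting instead: `if (strlen(basedir) + 1 + strlen(relpath) >= sizeof(fullname)) return 1;`. The enclosing function starts and ends outside the hunk, so the signedness of `count` is not visible here; the -129 hunk above has the same issue in both of its guards.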
@@ 168*0ae430aaSDon Lewis /* https://github.com/BLAKE2/BLAKE2/blob/master/testvectors/blake2b-kat.txt */ 169*0ae430aaSDon Lewis 170*0ae430aaSDon Lewis #include <vector> 171*0ae430aaSDon Lewis-#include <stdint.h> 172*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600 173*0ae430aaSDon Lewis+ #ifdef _WIN64 174*0ae430aaSDon Lewis+typedef unsigned __int64 uintptr_t; 175*0ae430aaSDon Lewis+ #else 176*0ae430aaSDon Lewis+typedef unsigned int uintptr_t; 177*0ae430aaSDon Lewis+ #endif 178*0ae430aaSDon Lewis+typedef unsigned char uint8_t; 179*0ae430aaSDon Lewis+typedef unsigned short uint16_t; 180*0ae430aaSDon Lewis+typedef unsigned int uint32_t; 181*0ae430aaSDon Lewis+typedef unsigned __int64 uint64_t; 182*0ae430aaSDon Lewis+#define UINT8_MAX 0xff 183*0ae430aaSDon Lewis+#define UINT16_MAX 0xffff 184*0ae430aaSDon Lewis+#define UINT32_MAX 0xffffffffu 185*0ae430aaSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU 186*0ae430aaSDon Lewis+#else 187*0ae430aaSDon Lewis+ #include <stdint.h> 188*0ae430aaSDon Lewis+#endif 189*0ae430aaSDon Lewis 190*0ae430aaSDon Lewis const std::vector<uint8_t> kat_key = { 191*0ae430aaSDon Lewis 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 192*0ae430aaSDon Lewis@@ -4643,4 +4659,4 @@ 193*0ae430aaSDon Lewis 0x10, 0x70, 0xfa, 0xa0, 0x37, 0x2a, 0xa4, 0x3e, 0x92, 0x48, 0x4b, 194*0ae430aaSDon Lewis 0xe1, 0xc1, 0xe7, 0x3b, 0xa1, 0x09, 0x06, 0xd5, 0xd1, 0x85, 0x3d, 195*0ae430aaSDon Lewis 0xb6, 0xa4, 0x10, 0x6e, 0x0a, 0x7b, 0xf9, 0x80, 0x0d, 0x37, 0x3d, 196*0ae430aaSDon Lewis- 0x6d, 0xee, 0x2d, 0x46, 0xd6, 0x2e, 0xf2, 0xa4, 0x61}))}; 197*0ae430aaSDon Lewis\ No newline at end of file 198*0ae430aaSDon Lewis+ 0x6d, 0xee, 0x2d, 0x46, 0xd6, 0x2e, 0xf2, 0xa4, 0x61}))}; 199*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h misc/build/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h 200*0ae430aaSDon Lewis--- misc/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h 2018-08-31 05:55:53.000000000 -0700 201*0ae430aaSDon Lewis+++ 
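Review bot: The inline `<stdint.h>` replacement for `_MSC_VER < 1600` defines only the unsigned types and their `*_MAX` macros, and the identical block is pasted into `libssl_internals.h`, `blake2b.h`, `gcm.h` and `rijndael.h` further down this page; any translation unit that includes two of those re-declares `uint8_t` through `uint64_t`, and a later need for `int32_t` or `INT64_MAX` has to be patched in five places. Move the shim into one guarded compatibility header (e.g. `#ifndef NSS_STDINT_COMPAT_H` around the typedefs) and include that here and in the other four files. This file is C++ (`std::vector`), where a repeated identical typedef is accepted; whether the C headers below are compiled under a dialect that tolerates it is not visible from the diff.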
misc/build/nss-3.39/nss/gtests/ssl_gtest/libssl_internals.h 2018-10-21 01:47:16.342484000 -0700 202*0ae430aaSDon Lewis@@ -7,7 +7,23 @@ 203*0ae430aaSDon Lewis #ifndef libssl_internals_h_ 204*0ae430aaSDon Lewis #define libssl_internals_h_ 205*0ae430aaSDon Lewis 206*0ae430aaSDon Lewis-#include <stdint.h> 207*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600 208*0ae430aaSDon Lewis+ #ifdef _WIN64 209*0ae430aaSDon Lewis+typedef unsigned __int64 uintptr_t; 210*0ae430aaSDon Lewis+ #else 211*0ae430aaSDon Lewis+typedef unsigned int uintptr_t; 212*0ae430aaSDon Lewis+ #endif 213*0ae430aaSDon Lewis+typedef unsigned char uint8_t; 214*0ae430aaSDon Lewis+typedef unsigned short uint16_t; 215*0ae430aaSDon Lewis+typedef unsigned int uint32_t; 216*0ae430aaSDon Lewis+typedef unsigned __int64 uint64_t; 217*0ae430aaSDon Lewis+#define UINT8_MAX 0xff 218*0ae430aaSDon Lewis+#define UINT16_MAX 0xffff 219*0ae430aaSDon Lewis+#define UINT32_MAX 0xffffffffu 220*0ae430aaSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU 221*0ae430aaSDon Lewis+#else 222*0ae430aaSDon Lewis+ #include <stdint.h> 223*0ae430aaSDon Lewis+#endif 224*0ae430aaSDon Lewis 225*0ae430aaSDon Lewis #include "prio.h" 226*0ae430aaSDon Lewis #include "seccomon.h" 227*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/blake2b.c misc/build/nss-3.39/nss/lib/freebl/blake2b.c 228*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/blake2b.c 2018-08-31 05:55:53.000000000 -0700 229*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/blake2b.c 2018-10-21 15:08:03.065644000 -0700 230*0ae430aaSDon Lewis@@ -147,6 +147,7 @@ 231*0ae430aaSDon Lewis blake2b_Begin(BLAKE2BContext* ctx, uint8_t outlen, const uint8_t* key, 232*0ae430aaSDon Lewis size_t keylen) 233*0ae430aaSDon Lewis { 234*0ae430aaSDon Lewis+ uint64_t param; 235*0ae430aaSDon Lewis PORT_Assert(ctx != NULL); 236*0ae430aaSDon Lewis if (!ctx) { 237*0ae430aaSDon Lewis goto failure; 238*0ae430aaSDon Lewis@@ -164,7 +165,7 @@ 239*0ae430aaSDon Lewis } 240*0ae430aaSDon Lewis 
241*0ae430aaSDon Lewis /* Mix key size(keylen) and desired hash length(outlen) into h0 */ 242*0ae430aaSDon Lewis- uint64_t param = outlen ^ (keylen << 8) ^ (1 << 16) ^ (1 << 24); 243*0ae430aaSDon Lewis+ param = outlen ^ (keylen << 8) ^ (1 << 16) ^ (1 << 24); 244*0ae430aaSDon Lewis PORT_Memcpy(ctx->h, iv, 8 * 8); 245*0ae430aaSDon Lewis ctx->h[0] ^= param; 246*0ae430aaSDon Lewis ctx->outlen = outlen; 247*0ae430aaSDon Lewis@@ -402,12 +403,13 @@ 248*0ae430aaSDon Lewis BLAKE2BContext* 249*0ae430aaSDon Lewis BLAKE2B_Resurrect(unsigned char* space, void* arg) 250*0ae430aaSDon Lewis { 251*0ae430aaSDon Lewis+ BLAKE2BContext* ctx; 252*0ae430aaSDon Lewis PORT_Assert(space != NULL); 253*0ae430aaSDon Lewis if (!space) { 254*0ae430aaSDon Lewis PORT_SetError(SEC_ERROR_INVALID_ARGS); 255*0ae430aaSDon Lewis return NULL; 256*0ae430aaSDon Lewis } 257*0ae430aaSDon Lewis- BLAKE2BContext* ctx = BLAKE2B_NewContext(); 258*0ae430aaSDon Lewis+ ctx = BLAKE2B_NewContext(); 259*0ae430aaSDon Lewis if (ctx == NULL) { 260*0ae430aaSDon Lewis PORT_SetError(SEC_ERROR_INVALID_ARGS); 261*0ae430aaSDon Lewis return NULL; 262*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/blake2b.h misc/build/nss-3.39/nss/lib/freebl/blake2b.h 263*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/blake2b.h 2018-08-31 05:55:53.000000000 -0700 264*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/blake2b.h 2018-10-21 01:46:57.467020000 -0700 265*0ae430aaSDon Lewis@@ -9,7 +9,23 @@ 266*0ae430aaSDon Lewis #define BLAKE_H 267*0ae430aaSDon Lewis 268*0ae430aaSDon Lewis #include <stddef.h> 269*0ae430aaSDon Lewis-#include <stdint.h> 270*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600 271*0ae430aaSDon Lewis+ #ifdef _WIN64 272*0ae430aaSDon Lewis+typedef unsigned __int64 uintptr_t; 273*0ae430aaSDon Lewis+ #else 274*0ae430aaSDon Lewis+typedef unsigned int uintptr_t; 275*0ae430aaSDon Lewis+ #endif 276*0ae430aaSDon Lewis+typedef unsigned char uint8_t; 277*0ae430aaSDon Lewis+typedef unsigned short uint16_t; 
278*0ae430aaSDon Lewis+typedef unsigned int uint32_t; 279*0ae430aaSDon Lewis+typedef unsigned __int64 uint64_t; 280*0ae430aaSDon Lewis+#define UINT8_MAX 0xff 281*0ae430aaSDon Lewis+#define UINT16_MAX 0xffff 282*0ae430aaSDon Lewis+#define UINT32_MAX 0xffffffffu 283*0ae430aaSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU 284*0ae430aaSDon Lewis+#else 285*0ae430aaSDon Lewis+ #include <stdint.h> 286*0ae430aaSDon Lewis+#endif 287*0ae430aaSDon Lewis 288*0ae430aaSDon Lewis struct Blake2bContextStr { 289*0ae430aaSDon Lewis uint64_t h[8]; /* chained state */ 290*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/chacha20poly1305.c misc/build/nss-3.39/nss/lib/freebl/chacha20poly1305.c 291*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/chacha20poly1305.c 2018-08-31 05:55:53.000000000 -0700 292*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/chacha20poly1305.c 2018-10-21 21:01:18.295557000 -0700 293*0ae430aaSDon Lewis@@ -77,14 +77,14 @@ 294*0ae430aaSDon Lewis Hacl_Poly1305_mk_state(stateStack, stateStack + offset); 295*0ae430aaSDon Lewis 296*0ae430aaSDon Lewis unsigned char block[16] = { 0 }; 297*0ae430aaSDon Lewis+ unsigned int i; 298*0ae430aaSDon Lewis+ unsigned int j; 299*0ae430aaSDon Lewis Hacl_Poly1305_init(state, (uint8_t *)key); 300*0ae430aaSDon Lewis 301*0ae430aaSDon Lewis Poly1305PadUpdate(state, block, ad, adLen); 302*0ae430aaSDon Lewis memset(block, 0, 16); 303*0ae430aaSDon Lewis Poly1305PadUpdate(state, block, ciphertext, ciphertextLen); 304*0ae430aaSDon Lewis 305*0ae430aaSDon Lewis- unsigned int i; 306*0ae430aaSDon Lewis- unsigned int j; 307*0ae430aaSDon Lewis for (i = 0, j = adLen; i < 8; i++, j >>= 8) { 308*0ae430aaSDon Lewis block[i] = j; 309*0ae430aaSDon Lewis } 310*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c misc/build/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c 311*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c 2018-08-31 05:55:53.000000000 -0700 312*0ae430aaSDon Lewis+++ 
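Review bot: The shim defines `uint64_t` as `unsigned __int64` but writes `UINT64_MAX` as `0xffffffffffffffffU`, a literal with only a `U` suffix whose 64-bit width rests on how the pre-2010 MSVC this targets promotes oversized hex constants; it is safer to spell it `0xffffffffffffffffui64` or `~(uint64_t)0`. Because `Blake2bContextStr` holds `uint64_t h[8]` and BLAKE2b is defined over 64-bit words, a mis-sized type here would change hash outputs rather than fail the build, so a compile-time size check next to the shim is worth adding: `typedef char nss_uint64_is_8_bytes[sizeof(uint64_t) == 8 ? 1 : -1];`. The same literal appears in the other four copies of this block on the page.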
misc/build/nss-3.39/nss/lib/freebl/ecl/ecp_25519.c 2018-10-21 21:06:07.350639000 -0700
313*0ae430aaSDon Lewis@@ -104,6 +104,7 @@
314*0ae430aaSDon Lewis {
315*0ae430aaSDon Lewis PRUint8 *px;
316*0ae430aaSDon Lewis PRUint8 basePoint[32] = { 9 };
317*0ae430aaSDon Lewis+ SECStatus rv;
318*0ae430aaSDon Lewis 
319*0ae430aaSDon Lewis if (!P) {
320*0ae430aaSDon Lewis px = basePoint;
321*0ae430aaSDon Lewis@@ -115,7 +116,7 @@
322*0ae430aaSDon Lewis px = P->data;
323*0ae430aaSDon Lewis }
324*0ae430aaSDon Lewis 
325*0ae430aaSDon Lewis- SECStatus rv = ec_Curve25519_mul(X->data, k->data, px);
326*0ae430aaSDon Lewis+ rv = ec_Curve25519_mul(X->data, k->data, px);
327*0ae430aaSDon Lewis if (NSS_SecureMemcmpZero(X->data, X->len) == 0) {
328*0ae430aaSDon Lewis return SECFailure;
329*0ae430aaSDon Lewis }
330*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/gcm.h misc/build/nss-3.39/nss/lib/freebl/gcm.h
331*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/gcm.h 2018-08-31 05:55:53.000000000 -0700
332*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/gcm.h 2018-10-21 01:46:50.706497000 -0700
333*0ae430aaSDon Lewis@@ -6,7 +6,23 @@
334*0ae430aaSDon Lewis #define GCM_H 1
335*0ae430aaSDon Lewis 
336*0ae430aaSDon Lewis #include "blapii.h"
337*0ae430aaSDon Lewis-#include <stdint.h>
338*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
339*0ae430aaSDon Lewis+ #ifdef _WIN64
340*0ae430aaSDon Lewis+typedef unsigned __int64 uintptr_t;
341*0ae430aaSDon Lewis+ #else
342*0ae430aaSDon Lewis+typedef unsigned int uintptr_t;
343*0ae430aaSDon Lewis+ #endif
344*0ae430aaSDon Lewis+typedef unsigned char uint8_t;
345*0ae430aaSDon Lewis+typedef unsigned short uint16_t;
346*0ae430aaSDon Lewis+typedef unsigned int uint32_t;
347*0ae430aaSDon Lewis+typedef unsigned __int64 uint64_t;
348*0ae430aaSDon Lewis+#define UINT8_MAX 0xff
349*0ae430aaSDon Lewis+#define UINT16_MAX 0xffff
350*0ae430aaSDon Lewis+#define UINT32_MAX 0xffffffffu
351*0ae430aaSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
352*0ae430aaSDon Lewis+#else 353*0ae430aaSDon Lewis+ #include <stdint.h> 354*0ae430aaSDon Lewis+#endif 355*0ae430aaSDon Lewis 356*0ae430aaSDon Lewis #ifdef NSS_X86_OR_X64 357*0ae430aaSDon Lewis /* GCC <= 4.8 doesn't support including emmintrin.h without enabling SSE2 */ 358*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/rijndael.h misc/build/nss-3.39/nss/lib/freebl/rijndael.h 359*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/rijndael.h 2018-08-31 05:55:53.000000000 -0700 360*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/rijndael.h 2018-10-21 01:47:05.758087000 -0700 361*0ae430aaSDon Lewis@@ -6,7 +6,23 @@ 362*0ae430aaSDon Lewis #define _RIJNDAEL_H_ 1 363*0ae430aaSDon Lewis 364*0ae430aaSDon Lewis #include "blapii.h" 365*0ae430aaSDon Lewis-#include <stdint.h> 366*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600 367*0ae430aaSDon Lewis+ #ifdef _WIN64 368*0ae430aaSDon Lewis+typedef unsigned __int64 uintptr_t; 369*0ae430aaSDon Lewis+ #else 370*0ae430aaSDon Lewis+typedef unsigned int uintptr_t; 371*0ae430aaSDon Lewis+ #endif 372*0ae430aaSDon Lewis+typedef unsigned char uint8_t; 373*0ae430aaSDon Lewis+typedef unsigned short uint16_t; 374*0ae430aaSDon Lewis+typedef unsigned int uint32_t; 375*0ae430aaSDon Lewis+typedef unsigned __int64 uint64_t; 376*0ae430aaSDon Lewis+#define UINT8_MAX 0xff 377*0ae430aaSDon Lewis+#define UINT16_MAX 0xffff 378*0ae430aaSDon Lewis+#define UINT32_MAX 0xffffffffu 379*0ae430aaSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU 380*0ae430aaSDon Lewis+#else 381*0ae430aaSDon Lewis+ #include <stdint.h> 382*0ae430aaSDon Lewis+#endif 383*0ae430aaSDon Lewis 384*0ae430aaSDon Lewis #if defined(NSS_X86_OR_X64) 385*0ae430aaSDon Lewis /* GCC <= 4.8 doesn't support including emmintrin.h without enabling SSE2 */ 386*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/FStar.c misc/build/nss-3.39/nss/lib/freebl/verified/FStar.c 387*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/FStar.c 2018-08-31 
05:55:53.000000000 -0700 388*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/FStar.c 2018-10-21 23:50:44.099188000 -0700 389*0ae430aaSDon Lewis@@ -32,37 +32,37 @@ 390*0ae430aaSDon Lewis FStar_UInt128_uint128 391*0ae430aaSDon Lewis FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 392*0ae430aaSDon Lewis { 393*0ae430aaSDon Lewis- return ( 394*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 395*0ae430aaSDon Lewis- .low = a.low + b.low, 396*0ae430aaSDon Lewis- .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) }); 397*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 398*0ae430aaSDon Lewis+ ret.low = a.low + b.low; 399*0ae430aaSDon Lewis+ ret.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); 400*0ae430aaSDon Lewis+ return (ret); 401*0ae430aaSDon Lewis } 402*0ae430aaSDon Lewis 403*0ae430aaSDon Lewis FStar_UInt128_uint128 404*0ae430aaSDon Lewis FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 405*0ae430aaSDon Lewis { 406*0ae430aaSDon Lewis- return ( 407*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 408*0ae430aaSDon Lewis- .low = a.low + b.low, 409*0ae430aaSDon Lewis- .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) }); 410*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 411*0ae430aaSDon Lewis+ ret.low = a.low + b.low; 412*0ae430aaSDon Lewis+ ret.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); 413*0ae430aaSDon Lewis+ return (ret); 414*0ae430aaSDon Lewis } 415*0ae430aaSDon Lewis 416*0ae430aaSDon Lewis FStar_UInt128_uint128 417*0ae430aaSDon Lewis FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 418*0ae430aaSDon Lewis { 419*0ae430aaSDon Lewis- return ( 420*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 421*0ae430aaSDon Lewis- .low = a.low - b.low, 422*0ae430aaSDon Lewis- .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) }); 423*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 424*0ae430aaSDon Lewis+ ret.low = a.low - 
b.low; 425*0ae430aaSDon Lewis+ ret.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); 426*0ae430aaSDon Lewis+ return (ret); 427*0ae430aaSDon Lewis } 428*0ae430aaSDon Lewis 429*0ae430aaSDon Lewis static FStar_UInt128_uint128 430*0ae430aaSDon Lewis FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 431*0ae430aaSDon Lewis { 432*0ae430aaSDon Lewis- return ( 433*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 434*0ae430aaSDon Lewis- .low = a.low - b.low, 435*0ae430aaSDon Lewis- .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) }); 436*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 437*0ae430aaSDon Lewis+ ret.low = a.low - b.low; 438*0ae430aaSDon Lewis+ ret.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); 439*0ae430aaSDon Lewis+ return (ret); 440*0ae430aaSDon Lewis } 441*0ae430aaSDon Lewis 442*0ae430aaSDon Lewis FStar_UInt128_uint128 443*0ae430aaSDon Lewis@@ -74,25 +74,37 @@ 444*0ae430aaSDon Lewis FStar_UInt128_uint128 445*0ae430aaSDon Lewis FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 446*0ae430aaSDon Lewis { 447*0ae430aaSDon Lewis- return ((FStar_UInt128_uint128){.low = a.low & b.low, .high = a.high & b.high }); 448*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 449*0ae430aaSDon Lewis+ ret.low = a.low & b.low; 450*0ae430aaSDon Lewis+ ret.high = a.high & b.high; 451*0ae430aaSDon Lewis+ return (ret); 452*0ae430aaSDon Lewis } 453*0ae430aaSDon Lewis 454*0ae430aaSDon Lewis FStar_UInt128_uint128 455*0ae430aaSDon Lewis FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 456*0ae430aaSDon Lewis { 457*0ae430aaSDon Lewis- return ((FStar_UInt128_uint128){.low = a.low ^ b.low, .high = a.high ^ b.high }); 458*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 459*0ae430aaSDon Lewis+ ret.low = a.low ^ b.low; 460*0ae430aaSDon Lewis+ ret.high = a.high ^ b.high; 461*0ae430aaSDon Lewis+ return (ret); 462*0ae430aaSDon Lewis } 463*0ae430aaSDon Lewis 464*0ae430aaSDon Lewis 
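Review bot: This file sits under `lib/freebl/verified/` and, judging by the `kremlib_base.h` include in the FStar.h hunk, appears to be KreMLin-extracted output from verified F* code; rewriting the compound-literal returns into `ret.low = ...; ret.high = ...; return (ret);` keeps the same arithmetic (the `FStar_UInt128_carry` operands are unchanged in all four functions, so the branch-free carry handling survives) but makes the file diverge from the upstream extraction. That divergence is not recorded anywhere in the hunk, so a future re-extraction from HACL* would silently drop it and a reviewer cannot tell the edit was intentional. Add a file-level note such as `/* NOTE: compound literals rewritten as explicit struct assignment for C89 (MSVC); semantics identical to upstream kremlib output */`. `FStar_UInt128_add` and `FStar_UInt128_add_mod` still have byte-identical bodies, as they did before.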
FStar_UInt128_uint128 465*0ae430aaSDon Lewis FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 466*0ae430aaSDon Lewis { 467*0ae430aaSDon Lewis- return ((FStar_UInt128_uint128){.low = a.low | b.low, .high = a.high | b.high }); 468*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 469*0ae430aaSDon Lewis+ ret.low = a.low | b.low; 470*0ae430aaSDon Lewis+ ret.high = a.high | b.high; 471*0ae430aaSDon Lewis+ return (ret); 472*0ae430aaSDon Lewis } 473*0ae430aaSDon Lewis 474*0ae430aaSDon Lewis FStar_UInt128_uint128 475*0ae430aaSDon Lewis FStar_UInt128_lognot(FStar_UInt128_uint128 a) 476*0ae430aaSDon Lewis { 477*0ae430aaSDon Lewis- return ((FStar_UInt128_uint128){.low = ~a.low, .high = ~a.high }); 478*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 479*0ae430aaSDon Lewis+ ret.low = ~a.low; 480*0ae430aaSDon Lewis+ ret.high = ~a.high; 481*0ae430aaSDon Lewis+ return (ret); 482*0ae430aaSDon Lewis } 483*0ae430aaSDon Lewis 484*0ae430aaSDon Lewis static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; 485*0ae430aaSDon Lewis@@ -112,19 +124,23 @@ 486*0ae430aaSDon Lewis static FStar_UInt128_uint128 487*0ae430aaSDon Lewis FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) 488*0ae430aaSDon Lewis { 489*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 490*0ae430aaSDon Lewis if (s == (uint32_t)0U) 491*0ae430aaSDon Lewis return a; 492*0ae430aaSDon Lewis- else 493*0ae430aaSDon Lewis- return ( 494*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 495*0ae430aaSDon Lewis- .low = a.low << s, 496*0ae430aaSDon Lewis- .high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s) }); 497*0ae430aaSDon Lewis+ else { 498*0ae430aaSDon Lewis+ ret.low = a.low << s; 499*0ae430aaSDon Lewis+ ret.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s); 500*0ae430aaSDon Lewis+ return (ret); 501*0ae430aaSDon Lewis+ } 502*0ae430aaSDon Lewis } 503*0ae430aaSDon Lewis 504*0ae430aaSDon Lewis static FStar_UInt128_uint128 505*0ae430aaSDon Lewis 
FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) 506*0ae430aaSDon Lewis { 507*0ae430aaSDon Lewis- return ((FStar_UInt128_uint128){.low = (uint64_t)0U, .high = a.low << (s - FStar_UInt128_u32_64) }); 508*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 509*0ae430aaSDon Lewis+ ret.low = (uint64_t)0U; 510*0ae430aaSDon Lewis+ ret.high = a.low << (s - FStar_UInt128_u32_64); 511*0ae430aaSDon Lewis+ return (ret); 512*0ae430aaSDon Lewis } 513*0ae430aaSDon Lewis 514*0ae430aaSDon Lewis FStar_UInt128_uint128 515*0ae430aaSDon Lewis@@ -151,19 +167,23 @@ 516*0ae430aaSDon Lewis static FStar_UInt128_uint128 517*0ae430aaSDon Lewis FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) 518*0ae430aaSDon Lewis { 519*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 520*0ae430aaSDon Lewis if (s == (uint32_t)0U) 521*0ae430aaSDon Lewis return a; 522*0ae430aaSDon Lewis- else 523*0ae430aaSDon Lewis- return ( 524*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 525*0ae430aaSDon Lewis- .low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s), 526*0ae430aaSDon Lewis- .high = a.high >> s }); 527*0ae430aaSDon Lewis+ else { 528*0ae430aaSDon Lewis+ ret.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s); 529*0ae430aaSDon Lewis+ ret.high = a.high >> s; 530*0ae430aaSDon Lewis+ return (ret); 531*0ae430aaSDon Lewis+ } 532*0ae430aaSDon Lewis } 533*0ae430aaSDon Lewis 534*0ae430aaSDon Lewis static FStar_UInt128_uint128 535*0ae430aaSDon Lewis FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) 536*0ae430aaSDon Lewis { 537*0ae430aaSDon Lewis- return ((FStar_UInt128_uint128){.low = a.high >> (s - FStar_UInt128_u32_64), .high = (uint64_t)0U }); 538*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 539*0ae430aaSDon Lewis+ ret.low = a.high >> (s - FStar_UInt128_u32_64); 540*0ae430aaSDon Lewis+ ret.high = (uint64_t)0U; 541*0ae430aaSDon Lewis+ return (ret); 542*0ae430aaSDon Lewis } 543*0ae430aaSDon Lewis 544*0ae430aaSDon Lewis FStar_UInt128_uint128 
545*0ae430aaSDon Lewis@@ -178,25 +198,28 @@ 546*0ae430aaSDon Lewis FStar_UInt128_uint128 547*0ae430aaSDon Lewis FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 548*0ae430aaSDon Lewis { 549*0ae430aaSDon Lewis- return ( 550*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 551*0ae430aaSDon Lewis- .low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high), 552*0ae430aaSDon Lewis- .high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high) }); 553*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 554*0ae430aaSDon Lewis+ ret.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); 555*0ae430aaSDon Lewis+ ret.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); 556*0ae430aaSDon Lewis+ return (ret); 557*0ae430aaSDon Lewis } 558*0ae430aaSDon Lewis 559*0ae430aaSDon Lewis FStar_UInt128_uint128 560*0ae430aaSDon Lewis FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) 561*0ae430aaSDon Lewis { 562*0ae430aaSDon Lewis- return ( 563*0ae430aaSDon Lewis- (FStar_UInt128_uint128){ 564*0ae430aaSDon Lewis- .low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)), 565*0ae430aaSDon Lewis- .high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)) }); 566*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 567*0ae430aaSDon Lewis+ ret.low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); 568*0ae430aaSDon Lewis+ ret.high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); 569*0ae430aaSDon Lewis+ return (ret); 570*0ae430aaSDon Lewis } 
571*0ae430aaSDon Lewis 572*0ae430aaSDon Lewis FStar_UInt128_uint128 573*0ae430aaSDon Lewis FStar_UInt128_uint64_to_uint128(uint64_t a) 574*0ae430aaSDon Lewis { 575*0ae430aaSDon Lewis- return ((FStar_UInt128_uint128){.low = a, .high = (uint64_t)0U }); 576*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret; 577*0ae430aaSDon Lewis+ ret.low = a; 578*0ae430aaSDon Lewis+ ret.high = (uint64_t)0U; 579*0ae430aaSDon Lewis+ return (ret); 580*0ae430aaSDon Lewis } 581*0ae430aaSDon Lewis 582*0ae430aaSDon Lewis uint64_t 583*0ae430aaSDon Lewis@@ -218,12 +241,13 @@ 584*0ae430aaSDon Lewis static K___uint64_t_uint64_t_uint64_t_uint64_t 585*0ae430aaSDon Lewis FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y) 586*0ae430aaSDon Lewis { 587*0ae430aaSDon Lewis- return ( 588*0ae430aaSDon Lewis- (K___uint64_t_uint64_t_uint64_t_uint64_t){ 589*0ae430aaSDon Lewis- .fst = FStar_UInt128_u64_mod_32(x), 590*0ae430aaSDon Lewis- .snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)), 591*0ae430aaSDon Lewis- .thd = x >> FStar_UInt128_u32_32, 592*0ae430aaSDon Lewis- .f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32) }); 593*0ae430aaSDon Lewis+ 594*0ae430aaSDon Lewis+ K___uint64_t_uint64_t_uint64_t_uint64_t ret; 595*0ae430aaSDon Lewis+ ret.fst = FStar_UInt128_u64_mod_32(x); 596*0ae430aaSDon Lewis+ ret.snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)); 597*0ae430aaSDon Lewis+ ret.thd = x >> FStar_UInt128_u32_32; 598*0ae430aaSDon Lewis+ ret.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32); 599*0ae430aaSDon Lewis+ return (ret); 600*0ae430aaSDon Lewis } 601*0ae430aaSDon Lewis 602*0ae430aaSDon Lewis static uint64_t 603*0ae430aaSDon Lewis@@ -240,12 +264,12 @@ 604*0ae430aaSDon Lewis uint64_t w3 = scrut.snd; 605*0ae430aaSDon Lewis uint64_t 
x_ = scrut.thd;
606*0ae430aaSDon Lewis uint64_t t_ = scrut.f3;
607*0ae430aaSDon Lewis- return (
608*0ae430aaSDon Lewis- (FStar_UInt128_uint128){
609*0ae430aaSDon Lewis- .low = FStar_UInt128_u32_combine_(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_),
610*0ae430aaSDon Lewis- w3),
611*0ae430aaSDon Lewis- .high = x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) +
612*0ae430aaSDon Lewis- ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32) });
613*0ae430aaSDon Lewis+ FStar_UInt128_uint128 ret;
614*0ae430aaSDon Lewis+ ret.low = FStar_UInt128_u32_combine_(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_),
615*0ae430aaSDon Lewis+ w3);
616*0ae430aaSDon Lewis+ ret.high = x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) +
617*0ae430aaSDon Lewis+ ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32);
618*0ae430aaSDon Lewis+ return (ret);
619*0ae430aaSDon Lewis }
620*0ae430aaSDon Lewis
621*0ae430aaSDon Lewis FStar_UInt128_uint128
622*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/FStar.h misc/build/nss-3.39/nss/lib/freebl/verified/FStar.h
623*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/FStar.h 2018-08-31 05:55:53.000000000 -0700
624*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/FStar.h 2018-10-21 23:03:05.151005000 -0700
625*0ae430aaSDon Lewis@@ -17,6 +17,7 @@
626*0ae430aaSDon Lewis #ifndef __FStar_H
627*0ae430aaSDon Lewis #define __FStar_H
628*0ae430aaSDon Lewis
629*0ae430aaSDon Lewis+#include "secport.h"
630*0ae430aaSDon Lewis #include "kremlib_base.h"
631*0ae430aaSDon Lewis
632*0ae430aaSDon Lewis typedef struct
633*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c
634*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c 2018-08-31 05:55:53.000000000 -0700
635*0ae430aaSDon
Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.c 2018-10-21 21:47:24.553180000 -0700
636*0ae430aaSDon Lewis@@ -18,7 +18,8 @@
637*0ae430aaSDon Lewis static void
638*0ae430aaSDon Lewis Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len)
639*0ae430aaSDon Lewis {
640*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
641*0ae430aaSDon Lewis+ uint32_t i;
642*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
643*0ae430aaSDon Lewis uint8_t *x0 = input + (uint32_t)4U * i;
644*0ae430aaSDon Lewis uint32_t inputi = load32_le(x0);
645*0ae430aaSDon Lewis output[i] = inputi;
646*0ae430aaSDon Lewis@@ -28,7 +29,8 @@
647*0ae430aaSDon Lewis static void
648*0ae430aaSDon Lewis Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len)
649*0ae430aaSDon Lewis {
650*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
651*0ae430aaSDon Lewis+ uint32_t i;
652*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
653*0ae430aaSDon Lewis uint32_t hd1 = input[i];
654*0ae430aaSDon Lewis uint8_t *x0 = output + (uint32_t)4U * i;
655*0ae430aaSDon Lewis store32_le(x0, hd1);
656*0ae430aaSDon Lewis@@ -46,31 +48,49 @@
657*0ae430aaSDon Lewis {
658*0ae430aaSDon Lewis uint32_t sa = st[a];
659*0ae430aaSDon Lewis uint32_t sb0 = st[b];
660*0ae430aaSDon Lewis+ uint32_t sd;
661*0ae430aaSDon Lewis+ uint32_t sa10;
662*0ae430aaSDon Lewis+ uint32_t sda;
663*0ae430aaSDon Lewis+ uint32_t sa0;
664*0ae430aaSDon Lewis+ uint32_t sb1;
665*0ae430aaSDon Lewis+ uint32_t sd0;
666*0ae430aaSDon Lewis+ uint32_t sa11;
667*0ae430aaSDon Lewis+ uint32_t sda0;
668*0ae430aaSDon Lewis+ uint32_t sa2;
669*0ae430aaSDon Lewis+ uint32_t sb2;
670*0ae430aaSDon Lewis+ uint32_t sd1;
671*0ae430aaSDon Lewis+ uint32_t sa12;
672*0ae430aaSDon Lewis+ uint32_t sda1;
673*0ae430aaSDon Lewis+ uint32_t sa3;
674*0ae430aaSDon Lewis+ uint32_t sb;
675*0ae430aaSDon Lewis+ uint32_t sd2;
676*0ae430aaSDon Lewis+ uint32_t sa1;
677*0ae430aaSDon Lewis+ uint32_t sda2;
678*0ae430aaSDon Lewis st[a] = sa + sb0;
679*0ae430aaSDon Lewis- uint32_t sd = st[d];
680*0ae430aaSDon Lewis- uint32_t sa10 = st[a];
681*0ae430aaSDon Lewis- uint32_t sda = sd ^ sa10;
682*0ae430aaSDon Lewis+ sd = st[d];
683*0ae430aaSDon Lewis+ sa10 = st[a];
684*0ae430aaSDon Lewis+ sda = sd ^ sa10;
685*0ae430aaSDon Lewis st[d] = Hacl_Impl_Chacha20_rotate_left(sda, (uint32_t)16U);
686*0ae430aaSDon Lewis- uint32_t sa0 = st[c];
687*0ae430aaSDon Lewis- uint32_t sb1 = st[d];
688*0ae430aaSDon Lewis+ sa0 = st[c];
689*0ae430aaSDon Lewis+ sb1 = st[d];
690*0ae430aaSDon Lewis st[c] = sa0 + sb1;
691*0ae430aaSDon Lewis- uint32_t sd0 = st[b];
692*0ae430aaSDon Lewis- uint32_t sa11 = st[c];
693*0ae430aaSDon Lewis- uint32_t sda0 = sd0 ^ sa11;
694*0ae430aaSDon Lewis+ sd0 = st[b];
695*0ae430aaSDon Lewis+ sa11 = st[c];
696*0ae430aaSDon Lewis+ sda0 = sd0 ^ sa11;
697*0ae430aaSDon Lewis st[b] = Hacl_Impl_Chacha20_rotate_left(sda0, (uint32_t)12U);
698*0ae430aaSDon Lewis- uint32_t sa2 = st[a];
699*0ae430aaSDon Lewis- uint32_t sb2 = st[b];
700*0ae430aaSDon Lewis+ sa2 = st[a];
701*0ae430aaSDon Lewis+ sb2 = st[b];
702*0ae430aaSDon Lewis st[a] = sa2 + sb2;
703*0ae430aaSDon Lewis- uint32_t sd1 = st[d];
704*0ae430aaSDon Lewis- uint32_t sa12 = st[a];
705*0ae430aaSDon Lewis- uint32_t sda1 = sd1 ^ sa12;
706*0ae430aaSDon Lewis+ sd1 = st[d];
707*0ae430aaSDon Lewis+ sa12 = st[a];
708*0ae430aaSDon Lewis+ sda1 = sd1 ^ sa12;
709*0ae430aaSDon Lewis st[d] = Hacl_Impl_Chacha20_rotate_left(sda1, (uint32_t)8U);
710*0ae430aaSDon Lewis- uint32_t sa3 = st[c];
711*0ae430aaSDon Lewis- uint32_t sb = st[d];
712*0ae430aaSDon Lewis+ sa3 = st[c];
713*0ae430aaSDon Lewis+ sb = st[d];
714*0ae430aaSDon Lewis st[c] = sa3 + sb;
715*0ae430aaSDon Lewis- uint32_t sd2 = st[b];
716*0ae430aaSDon Lewis- uint32_t sa1 = st[c];
717*0ae430aaSDon Lewis- uint32_t sda2 = sd2 ^ sa1;
718*0ae430aaSDon Lewis+ sd2 = st[b];
719*0ae430aaSDon Lewis+ sa1 = st[c];
720*0ae430aaSDon Lewis+ sda2 = sd2 ^ sa1;
721*0ae430aaSDon Lewis st[b] = Hacl_Impl_Chacha20_rotate_left(sda2, (uint32_t)7U);
722*0ae430aaSDon Lewis }
723*0ae430aaSDon Lewis
724*0ae430aaSDon Lewis@@ -90,14 +110,16 @@
725*0ae430aaSDon Lewis inline static void
726*0ae430aaSDon Lewis Hacl_Impl_Chacha20_rounds(uint32_t *st)
727*0ae430aaSDon Lewis {
728*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
729*0ae430aaSDon Lewis+ uint32_t i;
730*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
731*0ae430aaSDon Lewis Hacl_Impl_Chacha20_double_round(st);
732*0ae430aaSDon Lewis }
733*0ae430aaSDon Lewis
734*0ae430aaSDon Lewis inline static void
735*0ae430aaSDon Lewis Hacl_Impl_Chacha20_sum_states(uint32_t *st, uint32_t *st_)
736*0ae430aaSDon Lewis {
737*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
738*0ae430aaSDon Lewis+ uint32_t i;
739*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
740*0ae430aaSDon Lewis uint32_t xi = st[i];
741*0ae430aaSDon Lewis uint32_t yi = st_[i];
742*0ae430aaSDon Lewis st[i] = xi + yi;
743*0ae430aaSDon Lewis@@ -150,9 +172,10 @@
744*0ae430aaSDon Lewis uint32_t *k = b;
745*0ae430aaSDon Lewis uint32_t *ib = b + (uint32_t)16U;
746*0ae430aaSDon Lewis uint32_t *ob = b + (uint32_t)32U;
747*0ae430aaSDon Lewis+ uint32_t i;
748*0ae430aaSDon Lewis Hacl_Impl_Chacha20_chacha20_core(k, st, ctr);
749*0ae430aaSDon Lewis Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U);
750*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
751*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
752*0ae430aaSDon Lewis uint32_t xi = ib[i];
753*0ae430aaSDon Lewis uint32_t yi = k[i];
754*0ae430aaSDon Lewis ob[i] = xi ^ yi;
755*0ae430aaSDon Lewis@@ -169,9 +192,11 @@
756*0ae430aaSDon Lewis
uint32_t ctr)
757*0ae430aaSDon Lewis {
758*0ae430aaSDon Lewis uint8_t block[64U] = { 0U };
759*0ae430aaSDon Lewis+ uint8_t *mask;
760*0ae430aaSDon Lewis+ uint32_t i;
761*0ae430aaSDon Lewis Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
762*0ae430aaSDon Lewis- uint8_t *mask = block;
763*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
764*0ae430aaSDon Lewis+ mask = block;
765*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
766*0ae430aaSDon Lewis uint8_t xi = plain[i];
767*0ae430aaSDon Lewis uint8_t yi = mask[i];
768*0ae430aaSDon Lewis output[i] = xi ^ yi;
769*0ae430aaSDon Lewis@@ -186,7 +211,8 @@
770*0ae430aaSDon Lewis uint32_t *st,
771*0ae430aaSDon Lewis uint32_t ctr)
772*0ae430aaSDon Lewis {
773*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < num_blocks; i = i + (uint32_t)1U) {
774*0ae430aaSDon Lewis+ uint32_t i;
775*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < num_blocks; i = i + (uint32_t)1U) {
776*0ae430aaSDon Lewis uint8_t *b = plain + (uint32_t)64U * i;
777*0ae430aaSDon Lewis uint8_t *o = output + (uint32_t)64U * i;
778*0ae430aaSDon Lewis Hacl_Impl_Chacha20_update(o, b, st, ctr + i);
779*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h
780*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h 2018-08-31 05:55:53.000000000 -0700
781*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20.h 2018-10-21 21:12:36.078858000 -0700
782*0ae430aaSDon Lewis@@ -13,6 +13,7 @@
783*0ae430aaSDon Lewis * limitations under the License.
784*0ae430aaSDon Lewis */
785*0ae430aaSDon Lewis
786*0ae430aaSDon Lewis+#include "secport.h"
787*0ae430aaSDon Lewis #include "kremlib.h"
788*0ae430aaSDon Lewis #ifndef __Hacl_Chacha20_H
789*0ae430aaSDon Lewis #define __Hacl_Chacha20_H
790*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
791*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c 2018-08-31 05:55:53.000000000 -0700
792*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c 2018-10-21 22:13:55.130785000 -0700
793*0ae430aaSDon Lewis@@ -25,14 +25,18 @@
794*0ae430aaSDon Lewis inline static void
795*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(uint8_t *stream_block, vec *k)
796*0ae430aaSDon Lewis {
797*0ae430aaSDon Lewis+ uint8_t *a;
798*0ae430aaSDon Lewis+ uint8_t *b;
799*0ae430aaSDon Lewis+ uint8_t *c;
800*0ae430aaSDon Lewis+ uint8_t *d;
801*0ae430aaSDon Lewis vec k0 = k[0U];
802*0ae430aaSDon Lewis vec k1 = k[1U];
803*0ae430aaSDon Lewis vec k2 = k[2U];
804*0ae430aaSDon Lewis vec k3 = k[3U];
805*0ae430aaSDon Lewis- uint8_t *a = stream_block;
806*0ae430aaSDon Lewis- uint8_t *b = stream_block + (uint32_t)16U;
807*0ae430aaSDon Lewis- uint8_t *c = stream_block + (uint32_t)32U;
808*0ae430aaSDon Lewis- uint8_t *d = stream_block + (uint32_t)48U;
809*0ae430aaSDon Lewis+ a = stream_block;
810*0ae430aaSDon Lewis+ b = stream_block + (uint32_t)16U;
811*0ae430aaSDon Lewis+ c = stream_block + (uint32_t)32U;
812*0ae430aaSDon Lewis+ d = stream_block + (uint32_t)48U;
813*0ae430aaSDon Lewis vec_store_le(a, k0);
814*0ae430aaSDon Lewis vec_store_le(b, k1);
815*0ae430aaSDon Lewis vec_store_le(c, k2);
816*0ae430aaSDon Lewis@@ -42,21 +46,29 @@
817*0ae430aaSDon Lewis inline static void
818*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_State_state_setup(vec *st, uint8_t *k, uint8_t *n1, uint32_t c)
819*0ae430aaSDon Lewis {
820*0ae430aaSDon
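Review bot: The added `#include "secport.h"` in Hacl_Chacha20.h is placed before the `#ifndef __Hacl_Chacha20_H` guard, so it is processed on every inclusion of this header; that is harmless only if secport.h guards itself, which is likely for an NSS header but not visible in this diff. These verified headers previously depended on nothing but kremlib, so a one-line comment next to the include naming what the code needs from secport.h (presumably a portable definition the kremlib headers do not supply for this compiler) would make the new coupling to the NSS tree intentional rather than accidental, e.g. `/* NSS portability shims needed by the C89 build; see patch notes */`. The same include is added to FStar.h and Hacl_Chacha20_Vec128.h, where the same comment applies.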
Lewis+ vec k0;
821*0ae430aaSDon Lewis+ vec k1;
822*0ae430aaSDon Lewis+ uint32_t n0;
823*0ae430aaSDon Lewis+ uint8_t *x00;
824*0ae430aaSDon Lewis+ uint32_t n10;
825*0ae430aaSDon Lewis+ uint8_t *x0;
826*0ae430aaSDon Lewis+ uint32_t n2;
827*0ae430aaSDon Lewis+ vec v1;
828*0ae430aaSDon Lewis st[0U] =
829*0ae430aaSDon Lewis vec_load_32x4((uint32_t)0x61707865U,
830*0ae430aaSDon Lewis (uint32_t)0x3320646eU,
831*0ae430aaSDon Lewis (uint32_t)0x79622d32U,
832*0ae430aaSDon Lewis (uint32_t)0x6b206574U);
833*0ae430aaSDon Lewis- vec k0 = vec_load128_le(k);
834*0ae430aaSDon Lewis- vec k1 = vec_load128_le(k + (uint32_t)16U);
835*0ae430aaSDon Lewis+ k0 = vec_load128_le(k);
836*0ae430aaSDon Lewis+ k1 = vec_load128_le(k + (uint32_t)16U);
837*0ae430aaSDon Lewis st[1U] = k0;
838*0ae430aaSDon Lewis st[2U] = k1;
839*0ae430aaSDon Lewis- uint32_t n0 = load32_le(n1);
840*0ae430aaSDon Lewis- uint8_t *x00 = n1 + (uint32_t)4U;
841*0ae430aaSDon Lewis- uint32_t n10 = load32_le(x00);
842*0ae430aaSDon Lewis- uint8_t *x0 = n1 + (uint32_t)8U;
843*0ae430aaSDon Lewis- uint32_t n2 = load32_le(x0);
844*0ae430aaSDon Lewis- vec v1 = vec_load_32x4(c, n0, n10, n2);
845*0ae430aaSDon Lewis+ n0 = load32_le(n1);
846*0ae430aaSDon Lewis+ x00 = n1 + (uint32_t)4U;
847*0ae430aaSDon Lewis+ n10 = load32_le(x00);
848*0ae430aaSDon Lewis+ x0 = n1 + (uint32_t)8U;
849*0ae430aaSDon Lewis+ n2 = load32_le(x0);
850*0ae430aaSDon Lewis+ v1 = vec_load_32x4(c, n0, n10, n2);
851*0ae430aaSDon Lewis st[3U] = v1;
852*0ae430aaSDon Lewis }
853*0ae430aaSDon Lewis
854*0ae430aaSDon Lewis@@ -68,27 +80,42 @@
855*0ae430aaSDon Lewis vec sd0 = st[3U];
856*0ae430aaSDon Lewis vec sa10 = vec_add(sa, sb0);
857*0ae430aaSDon Lewis vec sd10 = vec_rotate_left(vec_xor(sd0, sa10), (uint32_t)16U);
858*0ae430aaSDon Lewis+ vec sa0;
859*0ae430aaSDon Lewis+ vec sb1;
860*0ae430aaSDon Lewis+ vec sd2;
861*0ae430aaSDon Lewis+ vec sa11;
862*0ae430aaSDon Lewis+ vec sd11;
863*0ae430aaSDon Lewis+ vec sa2;
864*0ae430aaSDon Lewis+ vec sb2;
865*0ae430aaSDon Lewis+ vec
sd3;
866*0ae430aaSDon Lewis+ vec sa12;
867*0ae430aaSDon Lewis+ vec sd12;
868*0ae430aaSDon Lewis+ vec sa3;
869*0ae430aaSDon Lewis+ vec sb;
870*0ae430aaSDon Lewis+ vec sd;
871*0ae430aaSDon Lewis+ vec sa1;
872*0ae430aaSDon Lewis+ vec sd1;
873*0ae430aaSDon Lewis st[0U] = sa10;
874*0ae430aaSDon Lewis st[3U] = sd10;
875*0ae430aaSDon Lewis- vec sa0 = st[2U];
876*0ae430aaSDon Lewis- vec sb1 = st[3U];
877*0ae430aaSDon Lewis- vec sd2 = st[1U];
878*0ae430aaSDon Lewis- vec sa11 = vec_add(sa0, sb1);
879*0ae430aaSDon Lewis- vec sd11 = vec_rotate_left(vec_xor(sd2, sa11), (uint32_t)12U);
880*0ae430aaSDon Lewis+ sa0 = st[2U];
881*0ae430aaSDon Lewis+ sb1 = st[3U];
882*0ae430aaSDon Lewis+ sd2 = st[1U];
883*0ae430aaSDon Lewis+ sa11 = vec_add(sa0, sb1);
884*0ae430aaSDon Lewis+ sd11 = vec_rotate_left(vec_xor(sd2, sa11), (uint32_t)12U);
885*0ae430aaSDon Lewis st[2U] = sa11;
886*0ae430aaSDon Lewis st[1U] = sd11;
887*0ae430aaSDon Lewis- vec sa2 = st[0U];
888*0ae430aaSDon Lewis- vec sb2 = st[1U];
889*0ae430aaSDon Lewis- vec sd3 = st[3U];
890*0ae430aaSDon Lewis- vec sa12 = vec_add(sa2, sb2);
891*0ae430aaSDon Lewis- vec sd12 = vec_rotate_left(vec_xor(sd3, sa12), (uint32_t)8U);
892*0ae430aaSDon Lewis+ sa2 = st[0U];
893*0ae430aaSDon Lewis+ sb2 = st[1U];
894*0ae430aaSDon Lewis+ sd3 = st[3U];
895*0ae430aaSDon Lewis+ sa12 = vec_add(sa2, sb2);
896*0ae430aaSDon Lewis+ sd12 = vec_rotate_left(vec_xor(sd3, sa12), (uint32_t)8U);
897*0ae430aaSDon Lewis st[0U] = sa12;
898*0ae430aaSDon Lewis st[3U] = sd12;
899*0ae430aaSDon Lewis- vec sa3 = st[2U];
900*0ae430aaSDon Lewis- vec sb = st[3U];
901*0ae430aaSDon Lewis- vec sd = st[1U];
902*0ae430aaSDon Lewis- vec sa1 = vec_add(sa3, sb);
903*0ae430aaSDon Lewis- vec sd1 = vec_rotate_left(vec_xor(sd, sa1), (uint32_t)7U);
904*0ae430aaSDon Lewis+ sa3 = st[2U];
905*0ae430aaSDon Lewis+ sb = st[3U];
906*0ae430aaSDon Lewis+ sd = st[1U];
907*0ae430aaSDon Lewis+ sa1 = vec_add(sa3, sb);
908*0ae430aaSDon Lewis+ sd1 = vec_rotate_left(vec_xor(sd, sa1), (uint32_t)7U);
909*0ae430aaSDon Lewis st[2U] = sa1;
910*0ae430aaSDon Lewis st[1U] = sd1;
911*0ae430aaSDon Lewis }
912*0ae430aaSDon Lewis@@ -96,17 +123,23 @@
913*0ae430aaSDon Lewis inline static void
914*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_double_round(vec *st)
915*0ae430aaSDon Lewis {
916*0ae430aaSDon Lewis+ vec r1;
917*0ae430aaSDon Lewis+ vec r20;
918*0ae430aaSDon Lewis+ vec r30;
919*0ae430aaSDon Lewis+ vec r10;
920*0ae430aaSDon Lewis+ vec r2;
921*0ae430aaSDon Lewis+ vec r3;
922*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_round(st);
923*0ae430aaSDon Lewis- vec r1 = st[1U];
924*0ae430aaSDon Lewis- vec r20 = st[2U];
925*0ae430aaSDon Lewis- vec r30 = st[3U];
926*0ae430aaSDon Lewis+ r1 = st[1U];
927*0ae430aaSDon Lewis+ r20 = st[2U];
928*0ae430aaSDon Lewis+ r30 = st[3U];
929*0ae430aaSDon Lewis st[1U] = vec_shuffle_right(r1, (uint32_t)1U);
930*0ae430aaSDon Lewis st[2U] = vec_shuffle_right(r20, (uint32_t)2U);
931*0ae430aaSDon Lewis st[3U] = vec_shuffle_right(r30, (uint32_t)3U);
932*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_round(st);
933*0ae430aaSDon Lewis- vec r10 = st[1U];
934*0ae430aaSDon Lewis- vec r2 = st[2U];
935*0ae430aaSDon Lewis- vec r3 = st[3U];
936*0ae430aaSDon Lewis+ r10 = st[1U];
937*0ae430aaSDon Lewis+ r2 = st[2U];
938*0ae430aaSDon Lewis+ r3 = st[3U];
939*0ae430aaSDon Lewis st[1U] = vec_shuffle_right(r10, (uint32_t)3U);
940*0ae430aaSDon Lewis st[2U] = vec_shuffle_right(r2, (uint32_t)2U);
941*0ae430aaSDon Lewis st[3U] = vec_shuffle_right(r3, (uint32_t)1U);
942*0ae430aaSDon Lewis@@ -153,8 +186,9 @@
943*0ae430aaSDon Lewis inline static void
944*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_core(vec *k, vec *st)
945*0ae430aaSDon Lewis {
946*0ae430aaSDon Lewis+ uint32_t i;
947*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_copy_state(k, st);
948*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
949*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
950*0ae430aaSDon Lewis
Hacl_Impl_Chacha20_Vec128_double_round(k);
951*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_sum_states(k, st);
952*0ae430aaSDon Lewis }
953*0ae430aaSDon Lewis@@ -188,8 +222,9 @@
954*0ae430aaSDon Lewis inline static void
955*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_core3(vec *k0, vec *k1, vec *k2, vec *st)
956*0ae430aaSDon Lewis {
957*0ae430aaSDon Lewis+ uint32_t i;
958*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_incr3(k0, k1, k2, st);
959*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
960*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
961*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_double_round3(k0, k1, k2);
962*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_sum3(k0, k1, k2, st);
963*0ae430aaSDon Lewis }
964*0ae430aaSDon Lewis@@ -197,9 +232,10 @@
965*0ae430aaSDon Lewis inline static void
966*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_block(uint8_t *stream_block, vec *st)
967*0ae430aaSDon Lewis {
968*0ae430aaSDon Lewis- KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
969*0ae430aaSDon Lewis vec k[4U];
970*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
971*0ae430aaSDon Lewis+ uint32_t _i;
972*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
973*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)4U; ++_i)
974*0ae430aaSDon Lewis k[_i] = vec_zero();
975*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
976*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(stream_block, k);
977*0ae430aaSDon Lewis@@ -215,9 +251,11 @@
978*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_update_last(uint8_t *output, uint8_t *plain, uint32_t len, vec *st)
979*0ae430aaSDon Lewis {
980*0ae430aaSDon Lewis uint8_t block[64U] = { 0U };
981*0ae430aaSDon Lewis+ uint8_t *mask;
982*0ae430aaSDon Lewis+ uint32_t i;
983*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_block(block, st);
984*0ae430aaSDon Lewis- uint8_t
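Review bot: In `Hacl_Impl_Chacha20_Vec128_chacha20_block` the `KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);` call now runs after `vec k[4U]` has already been declared, so it no longer precedes the object it was emitted for; since the array is a fixed-size automatic, whatever the macro checks (presumably that count times element size does not overflow) is constant either way, so this is a readability issue rather than a bug, but the reordering makes the check look like it guards something that follows. A comment on the moved line, `/* size check kept for fidelity with the generated source; k is a fixed 4-element array */`, would prevent a reader from assuming it protects the later calls. The same move occurs in `Hacl_Impl_Chacha20_Vec128_update`, `update3`, the `@@ -368` hunk, `Hacl_Bignum_Fmul_fmul`, `Hacl_Bignum_Fsquare_fsquare_times` and `fsquare_times_inplace`; in `update3` the two context-line checks for `k1` and `k2` now sit directly after the moved one, giving three identical calls in a row that could collapse to one.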
*mask = block;
985*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
986*0ae430aaSDon Lewis+ mask = block;
987*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
988*0ae430aaSDon Lewis uint8_t xi = plain[i];
989*0ae430aaSDon Lewis uint8_t yi = mask[i];
990*0ae430aaSDon Lewis output[i] = xi ^ yi;
991*0ae430aaSDon Lewis@@ -252,9 +290,10 @@
992*0ae430aaSDon Lewis static void
993*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_update(uint8_t *output, uint8_t *plain, vec *st)
994*0ae430aaSDon Lewis {
995*0ae430aaSDon Lewis- KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
996*0ae430aaSDon Lewis vec k[4U];
997*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
998*0ae430aaSDon Lewis+ uint32_t _i;
999*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1000*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)4U; ++_i)
1001*0ae430aaSDon Lewis k[_i] = vec_zero();
1002*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
1003*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_xor_block(output, plain, k);
1004*0ae430aaSDon Lewis@@ -263,25 +302,32 @@
1005*0ae430aaSDon Lewis static void
1006*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_update3(uint8_t *output, uint8_t *plain, vec *st)
1007*0ae430aaSDon Lewis {
1008*0ae430aaSDon Lewis- KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1009*0ae430aaSDon Lewis vec k0[4U];
1010*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1011*0ae430aaSDon Lewis+ uint32_t _i;
1012*0ae430aaSDon Lewis+ vec k1[4U];
1013*0ae430aaSDon Lewis+ vec k2[4U];
1014*0ae430aaSDon Lewis+ uint8_t *p0;
1015*0ae430aaSDon Lewis+ uint8_t *p1;
1016*0ae430aaSDon Lewis+ uint8_t *p2;
1017*0ae430aaSDon Lewis+ uint8_t *o0;
1018*0ae430aaSDon Lewis+ uint8_t *o1;
1019*0ae430aaSDon Lewis+ uint8_t *o2;
1020*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1021*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)4U; ++_i)
1022*0ae430aaSDon Lewis k0[_i] = vec_zero();
1023*0ae430aaSDon Lewis KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1024*0ae430aaSDon Lewis- vec k1[4U];
1025*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1026*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)4U; ++_i)
1027*0ae430aaSDon Lewis k1[_i] = vec_zero();
1028*0ae430aaSDon Lewis KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1029*0ae430aaSDon Lewis- vec k2[4U];
1030*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1031*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)4U; ++_i)
1032*0ae430aaSDon Lewis k2[_i] = vec_zero();
1033*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_core3(k0, k1, k2, st);
1034*0ae430aaSDon Lewis- uint8_t *p0 = plain;
1035*0ae430aaSDon Lewis- uint8_t *p1 = plain + (uint32_t)64U;
1036*0ae430aaSDon Lewis- uint8_t *p2 = plain + (uint32_t)128U;
1037*0ae430aaSDon Lewis- uint8_t *o0 = output;
1038*0ae430aaSDon Lewis- uint8_t *o1 = output + (uint32_t)64U;
1039*0ae430aaSDon Lewis- uint8_t *o2 = output + (uint32_t)128U;
1040*0ae430aaSDon Lewis+ p0 = plain;
1041*0ae430aaSDon Lewis+ p1 = plain + (uint32_t)64U;
1042*0ae430aaSDon Lewis+ p2 = plain + (uint32_t)128U;
1043*0ae430aaSDon Lewis+ o0 = output;
1044*0ae430aaSDon Lewis+ o1 = output + (uint32_t)64U;
1045*0ae430aaSDon Lewis+ o2 = output + (uint32_t)128U;
1046*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_xor_block(o0, p0, k0);
1047*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_xor_block(o1, p1, k1);
1048*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_xor_block(o2, p2, k2);
1049*0ae430aaSDon Lewis@@ -308,7 +354,8 @@
1050*0ae430aaSDon Lewis uint32_t len,
1051*0ae430aaSDon Lewis vec *st)
1052*0ae430aaSDon Lewis {
1053*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
1054*0ae430aaSDon Lewis+ uint32_t i;
1055*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
1056*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_update3_(output, plain, len, st, i);
1057*0ae430aaSDon Lewis }
1058*0ae430aaSDon Lewis
1059*0ae430aaSDon Lewis@@ -368,11 +415,13 @@
1060*0ae430aaSDon Lewis uint8_t *n1,
1061*0ae430aaSDon Lewis uint32_t ctr)
1062*0ae430aaSDon Lewis {
1063*0ae430aaSDon Lewis- KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1064*0ae430aaSDon Lewis vec buf[4U];
1065*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
1066*0ae430aaSDon Lewis+ uint32_t _i;
1067*0ae430aaSDon Lewis+ vec *st;
1068*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
1069*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)4U; ++_i)
1070*0ae430aaSDon Lewis buf[_i] = vec_zero();
1071*0ae430aaSDon Lewis- vec *st = buf;
1072*0ae430aaSDon Lewis+ st = buf;
1073*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_init(st, k, n1, ctr);
1074*0ae430aaSDon Lewis Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode(output, plain, len, st);
1075*0ae430aaSDon Lewis }
1076*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
1077*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h 2018-08-31 05:55:53.000000000 -0700
1078*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h 2018-10-21 21:52:15.090683000 -0700
1079*0ae430aaSDon Lewis@@ -13,6 +13,7 @@
1080*0ae430aaSDon Lewis * limitations under the License.
1081*0ae430aaSDon Lewis */
1082*0ae430aaSDon Lewis
1083*0ae430aaSDon Lewis+#include "secport.h"
1084*0ae430aaSDon Lewis #include "kremlib.h"
1085*0ae430aaSDon Lewis #ifndef __Hacl_Chacha20_Vec128_H
1086*0ae430aaSDon Lewis #define __Hacl_Chacha20_Vec128_H
1087*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c
1088*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c 2018-08-31 05:55:53.000000000 -0700
1089*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.c 2018-10-21 22:57:57.044565000 -0700
1090*0ae430aaSDon Lewis@@ -129,6 +129,7 @@
1091*0ae430aaSDon Lewis Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
1092*0ae430aaSDon Lewis {
1093*0ae430aaSDon Lewis uint64_t tmp = output[4U];
1094*0ae430aaSDon Lewis+ uint64_t b0;
1095*0ae430aaSDon Lewis {
1096*0ae430aaSDon Lewis uint32_t ctr = (uint32_t)5U - (uint32_t)0U - (uint32_t)1U;
1097*0ae430aaSDon Lewis uint64_t z = output[ctr - (uint32_t)1U];
1098*0ae430aaSDon Lewis@@ -150,13 +151,15 @@
1099*0ae430aaSDon Lewis output[ctr] = z;
1100*0ae430aaSDon Lewis }
1101*0ae430aaSDon Lewis output[0U] = tmp;
1102*0ae430aaSDon Lewis- uint64_t b0 = output[0U];
1103*0ae430aaSDon Lewis+ b0 = output[0U];
1104*0ae430aaSDon Lewis output[0U] = (uint64_t)19U * b0;
1105*0ae430aaSDon Lewis }
1106*0ae430aaSDon Lewis
1107*0ae430aaSDon Lewis static void
1108*0ae430aaSDon Lewis Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input21)
1109*0ae430aaSDon Lewis {
1110*0ae430aaSDon Lewis+ uint32_t i;
1111*0ae430aaSDon Lewis+ uint64_t input2i;
1112*0ae430aaSDon Lewis {
1113*0ae430aaSDon Lewis uint64_t input2i = input21[0U];
1114*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1115*0ae430aaSDon Lewis@@ -177,8 +180,8 @@
1116*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
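Review bot: The hoisted `uint64_t input2i;` at the top of `Hacl_Bignum_Fmul_mul_shift_reduce_` is immediately shadowed by the block-scoped `uint64_t input2i = input21[0U];` two lines below, and presumably by each of the unrolled blocks that follow outside this hunk, so `-Wshadow` will fire on every block; the hoisted `uint32_t i` may be shadowed the same way if the inner blocks declare their own counter. The function-scope pair only serves the final step at the end of the `@@ -177` hunk, so the cleaner fix is to wrap that step in its own block like the earlier ones, `{ uint32_t i = (uint32_t)4U; uint64_t input2i = input21[i]; Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); }`, and drop the two hoisted declarations; giving the hoisted pair distinct names would also silence the warning. The remaining unrolled blocks of this function lie between the two hunks and are not visible here.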
1117*0ae430aaSDon Lewis Hacl_Bignum_Fmul_shift_reduce(input);
1118*0ae430aaSDon Lewis }
1119*0ae430aaSDon Lewis- uint32_t i = (uint32_t)4U;
1120*0ae430aaSDon Lewis- uint64_t input2i = input21[i];
1121*0ae430aaSDon Lewis+ i = (uint32_t)4U;
1122*0ae430aaSDon Lewis+ input2i = input21[i];
1123*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1124*0ae430aaSDon Lewis }
1125*0ae430aaSDon Lewis
1126*0ae430aaSDon Lewis@@ -186,29 +189,35 @@
1127*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input21)
1128*0ae430aaSDon Lewis {
1129*0ae430aaSDon Lewis uint64_t tmp[5U] = { 0U };
1130*0ae430aaSDon Lewis+ uint32_t _i;
1131*0ae430aaSDon Lewis+ FStar_UInt128_t b4;
1132*0ae430aaSDon Lewis+ FStar_UInt128_t b0;
1133*0ae430aaSDon Lewis+ FStar_UInt128_t b4_;
1134*0ae430aaSDon Lewis+ FStar_UInt128_t b0_;
1135*0ae430aaSDon Lewis+ FStar_UInt128_t t[5U];
1136*0ae430aaSDon Lewis+ uint64_t i0;
1137*0ae430aaSDon Lewis+ uint64_t i1;
1138*0ae430aaSDon Lewis+ uint64_t i0_;
1139*0ae430aaSDon Lewis+ uint64_t i1_;
1140*0ae430aaSDon Lewis memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
1141*0ae430aaSDon Lewis KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
1142*0ae430aaSDon Lewis- FStar_UInt128_t t[5U];
1143*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
1144*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)5U; ++_i)
1145*0ae430aaSDon Lewis t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
1146*0ae430aaSDon Lewis Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21);
1147*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_carry_wide_(t);
1148*0ae430aaSDon Lewis- FStar_UInt128_t b4 = t[4U];
1149*0ae430aaSDon Lewis- FStar_UInt128_t b0 = t[0U];
1150*0ae430aaSDon Lewis- FStar_UInt128_t
1151*0ae430aaSDon Lewis- b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1152*0ae430aaSDon Lewis- FStar_UInt128_t
1153*0ae430aaSDon Lewis- b0_ =
1154*0ae430aaSDon Lewis- FStar_UInt128_add(b0,
1155*0ae430aaSDon Lewis+ b4 = t[4U];
1156*0ae430aaSDon Lewis+ b0 = t[0U];
1157*0ae430aaSDon Lewis+ b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
1158*0ae430aaSDon Lewis+ b0_ = FStar_UInt128_add(b0,
1159*0ae430aaSDon Lewis FStar_UInt128_mul_wide((uint64_t)19U,
1160*0ae430aaSDon Lewis FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
1161*0ae430aaSDon Lewis t[4U] = b4_;
1162*0ae430aaSDon Lewis t[0U] = b0_;
1163*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
1164*0ae430aaSDon Lewis- uint64_t i0 = output[0U];
1165*0ae430aaSDon Lewis- uint64_t i1 = output[1U];
1166*0ae430aaSDon Lewis- uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1167*0ae430aaSDon Lewis- uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
1168*0ae430aaSDon Lewis+ i0 = output[0U];
1169*0ae430aaSDon Lewis+ i1 = output[1U];
1170*0ae430aaSDon Lewis+ i0_ = i0 & (uint64_t)0x7ffffffffffffU;
1171*0ae430aaSDon Lewis+ i1_ = i1 + (i0 >> (uint32_t)51U);
1172*0ae430aaSDon Lewis output[0U] = i0_;
1173*0ae430aaSDon Lewis output[1U] = i1_;
1174*0ae430aaSDon Lewis }
1175*0ae430aaSDon Lewis@@ -226,28 +235,28 @@
1176*0ae430aaSDon Lewis uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
1177*0ae430aaSDon Lewis uint64_t d419 = r4 * (uint64_t)19U;
1178*0ae430aaSDon Lewis uint64_t d4 = d419 * (uint64_t)2U;
1179*0ae430aaSDon Lewis- FStar_UInt128_t
1180*0ae430aaSDon Lewis- s0 =
1181*0ae430aaSDon Lewis+ FStar_UInt128_t s0;
1182*0ae430aaSDon Lewis+ FStar_UInt128_t s1;
1183*0ae430aaSDon Lewis+ FStar_UInt128_t s2;
1184*0ae430aaSDon Lewis+ FStar_UInt128_t s3;
1185*0ae430aaSDon Lewis+ FStar_UInt128_t s4;
1186*0ae430aaSDon Lewis+ s0 =
1187*0ae430aaSDon Lewis FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0),
1188*0ae430aaSDon Lewis FStar_UInt128_mul_wide(d4, r1)),
1189*0ae430aaSDon Lewis FStar_UInt128_mul_wide(d2, r3));
1190*0ae430aaSDon Lewis- FStar_UInt128_t
1191*0ae430aaSDon
Lewis- s1 =
1192*0ae430aaSDon Lewis+ s1 =
1193*0ae430aaSDon Lewis FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1),
1194*0ae430aaSDon Lewis FStar_UInt128_mul_wide(d4, r2)),
1195*0ae430aaSDon Lewis FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3));
1196*0ae430aaSDon Lewis- FStar_UInt128_t
1197*0ae430aaSDon Lewis- s2 =
1198*0ae430aaSDon Lewis+ s2 =
1199*0ae430aaSDon Lewis FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2),
1200*0ae430aaSDon Lewis FStar_UInt128_mul_wide(r1, r1)),
1201*0ae430aaSDon Lewis FStar_UInt128_mul_wide(d4, r3));
1202*0ae430aaSDon Lewis- FStar_UInt128_t
1203*0ae430aaSDon Lewis- s3 =
1204*0ae430aaSDon Lewis+ s3 =
1205*0ae430aaSDon Lewis FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3),
1206*0ae430aaSDon Lewis FStar_UInt128_mul_wide(d1, r2)),
1207*0ae430aaSDon Lewis FStar_UInt128_mul_wide(r4, d419));
1208*0ae430aaSDon Lewis- FStar_UInt128_t
1209*0ae430aaSDon Lewis- s4 =
1210*0ae430aaSDon Lewis+ s4 =
1211*0ae430aaSDon Lewis FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4),
1212*0ae430aaSDon Lewis FStar_UInt128_mul_wide(d1, r3)),
1213*0ae430aaSDon Lewis FStar_UInt128_mul_wide(r2, r2));
1214*0ae430aaSDon Lewis@@ -261,24 +270,30 @@
1215*0ae430aaSDon Lewis inline static void
1216*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output)
1217*0ae430aaSDon Lewis {
1218*0ae430aaSDon Lewis+ FStar_UInt128_t b4;
1219*0ae430aaSDon Lewis+ FStar_UInt128_t b0;
1220*0ae430aaSDon Lewis+ FStar_UInt128_t b4_;
1221*0ae430aaSDon Lewis+ FStar_UInt128_t b0_;
1222*0ae430aaSDon Lewis+ uint64_t i0;
1223*0ae430aaSDon Lewis+ uint64_t i1;
1224*0ae430aaSDon Lewis+ uint64_t i0_;
1225*0ae430aaSDon Lewis+ uint64_t i1_;
1226*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare__(tmp, output);
1227*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_carry_wide_(tmp);
1228*0ae430aaSDon Lewis- FStar_UInt128_t b4 = tmp[4U];
1229*0ae430aaSDon Lewis- FStar_UInt128_t b0 = tmp[0U];
1230*0ae430aaSDon Lewis-
FStar_UInt128_t 1231*0ae430aaSDon Lewis- b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); 1232*0ae430aaSDon Lewis- FStar_UInt128_t 1233*0ae430aaSDon Lewis- b0_ = 1234*0ae430aaSDon Lewis+ b4 = tmp[4U]; 1235*0ae430aaSDon Lewis+ b0 = tmp[0U]; 1236*0ae430aaSDon Lewis+ b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); 1237*0ae430aaSDon Lewis+ b0_ = 1238*0ae430aaSDon Lewis FStar_UInt128_add(b0, 1239*0ae430aaSDon Lewis FStar_UInt128_mul_wide((uint64_t)19U, 1240*0ae430aaSDon Lewis FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); 1241*0ae430aaSDon Lewis tmp[4U] = b4_; 1242*0ae430aaSDon Lewis tmp[0U] = b0_; 1243*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); 1244*0ae430aaSDon Lewis- uint64_t i0 = output[0U]; 1245*0ae430aaSDon Lewis- uint64_t i1 = output[1U]; 1246*0ae430aaSDon Lewis- uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; 1247*0ae430aaSDon Lewis- uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); 1248*0ae430aaSDon Lewis+ i0 = output[0U]; 1249*0ae430aaSDon Lewis+ i1 = output[1U]; 1250*0ae430aaSDon Lewis+ i0_ = i0 & (uint64_t)0x7ffffffffffffU; 1251*0ae430aaSDon Lewis+ i1_ = i1 + (i0 >> (uint32_t)51U); 1252*0ae430aaSDon Lewis output[0U] = i0_; 1253*0ae430aaSDon Lewis output[1U] = i1_; 1254*0ae430aaSDon Lewis } 1255*0ae430aaSDon Lewis@@ -286,17 +301,19 @@ 1256*0ae430aaSDon Lewis static void 1257*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1) 1258*0ae430aaSDon Lewis { 1259*0ae430aaSDon Lewis+ uint32_t i; 1260*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_(tmp, input); 1261*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U) 1262*0ae430aaSDon Lewis+ for (i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U) 1263*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_(tmp, input); 1264*0ae430aaSDon Lewis } 1265*0ae430aaSDon Lewis 1266*0ae430aaSDon Lewis 
inline static void 1267*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1) 1268*0ae430aaSDon Lewis { 1269*0ae430aaSDon Lewis- KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); 1270*0ae430aaSDon Lewis FStar_UInt128_t t[5U]; 1271*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) 1272*0ae430aaSDon Lewis+ uint32_t _i; 1273*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); 1274*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)5U; ++_i) 1275*0ae430aaSDon Lewis t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); 1276*0ae430aaSDon Lewis memcpy(output, input, (uint32_t)5U * sizeof input[0U]); 1277*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); 1278*0ae430aaSDon Lewis@@ -305,9 +322,10 @@ 1279*0ae430aaSDon Lewis inline static void 1280*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1) 1281*0ae430aaSDon Lewis { 1282*0ae430aaSDon Lewis- KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); 1283*0ae430aaSDon Lewis FStar_UInt128_t t[5U]; 1284*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) 1285*0ae430aaSDon Lewis+ uint32_t _i; 1286*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); 1287*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)5U; ++_i) 1288*0ae430aaSDon Lewis t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); 1289*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); 1290*0ae430aaSDon Lewis } 1291*0ae430aaSDon Lewis@@ -319,6 +337,13 @@ 1292*0ae430aaSDon Lewis uint64_t *a = buf; 1293*0ae430aaSDon Lewis uint64_t *t00 = buf + (uint32_t)5U; 1294*0ae430aaSDon Lewis uint64_t *b0 = buf + (uint32_t)10U; 1295*0ae430aaSDon Lewis+ uint64_t *t01; 1296*0ae430aaSDon Lewis+ uint64_t *b1; 1297*0ae430aaSDon Lewis+ uint64_t *c0; 1298*0ae430aaSDon Lewis+ 
uint64_t *a0; 1299*0ae430aaSDon Lewis+ uint64_t *t0; 1300*0ae430aaSDon Lewis+ uint64_t *b; 1301*0ae430aaSDon Lewis+ uint64_t *c; 1302*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U); 1303*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U); 1304*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(b0, t00, z); 1305*0ae430aaSDon Lewis@@ -326,9 +351,9 @@ 1306*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U); 1307*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(b0, t00, b0); 1308*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U); 1309*0ae430aaSDon Lewis- uint64_t *t01 = buf + (uint32_t)5U; 1310*0ae430aaSDon Lewis- uint64_t *b1 = buf + (uint32_t)10U; 1311*0ae430aaSDon Lewis- uint64_t *c0 = buf + (uint32_t)15U; 1312*0ae430aaSDon Lewis+ t01 = buf + (uint32_t)5U; 1313*0ae430aaSDon Lewis+ b1 = buf + (uint32_t)10U; 1314*0ae430aaSDon Lewis+ c0 = buf + (uint32_t)15U; 1315*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(b1, t01, b1); 1316*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U); 1317*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(c0, t01, b1); 1318*0ae430aaSDon Lewis@@ -337,10 +362,10 @@ 1319*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U); 1320*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(b1, t01, b1); 1321*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U); 1322*0ae430aaSDon Lewis- uint64_t *a0 = buf; 1323*0ae430aaSDon Lewis- uint64_t *t0 = buf + (uint32_t)5U; 1324*0ae430aaSDon Lewis- uint64_t *b = buf + (uint32_t)10U; 1325*0ae430aaSDon Lewis- uint64_t *c = buf + (uint32_t)15U; 1326*0ae430aaSDon Lewis+ a0 = buf; 1327*0ae430aaSDon Lewis+ t0 = buf + (uint32_t)5U; 1328*0ae430aaSDon Lewis+ b = buf + (uint32_t)10U; 1329*0ae430aaSDon Lewis+ c = buf + (uint32_t)15U; 1330*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(c, t0, b); 1331*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U); 1332*0ae430aaSDon 
Lewis Hacl_Bignum_Fmul_fmul(t0, t0, c); 1333*0ae430aaSDon Lewis@@ -384,12 +409,17 @@ 1334*0ae430aaSDon Lewis Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b) 1335*0ae430aaSDon Lewis { 1336*0ae430aaSDon Lewis uint64_t tmp[5U] = { 0U }; 1337*0ae430aaSDon Lewis+ uint64_t b0; 1338*0ae430aaSDon Lewis+ uint64_t b1; 1339*0ae430aaSDon Lewis+ uint64_t b2; 1340*0ae430aaSDon Lewis+ uint64_t b3; 1341*0ae430aaSDon Lewis+ uint64_t b4; 1342*0ae430aaSDon Lewis memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]); 1343*0ae430aaSDon Lewis- uint64_t b0 = tmp[0U]; 1344*0ae430aaSDon Lewis- uint64_t b1 = tmp[1U]; 1345*0ae430aaSDon Lewis- uint64_t b2 = tmp[2U]; 1346*0ae430aaSDon Lewis- uint64_t b3 = tmp[3U]; 1347*0ae430aaSDon Lewis- uint64_t b4 = tmp[4U]; 1348*0ae430aaSDon Lewis+ b0 = tmp[0U]; 1349*0ae430aaSDon Lewis+ b1 = tmp[1U]; 1350*0ae430aaSDon Lewis+ b2 = tmp[2U]; 1351*0ae430aaSDon Lewis+ b3 = tmp[3U]; 1352*0ae430aaSDon Lewis+ b4 = tmp[4U]; 1353*0ae430aaSDon Lewis tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U; 1354*0ae430aaSDon Lewis tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U; 1355*0ae430aaSDon Lewis tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U; 1356*0ae430aaSDon Lewis@@ -425,9 +455,14 @@ 1357*0ae430aaSDon Lewis inline static void 1358*0ae430aaSDon Lewis Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s) 1359*0ae430aaSDon Lewis { 1360*0ae430aaSDon Lewis- KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); 1361*0ae430aaSDon Lewis FStar_UInt128_t tmp[5U]; 1362*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) 1363*0ae430aaSDon Lewis+ uint32_t _i; 1364*0ae430aaSDon Lewis+ FStar_UInt128_t b4; 1365*0ae430aaSDon Lewis+ FStar_UInt128_t b0; 1366*0ae430aaSDon Lewis+ FStar_UInt128_t b4_; 1367*0ae430aaSDon Lewis+ FStar_UInt128_t b0_; 1368*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); 1369*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)5U; ++_i) 1370*0ae430aaSDon Lewis tmp[_i] = 
FStar_UInt128_uint64_to_uint128((uint64_t)0U); 1371*0ae430aaSDon Lewis { 1372*0ae430aaSDon Lewis uint64_t xi = b[0U]; 1373*0ae430aaSDon Lewis@@ -450,12 +485,10 @@ 1374*0ae430aaSDon Lewis tmp[4U] = FStar_UInt128_mul_wide(xi, s); 1375*0ae430aaSDon Lewis } 1376*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_carry_wide_(tmp); 1377*0ae430aaSDon Lewis- FStar_UInt128_t b4 = tmp[4U]; 1378*0ae430aaSDon Lewis- FStar_UInt128_t b0 = tmp[0U]; 1379*0ae430aaSDon Lewis- FStar_UInt128_t 1380*0ae430aaSDon Lewis- b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); 1381*0ae430aaSDon Lewis- FStar_UInt128_t 1382*0ae430aaSDon Lewis- b0_ = 1383*0ae430aaSDon Lewis+ b4 = tmp[4U]; 1384*0ae430aaSDon Lewis+ b0 = tmp[0U]; 1385*0ae430aaSDon Lewis+ b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); 1386*0ae430aaSDon Lewis+ b0_ = 1387*0ae430aaSDon Lewis FStar_UInt128_add(b0, 1388*0ae430aaSDon Lewis FStar_UInt128_mul_wide((uint64_t)19U, 1389*0ae430aaSDon Lewis FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); 1390*0ae430aaSDon Lewis@@ -492,9 +525,10 @@ 1391*0ae430aaSDon Lewis static void 1392*0ae430aaSDon Lewis Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr) 1393*0ae430aaSDon Lewis { 1394*0ae430aaSDon Lewis+ uint32_t i; 1395*0ae430aaSDon Lewis if (!(ctr == (uint32_t)0U)) { 1396*0ae430aaSDon Lewis Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr); 1397*0ae430aaSDon Lewis- uint32_t i = ctr - (uint32_t)1U; 1398*0ae430aaSDon Lewis+ i = ctr - (uint32_t)1U; 1399*0ae430aaSDon Lewis Hacl_EC_Point_swap_conditional_(a, b, swap1, i); 1400*0ae430aaSDon Lewis } 1401*0ae430aaSDon Lewis } 1402*0ae430aaSDon Lewis@@ -538,6 +572,16 @@ 1403*0ae430aaSDon Lewis uint64_t *origxprime = buf + (uint32_t)5U; 1404*0ae430aaSDon Lewis uint64_t *xxprime0 = buf + (uint32_t)25U; 1405*0ae430aaSDon Lewis uint64_t *zzprime0 = buf + (uint32_t)30U; 1406*0ae430aaSDon Lewis+ uint64_t 
*origxprime0; 1407*0ae430aaSDon Lewis+ uint64_t *xx0; 1408*0ae430aaSDon Lewis+ uint64_t *zz0; 1409*0ae430aaSDon Lewis+ uint64_t *xxprime; 1410*0ae430aaSDon Lewis+ uint64_t *zzprime; 1411*0ae430aaSDon Lewis+ uint64_t *zzzprime; 1412*0ae430aaSDon Lewis+ uint64_t *zzz; 1413*0ae430aaSDon Lewis+ uint64_t *xx; 1414*0ae430aaSDon Lewis+ uint64_t *zz; 1415*0ae430aaSDon Lewis+ uint64_t scalar = (uint64_t)121665U; 1416*0ae430aaSDon Lewis memcpy(origx, x, (uint32_t)5U * sizeof x[0U]); 1417*0ae430aaSDon Lewis Hacl_Bignum_fsum(x, z); 1418*0ae430aaSDon Lewis Hacl_Bignum_fdifference(z, origx); 1419*0ae430aaSDon Lewis@@ -546,12 +590,12 @@ 1420*0ae430aaSDon Lewis Hacl_Bignum_fdifference(zprime, origxprime); 1421*0ae430aaSDon Lewis Hacl_Bignum_fmul(xxprime0, xprime, z); 1422*0ae430aaSDon Lewis Hacl_Bignum_fmul(zzprime0, x, zprime); 1423*0ae430aaSDon Lewis- uint64_t *origxprime0 = buf + (uint32_t)5U; 1424*0ae430aaSDon Lewis- uint64_t *xx0 = buf + (uint32_t)15U; 1425*0ae430aaSDon Lewis- uint64_t *zz0 = buf + (uint32_t)20U; 1426*0ae430aaSDon Lewis- uint64_t *xxprime = buf + (uint32_t)25U; 1427*0ae430aaSDon Lewis- uint64_t *zzprime = buf + (uint32_t)30U; 1428*0ae430aaSDon Lewis- uint64_t *zzzprime = buf + (uint32_t)35U; 1429*0ae430aaSDon Lewis+ origxprime0 = buf + (uint32_t)5U; 1430*0ae430aaSDon Lewis+ xx0 = buf + (uint32_t)15U; 1431*0ae430aaSDon Lewis+ zz0 = buf + (uint32_t)20U; 1432*0ae430aaSDon Lewis+ xxprime = buf + (uint32_t)25U; 1433*0ae430aaSDon Lewis+ zzprime = buf + (uint32_t)30U; 1434*0ae430aaSDon Lewis+ zzzprime = buf + (uint32_t)35U; 1435*0ae430aaSDon Lewis memcpy(origxprime0, xxprime, (uint32_t)5U * sizeof xxprime[0U]); 1436*0ae430aaSDon Lewis Hacl_Bignum_fsum(xxprime, zzprime); 1437*0ae430aaSDon Lewis Hacl_Bignum_fdifference(zzprime, origxprime0); 1438*0ae430aaSDon Lewis@@ -560,12 +604,11 @@ 1439*0ae430aaSDon Lewis Hacl_Bignum_fmul(z3, zzzprime, qx); 1440*0ae430aaSDon Lewis Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U); 1441*0ae430aaSDon Lewis 
Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U); 1442*0ae430aaSDon Lewis- uint64_t *zzz = buf + (uint32_t)10U; 1443*0ae430aaSDon Lewis- uint64_t *xx = buf + (uint32_t)15U; 1444*0ae430aaSDon Lewis- uint64_t *zz = buf + (uint32_t)20U; 1445*0ae430aaSDon Lewis+ zzz = buf + (uint32_t)10U; 1446*0ae430aaSDon Lewis+ xx = buf + (uint32_t)15U; 1447*0ae430aaSDon Lewis+ zz = buf + (uint32_t)20U; 1448*0ae430aaSDon Lewis Hacl_Bignum_fmul(x2, xx, zz); 1449*0ae430aaSDon Lewis Hacl_Bignum_fdifference(zz, xx); 1450*0ae430aaSDon Lewis- uint64_t scalar = (uint64_t)121665U; 1451*0ae430aaSDon Lewis Hacl_Bignum_fscalar(zzz, zz, scalar); 1452*0ae430aaSDon Lewis Hacl_Bignum_fsum(zzz, xx); 1453*0ae430aaSDon Lewis Hacl_Bignum_fmul(z2, zzz, zz); 1454*0ae430aaSDon Lewis@@ -581,9 +624,10 @@ 1455*0ae430aaSDon Lewis uint8_t byt) 1456*0ae430aaSDon Lewis { 1457*0ae430aaSDon Lewis uint64_t bit = (uint64_t)(byt >> (uint32_t)7U); 1458*0ae430aaSDon Lewis+ uint64_t bit0; 1459*0ae430aaSDon Lewis Hacl_EC_Point_swap_conditional(nq, nqpq, bit); 1460*0ae430aaSDon Lewis Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q); 1461*0ae430aaSDon Lewis- uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U); 1462*0ae430aaSDon Lewis+ bit0 = (uint64_t)(byt >> (uint32_t)7U); 1463*0ae430aaSDon Lewis Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit0); 1464*0ae430aaSDon Lewis } 1465*0ae430aaSDon Lewis 1466*0ae430aaSDon Lewis@@ -596,8 +640,9 @@ 1467*0ae430aaSDon Lewis uint64_t *q, 1468*0ae430aaSDon Lewis uint8_t byt) 1469*0ae430aaSDon Lewis { 1470*0ae430aaSDon Lewis+ uint8_t byt1; 1471*0ae430aaSDon Lewis Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt); 1472*0ae430aaSDon Lewis- uint8_t byt1 = byt << (uint32_t)1U; 1473*0ae430aaSDon Lewis+ byt1 = byt << (uint32_t)1U; 1474*0ae430aaSDon Lewis Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1); 1475*0ae430aaSDon Lewis } 1476*0ae430aaSDon Lewis 1477*0ae430aaSDon Lewis@@ -613,8 +658,9 @@ 1478*0ae430aaSDon Lewis { 
1479*0ae430aaSDon Lewis if (!(i == (uint32_t)0U)) { 1480*0ae430aaSDon Lewis uint32_t i_ = i - (uint32_t)1U; 1481*0ae430aaSDon Lewis+ uint8_t byt_; 1482*0ae430aaSDon Lewis Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt); 1483*0ae430aaSDon Lewis- uint8_t byt_ = byt << (uint32_t)2U; 1484*0ae430aaSDon Lewis+ byt_ = byt << (uint32_t)2U; 1485*0ae430aaSDon Lewis Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_); 1486*0ae430aaSDon Lewis } 1487*0ae430aaSDon Lewis } 1488*0ae430aaSDon Lewis@@ -731,12 +777,16 @@ 1489*0ae430aaSDon Lewis static void 1490*0ae430aaSDon Lewis Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input) 1491*0ae430aaSDon Lewis { 1492*0ae430aaSDon Lewis+ uint64_t i0; 1493*0ae430aaSDon Lewis+ uint64_t i1; 1494*0ae430aaSDon Lewis+ uint64_t i0_; 1495*0ae430aaSDon Lewis+ uint64_t i1_; 1496*0ae430aaSDon Lewis Hacl_EC_Format_fcontract_second_carry_pass(input); 1497*0ae430aaSDon Lewis Hacl_Bignum_Modulo_carry_top(input); 1498*0ae430aaSDon Lewis- uint64_t i0 = input[0U]; 1499*0ae430aaSDon Lewis- uint64_t i1 = input[1U]; 1500*0ae430aaSDon Lewis- uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; 1501*0ae430aaSDon Lewis- uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); 1502*0ae430aaSDon Lewis+ i0 = input[0U]; 1503*0ae430aaSDon Lewis+ i1 = input[1U]; 1504*0ae430aaSDon Lewis+ i0_ = i0 & (uint64_t)0x7ffffffffffffU; 1505*0ae430aaSDon Lewis+ i1_ = i1 + (i0 >> (uint32_t)51U); 1506*0ae430aaSDon Lewis input[0U] = i0_; 1507*0ae430aaSDon Lewis input[1U] = i1_; 1508*0ae430aaSDon Lewis } 1509*0ae430aaSDon Lewis@@ -817,22 +867,31 @@ 1510*0ae430aaSDon Lewis uint64_t buf0[10U] = { 0U }; 1511*0ae430aaSDon Lewis uint64_t *x0 = buf0; 1512*0ae430aaSDon Lewis uint64_t *z = buf0 + (uint32_t)5U; 1513*0ae430aaSDon Lewis+ uint64_t *q; 1514*0ae430aaSDon Lewis+ uint8_t e[32U] = { 0U }; 1515*0ae430aaSDon Lewis+ uint8_t e0; 1516*0ae430aaSDon Lewis+ uint8_t e31; 1517*0ae430aaSDon Lewis+ uint8_t e01; 1518*0ae430aaSDon Lewis+ uint8_t 
e311; 1519*0ae430aaSDon Lewis+ uint8_t e312; 1520*0ae430aaSDon Lewis+ uint8_t *scalar; 1521*0ae430aaSDon Lewis+ uint64_t buf[15U] = { 0U }; 1522*0ae430aaSDon Lewis+ uint64_t *nq; 1523*0ae430aaSDon Lewis+ uint64_t *x; 1524*0ae430aaSDon Lewis Hacl_EC_Format_fexpand(x0, basepoint); 1525*0ae430aaSDon Lewis z[0U] = (uint64_t)1U; 1526*0ae430aaSDon Lewis- uint64_t *q = buf0; 1527*0ae430aaSDon Lewis- uint8_t e[32U] = { 0U }; 1528*0ae430aaSDon Lewis+ q = buf0; 1529*0ae430aaSDon Lewis memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]); 1530*0ae430aaSDon Lewis- uint8_t e0 = e[0U]; 1531*0ae430aaSDon Lewis- uint8_t e31 = e[31U]; 1532*0ae430aaSDon Lewis- uint8_t e01 = e0 & (uint8_t)248U; 1533*0ae430aaSDon Lewis- uint8_t e311 = e31 & (uint8_t)127U; 1534*0ae430aaSDon Lewis- uint8_t e312 = e311 | (uint8_t)64U; 1535*0ae430aaSDon Lewis+ e0 = e[0U]; 1536*0ae430aaSDon Lewis+ e31 = e[31U]; 1537*0ae430aaSDon Lewis+ e01 = e0 & (uint8_t)248U; 1538*0ae430aaSDon Lewis+ e311 = e31 & (uint8_t)127U; 1539*0ae430aaSDon Lewis+ e312 = e311 | (uint8_t)64U; 1540*0ae430aaSDon Lewis e[0U] = e01; 1541*0ae430aaSDon Lewis e[31U] = e312; 1542*0ae430aaSDon Lewis- uint8_t *scalar = e; 1543*0ae430aaSDon Lewis- uint64_t buf[15U] = { 0U }; 1544*0ae430aaSDon Lewis- uint64_t *nq = buf; 1545*0ae430aaSDon Lewis- uint64_t *x = nq; 1546*0ae430aaSDon Lewis+ scalar = e; 1547*0ae430aaSDon Lewis+ nq = buf; 1548*0ae430aaSDon Lewis+ x = nq; 1549*0ae430aaSDon Lewis x[0U] = (uint64_t)1U; 1550*0ae430aaSDon Lewis Hacl_EC_Ladder_cmult(nq, scalar, q); 1551*0ae430aaSDon Lewis Hacl_EC_Format_scalar_of_point(mypublic, nq); 1552*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h 1553*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h 2018-08-31 05:55:53.000000000 -0700 1554*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Curve25519.h 2018-10-21 22:18:23.286647000 -0700 1555*0ae430aaSDon 
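Review bot: `e` is a 32-byte stack copy of `secret`, clamped in place, that the hoisted declaration now keeps alive for the whole function, and after `Hacl_EC_Format_scalar_of_point(mypublic, nq);` nothing clears it (or `buf`, the ladder output that `nq` points into) before the function returns. This predates the patch, but with every local now declared at the top of the block it is the natural moment to pair the declarations with a wipe at the end, e.g. `memset(e, 0, sizeof e); memset(buf, 0, sizeof buf);` — preferably through a zeroising helper the compiler cannot drop if the build provides one, since a plain `memset` on a dying local may be optimised away. The function's opening and closing lines are outside the hunk, so the exact return point is not visible here.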
Lewis@@ -13,6 +13,7 @@
1556*0ae430aaSDon Lewis * limitations under the License.
1557*0ae430aaSDon Lewis */
1558*0ae430aaSDon Lewis 
1559*0ae430aaSDon Lewis+#include "secport.h"
1560*0ae430aaSDon Lewis #include "kremlib.h"
1561*0ae430aaSDon Lewis #ifndef __Hacl_Curve25519_H
1562*0ae430aaSDon Lewis #define __Hacl_Curve25519_H
1563*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c
1564*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c 2018-08-31 05:55:53.000000000 -0700
1565*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.c 2018-10-22 00:58:55.601973000 -0700
1566*0ae430aaSDon Lewis@@ -47,7 +47,8 @@
1567*0ae430aaSDon Lewis inline static void
1568*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_copy_from_wide_(uint32_t *output, uint64_t *input)
1569*0ae430aaSDon Lewis {
1570*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1571*0ae430aaSDon Lewis+ uint32_t i;
1572*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1573*0ae430aaSDon Lewis uint64_t xi = input[i];
1574*0ae430aaSDon Lewis output[i] = (uint32_t)xi;
1575*0ae430aaSDon Lewis }
1576*0ae430aaSDon Lewis@@ -56,7 +57,8 @@
1577*0ae430aaSDon Lewis inline static void
1578*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_sum_scalar_multiplication_(uint64_t *output, uint32_t *input, uint32_t s)
1579*0ae430aaSDon Lewis {
1580*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1581*0ae430aaSDon Lewis+ uint32_t i;
1582*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
1583*0ae430aaSDon Lewis uint64_t xi = output[i];
1584*0ae430aaSDon Lewis uint32_t yi = input[i];
1585*0ae430aaSDon Lewis uint64_t x_wide = (uint64_t)yi;
1586*0ae430aaSDon Lewis@@ -68,7 +70,8 @@
1587*0ae430aaSDon Lewis inline static void
1588*0ae430aaSDon Lewis 
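Review bot: The new `#include "secport.h"` goes into a generated, formally-verified header with no note on why an NSS-specific header is needed here, and it sits before the `__Hacl_Curve25519_H` guard like the existing `kremlib.h` include. A one-line comment such as `/* NSS portability definitions; must precede kremlib.h on this toolchain -- keep when regenerating */` would stop the next regeneration of the file from silently dropping it; the actual reason is not visible in this hunk, so word it to match the build failure it fixes.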
Hacl_Bignum_Fproduct_carry_wide_(uint64_t *tmp)
1589*0ae430aaSDon Lewis {
1590*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1591*0ae430aaSDon Lewis+ uint32_t i;
1592*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1593*0ae430aaSDon Lewis uint32_t ctr = i;
1594*0ae430aaSDon Lewis uint64_t tctr = tmp[ctr];
1595*0ae430aaSDon Lewis uint64_t tctrp1 = tmp[ctr + (uint32_t)1U];
1596*0ae430aaSDon Lewis@@ -82,7 +85,8 @@
1597*0ae430aaSDon Lewis inline static void
1598*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_carry_limb_(uint32_t *tmp)
1599*0ae430aaSDon Lewis {
1600*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1601*0ae430aaSDon Lewis+ uint32_t i;
1602*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1603*0ae430aaSDon Lewis uint32_t ctr = i;
1604*0ae430aaSDon Lewis uint32_t tctr = tmp[ctr];
1605*0ae430aaSDon Lewis uint32_t tctrp1 = tmp[ctr + (uint32_t)1U];
1606*0ae430aaSDon Lewis@@ -97,7 +101,8 @@
1607*0ae430aaSDon Lewis Hacl_Bignum_Fmul_shift_reduce(uint32_t *output)
1608*0ae430aaSDon Lewis {
1609*0ae430aaSDon Lewis uint32_t tmp = output[4U];
1610*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1611*0ae430aaSDon Lewis+ uint32_t i;
1612*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1613*0ae430aaSDon Lewis uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
1614*0ae430aaSDon Lewis uint32_t z = output[ctr - (uint32_t)1U];
1615*0ae430aaSDon Lewis output[ctr] = z;
1616*0ae430aaSDon Lewis@@ -109,13 +114,15 @@
1617*0ae430aaSDon Lewis static void
1618*0ae430aaSDon Lewis Hacl_Bignum_Fmul_mul_shift_reduce_(uint64_t *output, uint32_t *input, uint32_t *input2)
1619*0ae430aaSDon Lewis {
1620*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1621*0ae430aaSDon Lewis+ uint32_t i;
1622*0ae430aaSDon Lewis+ uint32_t input2i;
1623*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
1624*0ae430aaSDon Lewis uint32_t input2i = input2[i];
1625*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1626*0ae430aaSDon Lewis Hacl_Bignum_Fmul_shift_reduce(input);
1627*0ae430aaSDon Lewis }
1628*0ae430aaSDon Lewis- uint32_t i = (uint32_t)4U;
1629*0ae430aaSDon Lewis- uint32_t input2i = input2[i];
1630*0ae430aaSDon Lewis+ i = (uint32_t)4U;
1631*0ae430aaSDon Lewis+ input2i = input2[i];
1632*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
1633*0ae430aaSDon Lewis }
1634*0ae430aaSDon Lewis 
1635*0ae430aaSDon Lewis@@ -123,16 +130,20 @@
1636*0ae430aaSDon Lewis Hacl_Bignum_Fmul_fmul(uint32_t *output, uint32_t *input, uint32_t *input2)
1637*0ae430aaSDon Lewis {
1638*0ae430aaSDon Lewis uint32_t tmp[5U] = { 0U };
1639*0ae430aaSDon Lewis- memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
1640*0ae430aaSDon Lewis uint64_t t[5U] = { 0U };
1641*0ae430aaSDon Lewis+ uint32_t i0;
1642*0ae430aaSDon Lewis+ uint32_t i1;
1643*0ae430aaSDon Lewis+ uint32_t i0_;
1644*0ae430aaSDon Lewis+ uint32_t i1_;
1645*0ae430aaSDon Lewis+ memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
1646*0ae430aaSDon Lewis Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
1647*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_carry_wide_(t);
1648*0ae430aaSDon Lewis Hacl_Bignum_Modulo_carry_top_wide(t);
1649*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
1650*0ae430aaSDon Lewis- uint32_t i0 = output[0U];
1651*0ae430aaSDon Lewis- uint32_t i1 = output[1U];
1652*0ae430aaSDon Lewis- uint32_t i0_ = i0 & (uint32_t)0x3ffffffU;
1653*0ae430aaSDon Lewis- uint32_t i1_ = i1 + (i0 >> (uint32_t)26U);
1654*0ae430aaSDon Lewis+ i0 = output[0U];
1655*0ae430aaSDon Lewis+ i1 = output[1U];
1656*0ae430aaSDon Lewis+ i0_ = i0 & (uint32_t)0x3ffffffU;
1657*0ae430aaSDon Lewis+ i1_ = i1 + (i0 >> (uint32_t)26U);
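Review bot: In Hacl_Bignum_Fmul_mul_shift_reduce_ the added function-scope `uint32_t input2i;` is shadowed by the loop body's own `uint32_t input2i = input2[i];`, which the hunk leaves as a context line, so the outer variable is only used by the tail step after the loop. It is valid C89 and behaves correctly, but `-Wshadow` will flag it and a reader can easily take the two for one variable. Either make the loop line `input2i = input2[i];` (still C89-clean, since the outer declaration now covers it) or keep the loop's declaration and give the trailing one a distinct name.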
1658*0ae430aaSDon Lewis output[0U] = i0_; 1659*0ae430aaSDon Lewis output[1U] = i1_; 1660*0ae430aaSDon Lewis } 1661*0ae430aaSDon Lewis@@ -140,7 +151,8 @@ 1662*0ae430aaSDon Lewis inline static void 1663*0ae430aaSDon Lewis Hacl_Bignum_AddAndMultiply_add_and_multiply(uint32_t *acc, uint32_t *block, uint32_t *r) 1664*0ae430aaSDon Lewis { 1665*0ae430aaSDon Lewis- for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) { 1666*0ae430aaSDon Lewis+ uint32_t i; 1667*0ae430aaSDon Lewis+ for (i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) { 1668*0ae430aaSDon Lewis uint32_t xi = acc[i]; 1669*0ae430aaSDon Lewis uint32_t yi = block[i]; 1670*0ae430aaSDon Lewis acc[i] = xi + yi; 1671*0ae430aaSDon Lewis@@ -175,13 +187,15 @@ 1672*0ae430aaSDon Lewis uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU; 1673*0ae430aaSDon Lewis uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU; 1674*0ae430aaSDon Lewis uint32_t r4 = i4 >> (uint32_t)8U; 1675*0ae430aaSDon Lewis+ uint32_t b4; 1676*0ae430aaSDon Lewis+ uint32_t b4_; 1677*0ae430aaSDon Lewis tmp[0U] = r0; 1678*0ae430aaSDon Lewis tmp[1U] = r1; 1679*0ae430aaSDon Lewis tmp[2U] = r2; 1680*0ae430aaSDon Lewis tmp[3U] = r3; 1681*0ae430aaSDon Lewis tmp[4U] = r4; 1682*0ae430aaSDon Lewis- uint32_t b4 = tmp[4U]; 1683*0ae430aaSDon Lewis- uint32_t b4_ = (uint32_t)0x1000000U | b4; 1684*0ae430aaSDon Lewis+ b4 = tmp[4U]; 1685*0ae430aaSDon Lewis+ b4_ = (uint32_t)0x1000000U | b4; 1686*0ae430aaSDon Lewis tmp[4U] = b4_; 1687*0ae430aaSDon Lewis Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r5); 1688*0ae430aaSDon Lewis } 1689*0ae430aaSDon Lewis@@ -209,15 +223,19 @@ 1690*0ae430aaSDon Lewis uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU; 1691*0ae430aaSDon Lewis uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU; 1692*0ae430aaSDon Lewis uint32_t r4 = i4 >> (uint32_t)8U; 1693*0ae430aaSDon Lewis+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut0; 1694*0ae430aaSDon Lewis+ uint32_t *h; 1695*0ae430aaSDon Lewis+ 
Hacl_Impl_Poly1305_32_State_poly1305_state scrut; 1696*0ae430aaSDon Lewis+ uint32_t *r; 1697*0ae430aaSDon Lewis tmp[0U] = r0; 1698*0ae430aaSDon Lewis tmp[1U] = r1; 1699*0ae430aaSDon Lewis tmp[2U] = r2; 1700*0ae430aaSDon Lewis tmp[3U] = r3; 1701*0ae430aaSDon Lewis tmp[4U] = r4; 1702*0ae430aaSDon Lewis- Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st; 1703*0ae430aaSDon Lewis- uint32_t *h = scrut0.h; 1704*0ae430aaSDon Lewis- Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; 1705*0ae430aaSDon Lewis- uint32_t *r = scrut.r; 1706*0ae430aaSDon Lewis+ scrut0 = st; 1707*0ae430aaSDon Lewis+ h = scrut0.h; 1708*0ae430aaSDon Lewis+ scrut = st; 1709*0ae430aaSDon Lewis+ r = scrut.r; 1710*0ae430aaSDon Lewis Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r); 1711*0ae430aaSDon Lewis } 1712*0ae430aaSDon Lewis 1713*0ae430aaSDon Lewis@@ -228,12 +246,15 @@ 1714*0ae430aaSDon Lewis uint64_t rem_) 1715*0ae430aaSDon Lewis { 1716*0ae430aaSDon Lewis uint8_t zero1 = (uint8_t)0U; 1717*0ae430aaSDon Lewis- KRML_CHECK_SIZE(zero1, (uint32_t)16U); 1718*0ae430aaSDon Lewis uint8_t block[16U]; 1719*0ae430aaSDon Lewis- for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) 1720*0ae430aaSDon Lewis+ uint32_t _i; 1721*0ae430aaSDon Lewis+ uint32_t i0; 1722*0ae430aaSDon Lewis+ uint32_t i; 1723*0ae430aaSDon Lewis+ KRML_CHECK_SIZE(zero1, (uint32_t)16U); 1724*0ae430aaSDon Lewis+ for (_i = 0U; _i < (uint32_t)16U; ++_i) 1725*0ae430aaSDon Lewis block[_i] = zero1; 1726*0ae430aaSDon Lewis- uint32_t i0 = (uint32_t)rem_; 1727*0ae430aaSDon Lewis- uint32_t i = (uint32_t)rem_; 1728*0ae430aaSDon Lewis+ i0 = (uint32_t)rem_; 1729*0ae430aaSDon Lewis+ i = (uint32_t)rem_; 1730*0ae430aaSDon Lewis memcpy(block, m, i * sizeof m[0U]); 1731*0ae430aaSDon Lewis block[i0] = (uint8_t)1U; 1732*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_poly1305_process_last_block_(block, st, m, rem_); 1733*0ae430aaSDon Lewis@@ -242,69 +263,116 @@ 1734*0ae430aaSDon Lewis static void 1735*0ae430aaSDon Lewis 
Hacl_Impl_Poly1305_32_poly1305_last_pass(uint32_t *acc) 1736*0ae430aaSDon Lewis { 1737*0ae430aaSDon Lewis+ uint32_t t0; 1738*0ae430aaSDon Lewis+ uint32_t t10; 1739*0ae430aaSDon Lewis+ uint32_t t20; 1740*0ae430aaSDon Lewis+ uint32_t t30; 1741*0ae430aaSDon Lewis+ uint32_t t40; 1742*0ae430aaSDon Lewis+ uint32_t t1_; 1743*0ae430aaSDon Lewis+ uint32_t mask_261; 1744*0ae430aaSDon Lewis+ uint32_t t0_; 1745*0ae430aaSDon Lewis+ uint32_t t2_; 1746*0ae430aaSDon Lewis+ uint32_t t1__; 1747*0ae430aaSDon Lewis+ uint32_t t3_; 1748*0ae430aaSDon Lewis+ uint32_t t2__; 1749*0ae430aaSDon Lewis+ uint32_t t4_; 1750*0ae430aaSDon Lewis+ uint32_t t3__; 1751*0ae430aaSDon Lewis+ uint32_t t00; 1752*0ae430aaSDon Lewis+ uint32_t t1; 1753*0ae430aaSDon Lewis+ uint32_t t2; 1754*0ae430aaSDon Lewis+ uint32_t t3; 1755*0ae430aaSDon Lewis+ uint32_t t4; 1756*0ae430aaSDon Lewis+ uint32_t t1_0; 1757*0ae430aaSDon Lewis+ uint32_t t0_0; 1758*0ae430aaSDon Lewis+ uint32_t t2_0; 1759*0ae430aaSDon Lewis+ uint32_t t1__0; 1760*0ae430aaSDon Lewis+ uint32_t t3_0; 1761*0ae430aaSDon Lewis+ uint32_t t2__0; 1762*0ae430aaSDon Lewis+ uint32_t t4_0; 1763*0ae430aaSDon Lewis+ uint32_t t3__0; 1764*0ae430aaSDon Lewis+ uint32_t i0; 1765*0ae430aaSDon Lewis+ uint32_t i1; 1766*0ae430aaSDon Lewis+ uint32_t i0_; 1767*0ae430aaSDon Lewis+ uint32_t i1_; 1768*0ae430aaSDon Lewis+ uint32_t a0; 1769*0ae430aaSDon Lewis+ uint32_t a1; 1770*0ae430aaSDon Lewis+ uint32_t a2; 1771*0ae430aaSDon Lewis+ uint32_t a3; 1772*0ae430aaSDon Lewis+ uint32_t a4; 1773*0ae430aaSDon Lewis+ uint32_t mask0; 1774*0ae430aaSDon Lewis+ uint32_t mask1; 1775*0ae430aaSDon Lewis+ uint32_t mask2; 1776*0ae430aaSDon Lewis+ uint32_t mask3; 1777*0ae430aaSDon Lewis+ uint32_t mask4; 1778*0ae430aaSDon Lewis+ uint32_t mask; 1779*0ae430aaSDon Lewis+ uint32_t a0_; 1780*0ae430aaSDon Lewis+ uint32_t a1_; 1781*0ae430aaSDon Lewis+ uint32_t a2_; 1782*0ae430aaSDon Lewis+ uint32_t a3_; 1783*0ae430aaSDon Lewis+ uint32_t a4_; 1784*0ae430aaSDon Lewis Hacl_Bignum_Fproduct_carry_limb_(acc); 
1785*0ae430aaSDon Lewis Hacl_Bignum_Modulo_carry_top(acc); 1786*0ae430aaSDon Lewis- uint32_t t0 = acc[0U]; 1787*0ae430aaSDon Lewis- uint32_t t10 = acc[1U]; 1788*0ae430aaSDon Lewis- uint32_t t20 = acc[2U]; 1789*0ae430aaSDon Lewis- uint32_t t30 = acc[3U]; 1790*0ae430aaSDon Lewis- uint32_t t40 = acc[4U]; 1791*0ae430aaSDon Lewis- uint32_t t1_ = t10 + (t0 >> (uint32_t)26U); 1792*0ae430aaSDon Lewis- uint32_t mask_261 = (uint32_t)0x3ffffffU; 1793*0ae430aaSDon Lewis- uint32_t t0_ = t0 & mask_261; 1794*0ae430aaSDon Lewis- uint32_t t2_ = t20 + (t1_ >> (uint32_t)26U); 1795*0ae430aaSDon Lewis- uint32_t t1__ = t1_ & mask_261; 1796*0ae430aaSDon Lewis- uint32_t t3_ = t30 + (t2_ >> (uint32_t)26U); 1797*0ae430aaSDon Lewis- uint32_t t2__ = t2_ & mask_261; 1798*0ae430aaSDon Lewis- uint32_t t4_ = t40 + (t3_ >> (uint32_t)26U); 1799*0ae430aaSDon Lewis- uint32_t t3__ = t3_ & mask_261; 1800*0ae430aaSDon Lewis+ t0 = acc[0U]; 1801*0ae430aaSDon Lewis+ t10 = acc[1U]; 1802*0ae430aaSDon Lewis+ t20 = acc[2U]; 1803*0ae430aaSDon Lewis+ t30 = acc[3U]; 1804*0ae430aaSDon Lewis+ t40 = acc[4U]; 1805*0ae430aaSDon Lewis+ t1_ = t10 + (t0 >> (uint32_t)26U); 1806*0ae430aaSDon Lewis+ mask_261 = (uint32_t)0x3ffffffU; 1807*0ae430aaSDon Lewis+ t0_ = t0 & mask_261; 1808*0ae430aaSDon Lewis+ t2_ = t20 + (t1_ >> (uint32_t)26U); 1809*0ae430aaSDon Lewis+ t1__ = t1_ & mask_261; 1810*0ae430aaSDon Lewis+ t3_ = t30 + (t2_ >> (uint32_t)26U); 1811*0ae430aaSDon Lewis+ t2__ = t2_ & mask_261; 1812*0ae430aaSDon Lewis+ t4_ = t40 + (t3_ >> (uint32_t)26U); 1813*0ae430aaSDon Lewis+ t3__ = t3_ & mask_261; 1814*0ae430aaSDon Lewis acc[0U] = t0_; 1815*0ae430aaSDon Lewis acc[1U] = t1__; 1816*0ae430aaSDon Lewis acc[2U] = t2__; 1817*0ae430aaSDon Lewis acc[3U] = t3__; 1818*0ae430aaSDon Lewis acc[4U] = t4_; 1819*0ae430aaSDon Lewis Hacl_Bignum_Modulo_carry_top(acc); 1820*0ae430aaSDon Lewis- uint32_t t00 = acc[0U]; 1821*0ae430aaSDon Lewis- uint32_t t1 = acc[1U]; 1822*0ae430aaSDon Lewis- uint32_t t2 = acc[2U]; 1823*0ae430aaSDon Lewis- 
uint32_t t3 = acc[3U]; 1824*0ae430aaSDon Lewis- uint32_t t4 = acc[4U]; 1825*0ae430aaSDon Lewis- uint32_t t1_0 = t1 + (t00 >> (uint32_t)26U); 1826*0ae430aaSDon Lewis- uint32_t t0_0 = t00 & (uint32_t)0x3ffffffU; 1827*0ae430aaSDon Lewis- uint32_t t2_0 = t2 + (t1_0 >> (uint32_t)26U); 1828*0ae430aaSDon Lewis- uint32_t t1__0 = t1_0 & (uint32_t)0x3ffffffU; 1829*0ae430aaSDon Lewis- uint32_t t3_0 = t3 + (t2_0 >> (uint32_t)26U); 1830*0ae430aaSDon Lewis- uint32_t t2__0 = t2_0 & (uint32_t)0x3ffffffU; 1831*0ae430aaSDon Lewis- uint32_t t4_0 = t4 + (t3_0 >> (uint32_t)26U); 1832*0ae430aaSDon Lewis- uint32_t t3__0 = t3_0 & (uint32_t)0x3ffffffU; 1833*0ae430aaSDon Lewis+ t00 = acc[0U]; 1834*0ae430aaSDon Lewis+ t1 = acc[1U]; 1835*0ae430aaSDon Lewis+ t2 = acc[2U]; 1836*0ae430aaSDon Lewis+ t3 = acc[3U]; 1837*0ae430aaSDon Lewis+ t4 = acc[4U]; 1838*0ae430aaSDon Lewis+ t1_0 = t1 + (t00 >> (uint32_t)26U); 1839*0ae430aaSDon Lewis+ t0_0 = t00 & (uint32_t)0x3ffffffU; 1840*0ae430aaSDon Lewis+ t2_0 = t2 + (t1_0 >> (uint32_t)26U); 1841*0ae430aaSDon Lewis+ t1__0 = t1_0 & (uint32_t)0x3ffffffU; 1842*0ae430aaSDon Lewis+ t3_0 = t3 + (t2_0 >> (uint32_t)26U); 1843*0ae430aaSDon Lewis+ t2__0 = t2_0 & (uint32_t)0x3ffffffU; 1844*0ae430aaSDon Lewis+ t4_0 = t4 + (t3_0 >> (uint32_t)26U); 1845*0ae430aaSDon Lewis+ t3__0 = t3_0 & (uint32_t)0x3ffffffU; 1846*0ae430aaSDon Lewis acc[0U] = t0_0; 1847*0ae430aaSDon Lewis acc[1U] = t1__0; 1848*0ae430aaSDon Lewis acc[2U] = t2__0; 1849*0ae430aaSDon Lewis acc[3U] = t3__0; 1850*0ae430aaSDon Lewis acc[4U] = t4_0; 1851*0ae430aaSDon Lewis Hacl_Bignum_Modulo_carry_top(acc); 1852*0ae430aaSDon Lewis- uint32_t i0 = acc[0U]; 1853*0ae430aaSDon Lewis- uint32_t i1 = acc[1U]; 1854*0ae430aaSDon Lewis- uint32_t i0_ = i0 & (uint32_t)0x3ffffffU; 1855*0ae430aaSDon Lewis- uint32_t i1_ = i1 + (i0 >> (uint32_t)26U); 1856*0ae430aaSDon Lewis+ i0 = acc[0U]; 1857*0ae430aaSDon Lewis+ i1 = acc[1U]; 1858*0ae430aaSDon Lewis+ i0_ = i0 & (uint32_t)0x3ffffffU; 1859*0ae430aaSDon Lewis+ i1_ = i1 + (i0 >> 
(uint32_t)26U); 1860*0ae430aaSDon Lewis acc[0U] = i0_; 1861*0ae430aaSDon Lewis acc[1U] = i1_; 1862*0ae430aaSDon Lewis- uint32_t a0 = acc[0U]; 1863*0ae430aaSDon Lewis- uint32_t a1 = acc[1U]; 1864*0ae430aaSDon Lewis- uint32_t a2 = acc[2U]; 1865*0ae430aaSDon Lewis- uint32_t a3 = acc[3U]; 1866*0ae430aaSDon Lewis- uint32_t a4 = acc[4U]; 1867*0ae430aaSDon Lewis- uint32_t mask0 = FStar_UInt32_gte_mask(a0, (uint32_t)0x3fffffbU); 1868*0ae430aaSDon Lewis- uint32_t mask1 = FStar_UInt32_eq_mask(a1, (uint32_t)0x3ffffffU); 1869*0ae430aaSDon Lewis- uint32_t mask2 = FStar_UInt32_eq_mask(a2, (uint32_t)0x3ffffffU); 1870*0ae430aaSDon Lewis- uint32_t mask3 = FStar_UInt32_eq_mask(a3, (uint32_t)0x3ffffffU); 1871*0ae430aaSDon Lewis- uint32_t mask4 = FStar_UInt32_eq_mask(a4, (uint32_t)0x3ffffffU); 1872*0ae430aaSDon Lewis- uint32_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4; 1873*0ae430aaSDon Lewis- uint32_t a0_ = a0 - ((uint32_t)0x3fffffbU & mask); 1874*0ae430aaSDon Lewis- uint32_t a1_ = a1 - ((uint32_t)0x3ffffffU & mask); 1875*0ae430aaSDon Lewis- uint32_t a2_ = a2 - ((uint32_t)0x3ffffffU & mask); 1876*0ae430aaSDon Lewis- uint32_t a3_ = a3 - ((uint32_t)0x3ffffffU & mask); 1877*0ae430aaSDon Lewis- uint32_t a4_ = a4 - ((uint32_t)0x3ffffffU & mask); 1878*0ae430aaSDon Lewis+ a0 = acc[0U]; 1879*0ae430aaSDon Lewis+ a1 = acc[1U]; 1880*0ae430aaSDon Lewis+ a2 = acc[2U]; 1881*0ae430aaSDon Lewis+ a3 = acc[3U]; 1882*0ae430aaSDon Lewis+ a4 = acc[4U]; 1883*0ae430aaSDon Lewis+ mask0 = FStar_UInt32_gte_mask(a0, (uint32_t)0x3fffffbU); 1884*0ae430aaSDon Lewis+ mask1 = FStar_UInt32_eq_mask(a1, (uint32_t)0x3ffffffU); 1885*0ae430aaSDon Lewis+ mask2 = FStar_UInt32_eq_mask(a2, (uint32_t)0x3ffffffU); 1886*0ae430aaSDon Lewis+ mask3 = FStar_UInt32_eq_mask(a3, (uint32_t)0x3ffffffU); 1887*0ae430aaSDon Lewis+ mask4 = FStar_UInt32_eq_mask(a4, (uint32_t)0x3ffffffU); 1888*0ae430aaSDon Lewis+ mask = (((mask0 & mask1) & mask2) & mask3) & mask4; 1889*0ae430aaSDon Lewis+ a0_ = a0 - ((uint32_t)0x3fffffbU & mask); 
1890*0ae430aaSDon Lewis+ a1_ = a1 - ((uint32_t)0x3ffffffU & mask); 1891*0ae430aaSDon Lewis+ a2_ = a2 - ((uint32_t)0x3ffffffU & mask); 1892*0ae430aaSDon Lewis+ a3_ = a3 - ((uint32_t)0x3ffffffU & mask); 1893*0ae430aaSDon Lewis+ a4_ = a4 - ((uint32_t)0x3ffffffU & mask); 1894*0ae430aaSDon Lewis acc[0U] = a0_; 1895*0ae430aaSDon Lewis acc[1U] = a1_; 1896*0ae430aaSDon Lewis acc[2U] = a2_; 1897*0ae430aaSDon Lewis@@ -315,7 +383,10 @@ 1898*0ae430aaSDon Lewis static Hacl_Impl_Poly1305_32_State_poly1305_state 1899*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_mk_state(uint32_t *r, uint32_t *h) 1900*0ae430aaSDon Lewis { 1901*0ae430aaSDon Lewis- return ((Hacl_Impl_Poly1305_32_State_poly1305_state){.r = r, .h = h }); 1902*0ae430aaSDon Lewis+ Hacl_Impl_Poly1305_32_State_poly1305_state ret; 1903*0ae430aaSDon Lewis+ ret.r = r; 1904*0ae430aaSDon Lewis+ ret.h = h; 1905*0ae430aaSDon Lewis+ return (ret); 1906*0ae430aaSDon Lewis } 1907*0ae430aaSDon Lewis 1908*0ae430aaSDon Lewis static void 1909*0ae430aaSDon Lewis@@ -327,8 +398,9 @@ 1910*0ae430aaSDon Lewis if (!(len1 == (uint64_t)0U)) { 1911*0ae430aaSDon Lewis uint8_t *block = m; 1912*0ae430aaSDon Lewis uint8_t *tail1 = m + (uint32_t)16U; 1913*0ae430aaSDon Lewis+ uint64_t len2; 1914*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_poly1305_update(st, block); 1915*0ae430aaSDon Lewis- uint64_t len2 = len1 - (uint64_t)1U; 1916*0ae430aaSDon Lewis+ len2 = len1 - (uint64_t)1U; 1917*0ae430aaSDon Lewis Hacl_Standalone_Poly1305_32_poly1305_blocks(st, tail1, len2); 1918*0ae430aaSDon Lewis } 1919*0ae430aaSDon Lewis } 1920*0ae430aaSDon Lewis@@ -363,14 +435,17 @@ 1921*0ae430aaSDon Lewis uint32_t 1922*0ae430aaSDon Lewis r4 = 1923*0ae430aaSDon Lewis (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) & (uint32_t)0x3ffffffU; 1924*0ae430aaSDon Lewis+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut0; 1925*0ae430aaSDon Lewis+ uint32_t *h; 1926*0ae430aaSDon Lewis+ uint32_t *x00; 1927*0ae430aaSDon Lewis x0[0U] = r0; 
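Review bot: The rewritten body of Hacl_Impl_Poly1305_32_mk_state parenthesises its return value, `return (ret);`, which reads as if return were a function and differs from every other return in these hunks; `return ret;` is the conventional spelling. Leaving `ret` uninitialised is fine because both members are assigned before the return, but this directory is generated (KreMLin) output, so a one-line comment such as `/* struct assignment instead of a compound literal: keeps the generated code C89-buildable */` would tell the next person who re-syncs from upstream why the hand edit exists.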
1928*0ae430aaSDon Lewis x0[1U] = r1; 1929*0ae430aaSDon Lewis x0[2U] = r2; 1930*0ae430aaSDon Lewis x0[3U] = r3; 1931*0ae430aaSDon Lewis x0[4U] = r4; 1932*0ae430aaSDon Lewis- Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st; 1933*0ae430aaSDon Lewis- uint32_t *h = scrut0.h; 1934*0ae430aaSDon Lewis- uint32_t *x00 = h; 1935*0ae430aaSDon Lewis+ scrut0 = st; 1936*0ae430aaSDon Lewis+ h = scrut0.h; 1937*0ae430aaSDon Lewis+ x00 = h; 1938*0ae430aaSDon Lewis x00[0U] = (uint32_t)0U; 1939*0ae430aaSDon Lewis x00[1U] = (uint32_t)0U; 1940*0ae430aaSDon Lewis x00[2U] = (uint32_t)0U; 1941*0ae430aaSDon Lewis@@ -391,12 +466,15 @@ 1942*0ae430aaSDon Lewis uint64_t rem16 = len1 & (uint64_t)0xfU; 1943*0ae430aaSDon Lewis uint8_t *part_input = m; 1944*0ae430aaSDon Lewis uint8_t *last_block = m + (uint32_t)((uint64_t)16U * len16); 1945*0ae430aaSDon Lewis+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut; 1946*0ae430aaSDon Lewis+ uint32_t *h; 1947*0ae430aaSDon Lewis+ uint32_t *acc; 1948*0ae430aaSDon Lewis Hacl_Standalone_Poly1305_32_poly1305_partial(st, part_input, len16, kr); 1949*0ae430aaSDon Lewis if (!(rem16 == (uint64_t)0U)) 1950*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, last_block, rem16); 1951*0ae430aaSDon Lewis- Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; 1952*0ae430aaSDon Lewis- uint32_t *h = scrut.h; 1953*0ae430aaSDon Lewis- uint32_t *acc = h; 1954*0ae430aaSDon Lewis+ scrut = st; 1955*0ae430aaSDon Lewis+ h = scrut.h; 1956*0ae430aaSDon Lewis+ acc = h; 1957*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_poly1305_last_pass(acc); 1958*0ae430aaSDon Lewis } 1959*0ae430aaSDon Lewis 1960*0ae430aaSDon Lewis@@ -410,20 +488,31 @@ 1961*0ae430aaSDon Lewis uint32_t buf[10U] = { 0U }; 1962*0ae430aaSDon Lewis uint32_t *r = buf; 1963*0ae430aaSDon Lewis uint32_t *h = buf + (uint32_t)5U; 1964*0ae430aaSDon Lewis+ uint8_t *key_s; 1965*0ae430aaSDon Lewis+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut; 1966*0ae430aaSDon Lewis+ uint32_t *h5; 1967*0ae430aaSDon 
Lewis+ uint32_t *acc; 1968*0ae430aaSDon Lewis+ FStar_UInt128_t k_; 1969*0ae430aaSDon Lewis+ uint32_t h0; 1970*0ae430aaSDon Lewis+ uint32_t h1; 1971*0ae430aaSDon Lewis+ uint32_t h2; 1972*0ae430aaSDon Lewis+ uint32_t h3; 1973*0ae430aaSDon Lewis+ uint32_t h4; 1974*0ae430aaSDon Lewis+ FStar_UInt128_t acc_; 1975*0ae430aaSDon Lewis+ FStar_UInt128_t mac_; 1976*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_State_poly1305_state st = Hacl_Impl_Poly1305_32_mk_state(r, h); 1977*0ae430aaSDon Lewis- uint8_t *key_s = k1 + (uint32_t)16U; 1978*0ae430aaSDon Lewis+ key_s = k1 + (uint32_t)16U; 1979*0ae430aaSDon Lewis Hacl_Standalone_Poly1305_32_poly1305_complete(st, input, len1, k1); 1980*0ae430aaSDon Lewis- Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; 1981*0ae430aaSDon Lewis- uint32_t *h5 = scrut.h; 1982*0ae430aaSDon Lewis- uint32_t *acc = h5; 1983*0ae430aaSDon Lewis- FStar_UInt128_t k_ = load128_le(key_s); 1984*0ae430aaSDon Lewis- uint32_t h0 = acc[0U]; 1985*0ae430aaSDon Lewis- uint32_t h1 = acc[1U]; 1986*0ae430aaSDon Lewis- uint32_t h2 = acc[2U]; 1987*0ae430aaSDon Lewis- uint32_t h3 = acc[3U]; 1988*0ae430aaSDon Lewis- uint32_t h4 = acc[4U]; 1989*0ae430aaSDon Lewis- FStar_UInt128_t 1990*0ae430aaSDon Lewis- acc_ = 1991*0ae430aaSDon Lewis+ scrut = st; 1992*0ae430aaSDon Lewis+ h5 = scrut.h; 1993*0ae430aaSDon Lewis+ acc = h5; 1994*0ae430aaSDon Lewis+ k_ = load128_le(key_s); 1995*0ae430aaSDon Lewis+ h0 = acc[0U]; 1996*0ae430aaSDon Lewis+ h1 = acc[1U]; 1997*0ae430aaSDon Lewis+ h2 = acc[2U]; 1998*0ae430aaSDon Lewis+ h3 = acc[3U]; 1999*0ae430aaSDon Lewis+ h4 = acc[4U]; 2000*0ae430aaSDon Lewis+ acc_ = 2001*0ae430aaSDon Lewis FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4), 2002*0ae430aaSDon Lewis (uint32_t)104U), 2003*0ae430aaSDon Lewis FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3), 2004*0ae430aaSDon Lewis@@ -433,7 +522,7 @@ 2005*0ae430aaSDon Lewis 
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1), 2006*0ae430aaSDon Lewis (uint32_t)26U), 2007*0ae430aaSDon Lewis FStar_UInt128_uint64_to_uint128((uint64_t)h0))))); 2008*0ae430aaSDon Lewis- FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_); 2009*0ae430aaSDon Lewis+ mac_ = FStar_UInt128_add_mod(acc_, k_); 2010*0ae430aaSDon Lewis store128_le(output, mac_); 2011*0ae430aaSDon Lewis } 2012*0ae430aaSDon Lewis 2013*0ae430aaSDon Lewis@@ -485,14 +574,17 @@ 2014*0ae430aaSDon Lewis uint32_t 2015*0ae430aaSDon Lewis r4 = 2016*0ae430aaSDon Lewis (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) & (uint32_t)0x3ffffffU; 2017*0ae430aaSDon Lewis+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut0; 2018*0ae430aaSDon Lewis+ uint32_t *h; 2019*0ae430aaSDon Lewis+ uint32_t *x00; 2020*0ae430aaSDon Lewis x0[0U] = r0; 2021*0ae430aaSDon Lewis x0[1U] = r1; 2022*0ae430aaSDon Lewis x0[2U] = r2; 2023*0ae430aaSDon Lewis x0[3U] = r3; 2024*0ae430aaSDon Lewis x0[4U] = r4; 2025*0ae430aaSDon Lewis- Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st; 2026*0ae430aaSDon Lewis- uint32_t *h = scrut0.h; 2027*0ae430aaSDon Lewis- uint32_t *x00 = h; 2028*0ae430aaSDon Lewis+ scrut0 = st; 2029*0ae430aaSDon Lewis+ h = scrut0.h; 2030*0ae430aaSDon Lewis+ x00 = h; 2031*0ae430aaSDon Lewis x00[0U] = (uint32_t)0U; 2032*0ae430aaSDon Lewis x00[1U] = (uint32_t)0U; 2033*0ae430aaSDon Lewis x00[2U] = (uint32_t)0U; 2034*0ae430aaSDon Lewis@@ -529,11 +621,14 @@ 2035*0ae430aaSDon Lewis uint8_t *m, 2036*0ae430aaSDon Lewis uint32_t len1) 2037*0ae430aaSDon Lewis { 2038*0ae430aaSDon Lewis+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut; 2039*0ae430aaSDon Lewis+ uint32_t *h; 2040*0ae430aaSDon Lewis+ uint32_t *acc; 2041*0ae430aaSDon Lewis if (!((uint64_t)len1 == (uint64_t)0U)) 2042*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, m, (uint64_t)len1); 2043*0ae430aaSDon Lewis- 
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; 2044*0ae430aaSDon Lewis- uint32_t *h = scrut.h; 2045*0ae430aaSDon Lewis- uint32_t *acc = h; 2046*0ae430aaSDon Lewis+ scrut = st; 2047*0ae430aaSDon Lewis+ h = scrut.h; 2048*0ae430aaSDon Lewis+ acc = h; 2049*0ae430aaSDon Lewis Hacl_Impl_Poly1305_32_poly1305_last_pass(acc); 2050*0ae430aaSDon Lewis } 2051*0ae430aaSDon Lewis 2052*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h 2053*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h 2018-08-31 05:55:53.000000000 -0700 2054*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/Hacl_Poly1305_32.h 2018-10-22 00:11:45.152423000 -0700 2055*0ae430aaSDon Lewis@@ -13,6 +13,7 @@ 2056*0ae430aaSDon Lewis * limitations under the License. 2057*0ae430aaSDon Lewis */ 2058*0ae430aaSDon Lewis 2059*0ae430aaSDon Lewis+#include "secport.h" 2060*0ae430aaSDon Lewis #include "kremlib.h" 2061*0ae430aaSDon Lewis #ifndef __Hacl_Poly1305_32_H 2062*0ae430aaSDon Lewis #define __Hacl_Poly1305_32_H 2063*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/freebl/verified/kremlib_base.h misc/build/nss-3.39/nss/lib/freebl/verified/kremlib_base.h 2064*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/freebl/verified/kremlib_base.h 2018-08-31 05:55:53.000000000 -0700 2065*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/freebl/verified/kremlib_base.h 2018-10-21 20:56:12.848112000 -0700 2066*0ae430aaSDon Lewis@@ -16,9 +16,26 @@ 2067*0ae430aaSDon Lewis #ifndef __KREMLIB_BASE_H 2068*0ae430aaSDon Lewis #define __KREMLIB_BASE_H 2069*0ae430aaSDon Lewis 2070*0ae430aaSDon Lewis-#include <inttypes.h> 2071*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1800 2072*0ae430aaSDon Lewis+ #define PRIx8 "x" 2073*0ae430aaSDon Lewis+ #define PRIx16 "x" 2074*0ae430aaSDon Lewis+ #define PRIx32 "x" 2075*0ae430aaSDon Lewis+ #ifdef _WIN64 2076*0ae430aaSDon Lewis+ #define PRIx64 "lx" 
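Review bot: The added `#include "secport.h"` in Hacl_Poly1305_32.h says nothing about what the HACL* verified header now needs from NSS's portability layer, and it sits outside the `__Hacl_Poly1305_32_H` guard alongside kremlib.h. Because this file is generated output that is normally re-synced from upstream, an undocumented local include is the kind of line that silently disappears; a comment such as `/* secport.h: NSS portability shims required for <SYMBOL-OR-REASON placeholder> when building with older MSVC */` would pin the dependency down.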
2077*0ae430aaSDon Lewis+ #else 2078*0ae430aaSDon Lewis+ #define PRIx64 "llx" 2079*0ae430aaSDon Lewis+ #endif 2080*0ae430aaSDon Lewis+#else 2081*0ae430aaSDon Lewis+ #include <inttypes.h> 2082*0ae430aaSDon Lewis+#endif 2083*0ae430aaSDon Lewis #include <limits.h> 2084*0ae430aaSDon Lewis-#include <stdbool.h> 2085*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600 2086*0ae430aaSDon Lewis+ #define false 0 2087*0ae430aaSDon Lewis+ #define true 1 2088*0ae430aaSDon Lewis+typedef int bool; 2089*0ae430aaSDon Lewis+#else 2090*0ae430aaSDon Lewis+ #include <stdbool.h> 2091*0ae430aaSDon Lewis+#endif 2092*0ae430aaSDon Lewis #include <stdio.h> 2093*0ae430aaSDon Lewis #include <stdlib.h> 2094*0ae430aaSDon Lewis #include <string.h> 2095*0ae430aaSDon Lewis@@ -47,6 +64,9 @@ 2096*0ae430aaSDon Lewis 2097*0ae430aaSDon Lewis #ifdef __GNUC__ 2098*0ae430aaSDon Lewis #define inline __inline__ 2099*0ae430aaSDon Lewis+#endif 2100*0ae430aaSDon Lewis+#if defined(_MSC_VER) 2101*0ae430aaSDon Lewis+#define inline __inline 2102*0ae430aaSDon Lewis #endif 2103*0ae430aaSDon Lewis 2104*0ae430aaSDon Lewis /* GCC-specific attribute syntax; everyone else gets the standard C inline 2105*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/pk11wrap/pk11skey.c misc/build/nss-3.39/nss/lib/pk11wrap/pk11skey.c 2106*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/pk11wrap/pk11skey.c 2018-08-31 05:55:53.000000000 -0700 2107*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/pk11wrap/pk11skey.c 2018-10-22 01:25:27.313788000 -0700 2108*0ae430aaSDon Lewis@@ -2217,12 +2217,13 @@ 2109*0ae430aaSDon Lewis /* old PKCS #11 spec was ambiguous on what needed to be passed, 2110*0ae430aaSDon Lewis * try this again with an encoded public key */ 2111*0ae430aaSDon Lewis if (crv != CKR_OK) { 2112*0ae430aaSDon Lewis+ SECItem *pubValue; 2113*0ae430aaSDon Lewis /* For curves that only use X as public value and no encoding we don't 2114*0ae430aaSDon Lewis * have to try again. 
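Review bot: The `_WIN64` branch defines `PRIx64` as `"lx"`, but Windows is LLP64 — `long` stays 32 bits on x64 — so printing a uint64_t with `%lx` consumes only half of the argument and is undefined behaviour; the `"llx"` spelling in the 32-bit branch is the correct one on both architectures. Suggest dropping the `_WIN64` split and using `#define PRIx64 "llx"` (older MSVC CRTs also accept `"I64x"`), with a short comment noting the LLP64 model so the branch is not reintroduced. The surrounding `_MSC_VER < 1800` guard is consistent with the other shims in this patch.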
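Review bot: The new `#if defined(_MSC_VER)` / `#define inline __inline` block is unconditional, unlike the other MSVC shims in this patch which carry a `_MSC_VER` version bound, so it also rewrites `inline` on MSVC versions that accept the keyword natively and in any translation unit that includes this header as C++, where `inline` is a keyword. Guarding it as `#if defined(_MSC_VER) && !defined(__cplusplus) && _MSC_VER < 1900` limits the macro to the compilers that need it; the exact bound should match the oldest MSVC the build actually targets.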
(Currently only Curve25519) */ 2115*0ae430aaSDon Lewis if (pk11_ECGetPubkeyEncoding(pubKey) == ECPoint_XOnly) { 2116*0ae430aaSDon Lewis goto loser; 2117*0ae430aaSDon Lewis } 2118*0ae430aaSDon Lewis- SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, 2119*0ae430aaSDon Lewis+ pubValue = SEC_ASN1EncodeItem(NULL, NULL, 2120*0ae430aaSDon Lewis &pubKey->u.ec.publicValue, 2121*0ae430aaSDon Lewis SEC_ASN1_GET(SEC_OctetStringTemplate)); 2122*0ae430aaSDon Lewis if (pubValue == NULL) { 2123*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/pkcs7/p7create.c misc/build/nss-3.39/nss/lib/pkcs7/p7create.c 2124*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/pkcs7/p7create.c 2018-08-31 05:55:53.000000000 -0700 2125*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/pkcs7/p7create.c 2018-10-22 10:00:01.127657000 -0700 2126*0ae430aaSDon Lewis@@ -1263,6 +1263,7 @@ 2127*0ae430aaSDon Lewis SECAlgorithmID *algid; 2128*0ae430aaSDon Lewis SEC_PKCS7EncryptedData *enc_data; 2129*0ae430aaSDon Lewis SECStatus rv; 2130*0ae430aaSDon Lewis+ SECAlgorithmID *pbe_algid; 2131*0ae430aaSDon Lewis 2132*0ae430aaSDon Lewis PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm)); 2133*0ae430aaSDon Lewis 2134*0ae430aaSDon Lewis@@ -1274,7 +1275,6 @@ 2135*0ae430aaSDon Lewis enc_data = cinfo->content.encryptedData; 2136*0ae430aaSDon Lewis algid = &(enc_data->encContentInfo.contentEncAlg); 2137*0ae430aaSDon Lewis 2138*0ae430aaSDon Lewis- SECAlgorithmID *pbe_algid; 2139*0ae430aaSDon Lewis pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm, 2140*0ae430aaSDon Lewis cipher_algorithm, 2141*0ae430aaSDon Lewis prf_algorithm, 2142*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/softoken/pkcs11c.c misc/build/nss-3.39/nss/lib/softoken/pkcs11c.c 2143*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/softoken/pkcs11c.c 2018-08-31 05:55:53.000000000 -0700 2144*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/softoken/pkcs11c.c 2018-10-22 01:08:34.274286000 -0700 2145*0ae430aaSDon Lewis@@ -5125,8 +5125,9 @@ 2146*0ae430aaSDon 
Lewis crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, 2147*0ae430aaSDon Lewis sftk_item_expand(&ecPriv->publicValue)); 2148*0ae430aaSDon Lewis } else { 2149*0ae430aaSDon Lewis+ SECItem *pubValue; 2150*0ae430aaSDon Lewis PORT_FreeArena(ecParams->arena, PR_TRUE); 2151*0ae430aaSDon Lewis- SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, 2152*0ae430aaSDon Lewis+ pubValue = SEC_ASN1EncodeItem(NULL, NULL, 2153*0ae430aaSDon Lewis &ecPriv->publicValue, 2154*0ae430aaSDon Lewis SEC_ASN1_GET(SEC_OctetStringTemplate)); 2155*0ae430aaSDon Lewis if (!pubValue) { 2156*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/softoken/sdb.c misc/build/nss-3.39/nss/lib/softoken/sdb.c 2157*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/softoken/sdb.c 2018-08-31 05:55:53.000000000 -0700 2158*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/softoken/sdb.c 2018-10-22 01:18:14.220773000 -0700 2159*0ae430aaSDon Lewis@@ -206,12 +206,13 @@ 2160*0ae430aaSDon Lewis sdb_chmod(const char *filename, int pmode) 2161*0ae430aaSDon Lewis { 2162*0ae430aaSDon Lewis int result; 2163*0ae430aaSDon Lewis+ wchar_t *filenameWide; 2164*0ae430aaSDon Lewis 2165*0ae430aaSDon Lewis if (!filename) { 2166*0ae430aaSDon Lewis return -1; 2167*0ae430aaSDon Lewis } 2168*0ae430aaSDon Lewis 2169*0ae430aaSDon Lewis- wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename); 2170*0ae430aaSDon Lewis+ filenameWide = _NSSUTIL_UTF8ToWide(filename); 2171*0ae430aaSDon Lewis if (!filenameWide) { 2172*0ae430aaSDon Lewis return -1; 2173*0ae430aaSDon Lewis } 2174*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/dtls13con.c misc/build/nss-3.39/nss/lib/ssl/dtls13con.c 2175*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/dtls13con.c 2018-08-31 05:55:53.000000000 -0700 2176*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/dtls13con.c 2018-10-22 01:31:19.795730000 -0700 2177*0ae430aaSDon Lewis@@ -64,7 +64,7 @@ 2178*0ae430aaSDon Lewis } DTLSHandshakeRecordEntry; 2179*0ae430aaSDon Lewis 2180*0ae430aaSDon Lewis /* Combine the epoch and 
sequence number into a single value. */ 2181*0ae430aaSDon Lewis-static inline sslSequenceNumber 2182*0ae430aaSDon Lewis+static __inline sslSequenceNumber 2183*0ae430aaSDon Lewis dtls_CombineSequenceNumber(DTLSEpoch epoch, sslSequenceNumber seqNum) 2184*0ae430aaSDon Lewis { 2185*0ae430aaSDon Lewis PORT_Assert(seqNum <= RECORD_SEQ_MAX); 2186*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/selfencrypt.c misc/build/nss-3.39/nss/lib/ssl/selfencrypt.c 2187*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/selfencrypt.c 2018-08-31 05:55:53.000000000 -0700 2188*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/selfencrypt.c 2018-10-22 03:36:02.726686000 -0700 2189*0ae430aaSDon Lewis@@ -193,6 +193,14 @@ 2190*0ae430aaSDon Lewis PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen) 2191*0ae430aaSDon Lewis { 2192*0ae430aaSDon Lewis sslReader reader = SSL_READER(in, inLen); 2193*0ae430aaSDon Lewis+ sslReadBuffer ivBuffer = { 0 }; 2194*0ae430aaSDon Lewis+ PRUint64 cipherTextLen = 0; 2195*0ae430aaSDon Lewis+ sslReadBuffer cipherTextBuffer = { 0 }; 2196*0ae430aaSDon Lewis+ unsigned int bytesToMac; 2197*0ae430aaSDon Lewis+ sslReadBuffer encodedMacBuffer = { 0 }; 2198*0ae430aaSDon Lewis+ unsigned char computedMac[SHA256_LENGTH]; 2199*0ae430aaSDon Lewis+ unsigned int computedMacLen = 0; 2200*0ae430aaSDon Lewis+ SECItem ivItem = { siBuffer, (unsigned char *)ivBuffer.buf, AES_BLOCK_SIZE }; 2201*0ae430aaSDon Lewis 2202*0ae430aaSDon Lewis sslReadBuffer encodedKeyNameBuffer = { 0 }; 2203*0ae430aaSDon Lewis SECStatus rv = sslRead_Read(&reader, SELF_ENCRYPT_KEY_NAME_LEN, 2204*0ae430aaSDon Lewis@@ -201,26 +209,22 @@ 2205*0ae430aaSDon Lewis return SECFailure; 2206*0ae430aaSDon Lewis } 2207*0ae430aaSDon Lewis 2208*0ae430aaSDon Lewis- sslReadBuffer ivBuffer = { 0 }; 2209*0ae430aaSDon Lewis rv = sslRead_Read(&reader, AES_BLOCK_SIZE, &ivBuffer); 2210*0ae430aaSDon Lewis if (rv != SECSuccess) { 2211*0ae430aaSDon Lewis return SECFailure; 2212*0ae430aaSDon Lewis } 2213*0ae430aaSDon Lewis 
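Review bot: `static __inline sslSequenceNumber` hardcodes a compiler-specific spelling into dtls_CombineSequenceNumber, and the sslbloom.c hunk does the same to sslBloom_Size, while the same patch solves the problem for freebl by mapping `inline` to `__inline` in one header under `_MSC_VER`. `__inline` happens to be accepted by GCC, Clang and MSVC but is not standard C, and two hand-edited call sites will drift from whatever inline policy libssl adopts next; a single compiler-guarded `#define` in a shared header, with the functions left as `static inline`, keeps the workaround in one place. The body of dtls_CombineSequenceNumber continues outside the hunk.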
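Review bot: Hoisting `SECItem ivItem = { siBuffer, (unsigned char *)ivBuffer.buf, AES_BLOCK_SIZE };` into the declarations captures `ivBuffer.buf` before `sslRead_Read(&reader, AES_BLOCK_SIZE, &ivBuffer)` has run, and `ivBuffer` is `{ 0 }` at that point, so `ivItem.data` is NULL when the `@@ -254,7 +256,6 @@` hunk passes `&ivItem` to `PK11_Decrypt(encKey, CKM_AES_CBC_PAD, ...)`; decryption of every self-encrypted ticket will then fail or dereference NULL instead of using the transported IV. The other hoisted buffers are harmless because they are only read after being filled, but the IV item has to be completed after the read: declare `SECItem ivItem = { siBuffer, NULL, AES_BLOCK_SIZE };` at the top and add `ivItem.data = (unsigned char *)ivBuffer.buf;` immediately before the PK11_Decrypt call, where the removed line used to be. If the motivation is C89 compatibility, a non-constant expression inside an aggregate initializer is itself not C89, which the member assignment also avoids. The function's signature and its tail after the decrypt call lie outside these hunks.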
2214*0ae430aaSDon Lewis- PRUint64 cipherTextLen = 0; 2215*0ae430aaSDon Lewis rv = sslRead_ReadNumber(&reader, 2, &cipherTextLen); 2216*0ae430aaSDon Lewis if (rv != SECSuccess) { 2217*0ae430aaSDon Lewis return SECFailure; 2218*0ae430aaSDon Lewis } 2219*0ae430aaSDon Lewis 2220*0ae430aaSDon Lewis- sslReadBuffer cipherTextBuffer = { 0 }; 2221*0ae430aaSDon Lewis rv = sslRead_Read(&reader, (unsigned int)cipherTextLen, &cipherTextBuffer); 2222*0ae430aaSDon Lewis if (rv != SECSuccess) { 2223*0ae430aaSDon Lewis return SECFailure; 2224*0ae430aaSDon Lewis } 2225*0ae430aaSDon Lewis- unsigned int bytesToMac = reader.offset; 2226*0ae430aaSDon Lewis+ bytesToMac = reader.offset; 2227*0ae430aaSDon Lewis 2228*0ae430aaSDon Lewis- sslReadBuffer encodedMacBuffer = { 0 }; 2229*0ae430aaSDon Lewis rv = sslRead_Read(&reader, SHA256_LENGTH, &encodedMacBuffer); 2230*0ae430aaSDon Lewis if (rv != SECSuccess) { 2231*0ae430aaSDon Lewis return SECFailure; 2232*0ae430aaSDon Lewis@@ -240,8 +244,6 @@ 2233*0ae430aaSDon Lewis } 2234*0ae430aaSDon Lewis 2235*0ae430aaSDon Lewis /* 2. Check the MAC */ 2236*0ae430aaSDon Lewis- unsigned char computedMac[SHA256_LENGTH]; 2237*0ae430aaSDon Lewis- unsigned int computedMacLen = 0; 2238*0ae430aaSDon Lewis rv = ssl_MacBuffer(macKey, CKM_SHA256_HMAC, in, bytesToMac, 2239*0ae430aaSDon Lewis computedMac, &computedMacLen, sizeof(computedMac)); 2240*0ae430aaSDon Lewis if (rv != SECSuccess) { 2241*0ae430aaSDon Lewis@@ -254,7 +256,6 @@ 2242*0ae430aaSDon Lewis } 2243*0ae430aaSDon Lewis 2244*0ae430aaSDon Lewis /* 3. OK, it verifies, now decrypt. 
*/ 2245*0ae430aaSDon Lewis- SECItem ivItem = { siBuffer, (unsigned char *)ivBuffer.buf, AES_BLOCK_SIZE }; 2246*0ae430aaSDon Lewis rv = PK11_Decrypt(encKey, CKM_AES_CBC_PAD, &ivItem, 2247*0ae430aaSDon Lewis out, outLen, maxOutLen, cipherTextBuffer.buf, cipherTextLen); 2248*0ae430aaSDon Lewis if (rv != SECSuccess) { 2249*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/ssl3con.c misc/build/nss-3.39/nss/lib/ssl/ssl3con.c 2250*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/ssl3con.c 2018-08-31 05:55:53.000000000 -0700 2251*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/ssl3con.c 2018-10-22 01:44:48.945390000 -0700 2252*0ae430aaSDon Lewis@@ -5718,6 +5718,7 @@ 2253*0ae430aaSDon Lewis SECStatus rv = SECFailure; 2254*0ae430aaSDon Lewis SECItem enc_pms = { siBuffer, NULL, 0 }; 2255*0ae430aaSDon Lewis PRBool isTLS; 2256*0ae430aaSDon Lewis+ unsigned int svrPubKeyBits; 2257*0ae430aaSDon Lewis 2258*0ae430aaSDon Lewis PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 2259*0ae430aaSDon Lewis PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 2260*0ae430aaSDon Lewis@@ -5734,7 +5735,7 @@ 2261*0ae430aaSDon Lewis } 2262*0ae430aaSDon Lewis 2263*0ae430aaSDon Lewis /* Get the wrapped (encrypted) pre-master secret, enc_pms */ 2264*0ae430aaSDon Lewis- unsigned int svrPubKeyBits = SECKEY_PublicKeyStrengthInBits(svrPubKey); 2265*0ae430aaSDon Lewis+ svrPubKeyBits = SECKEY_PublicKeyStrengthInBits(svrPubKey); 2266*0ae430aaSDon Lewis enc_pms.len = (svrPubKeyBits + 7) / 8; 2267*0ae430aaSDon Lewis /* Check that the RSA key isn't larger than 8k bit. 
*/ 2268*0ae430aaSDon Lewis if (svrPubKeyBits > SSL_MAX_RSA_KEY_BITS) { 2269*0ae430aaSDon Lewis@@ -8123,6 +8124,7 @@ 2270*0ae430aaSDon Lewis ssl_GenerateServerRandom(sslSocket *ss) 2271*0ae430aaSDon Lewis { 2272*0ae430aaSDon Lewis SECStatus rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random); 2273*0ae430aaSDon Lewis+ PRUint8 *downgradeSentinel; 2274*0ae430aaSDon Lewis if (rv != SECSuccess) { 2275*0ae430aaSDon Lewis return SECFailure; 2276*0ae430aaSDon Lewis } 2277*0ae430aaSDon Lewis@@ -8154,7 +8156,7 @@ 2278*0ae430aaSDon Lewis * 2279*0ae430aaSDon Lewis * 44 4F 57 4E 47 52 44 00 2280*0ae430aaSDon Lewis */ 2281*0ae430aaSDon Lewis- PRUint8 *downgradeSentinel = 2282*0ae430aaSDon Lewis+ downgradeSentinel = 2283*0ae430aaSDon Lewis ss->ssl3.hs.server_random + 2284*0ae430aaSDon Lewis SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random); 2285*0ae430aaSDon Lewis 2286*0ae430aaSDon Lewis@@ -11986,11 +11988,13 @@ 2287*0ae430aaSDon Lewis } 2288*0ae430aaSDon Lewis 2289*0ae430aaSDon Lewis for (i = 0; i < toCheck; i++) { 2290*0ae430aaSDon Lewis+ unsigned char mask; 2291*0ae430aaSDon Lewis+ unsigned char b; 2292*0ae430aaSDon Lewis t = paddingLength - i; 2293*0ae430aaSDon Lewis /* If i <= paddingLength then the MSB of t is zero and mask is 2294*0ae430aaSDon Lewis * 0xff. Otherwise, mask is 0. */ 2295*0ae430aaSDon Lewis- unsigned char mask = DUPLICATE_MSB_TO_ALL(~t); 2296*0ae430aaSDon Lewis- unsigned char b = plaintext->buf[plaintext->len - 1 - i]; 2297*0ae430aaSDon Lewis+ mask = DUPLICATE_MSB_TO_ALL(~t); 2298*0ae430aaSDon Lewis+ b = plaintext->buf[plaintext->len - 1 - i]; 2299*0ae430aaSDon Lewis /* The final |paddingLength+1| bytes should all have the value 2300*0ae430aaSDon Lewis * |paddingLength|. Therefore the XOR should be zero. 
*/ 2301*0ae430aaSDon Lewis good &= ~(mask & (paddingLength ^ b)); 2302*0ae430aaSDon Lewis@@ -12532,6 +12536,7 @@ 2303*0ae430aaSDon Lewis } 2304*0ae430aaSDon Lewis 2305*0ae430aaSDon Lewis if (rv != SECSuccess) { 2306*0ae430aaSDon Lewis+ int errCode; 2307*0ae430aaSDon Lewis ssl_ReleaseSpecReadLock(ss); /***************************/ 2308*0ae430aaSDon Lewis 2309*0ae430aaSDon Lewis SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); 2310*0ae430aaSDon Lewis@@ -12562,7 +12567,7 @@ 2311*0ae430aaSDon Lewis return SECSuccess; 2312*0ae430aaSDon Lewis } 2313*0ae430aaSDon Lewis 2314*0ae430aaSDon Lewis- int errCode = PORT_GetError(); 2315*0ae430aaSDon Lewis+ errCode = PORT_GetError(); 2316*0ae430aaSDon Lewis SSL3_SendAlert(ss, alert_fatal, alert); 2317*0ae430aaSDon Lewis /* Reset the error code in case SSL3_SendAlert called 2318*0ae430aaSDon Lewis * PORT_SetError(). */ 2319*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/ssl3exthandle.c misc/build/nss-3.39/nss/lib/ssl/ssl3exthandle.c 2320*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/ssl3exthandle.c 2018-08-31 05:55:53.000000000 -0700 2321*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/ssl3exthandle.c 2018-10-22 02:03:24.559698000 -0700 2322*0ae430aaSDon Lewis@@ -1915,6 +1915,8 @@ 2323*0ae430aaSDon Lewis sslBuffer *buf, PRBool *added) 2324*0ae430aaSDon Lewis { 2325*0ae430aaSDon Lewis PRUint32 maxLimit; 2326*0ae430aaSDon Lewis+ PRUint32 limit; 2327*0ae430aaSDon Lewis+ SECStatus rv; 2328*0ae430aaSDon Lewis if (ss->sec.isServer) { 2329*0ae430aaSDon Lewis maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) 2330*0ae430aaSDon Lewis ? (MAX_FRAGMENT_LENGTH + 1) 2331*0ae430aaSDon Lewis@@ -1924,8 +1926,8 @@ 2332*0ae430aaSDon Lewis ? 
(MAX_FRAGMENT_LENGTH + 1) 2333*0ae430aaSDon Lewis : MAX_FRAGMENT_LENGTH; 2334*0ae430aaSDon Lewis } 2335*0ae430aaSDon Lewis- PRUint32 limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit); 2336*0ae430aaSDon Lewis- SECStatus rv = sslBuffer_AppendNumber(buf, limit, 2); 2337*0ae430aaSDon Lewis+ limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit); 2338*0ae430aaSDon Lewis+ rv = sslBuffer_AppendNumber(buf, limit, 2); 2339*0ae430aaSDon Lewis if (rv != SECSuccess) { 2340*0ae430aaSDon Lewis return SECFailure; 2341*0ae430aaSDon Lewis } 2342*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslbloom.c misc/build/nss-3.39/nss/lib/ssl/sslbloom.c 2343*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslbloom.c 2018-08-31 05:55:53.000000000 -0700 2344*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslbloom.c 2018-10-22 01:50:48.294197000 -0700 2345*0ae430aaSDon Lewis@@ -10,7 +10,7 @@ 2346*0ae430aaSDon Lewis #include "prnetdb.h" 2347*0ae430aaSDon Lewis #include "secport.h" 2348*0ae430aaSDon Lewis 2349*0ae430aaSDon Lewis-static inline unsigned int 2350*0ae430aaSDon Lewis+static __inline unsigned int 2351*0ae430aaSDon Lewis sslBloom_Size(unsigned int bits) 2352*0ae430aaSDon Lewis { 2353*0ae430aaSDon Lewis return (bits >= 3) ? 
(1 << (bits - 3)) : 1; 2354*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslencode.c misc/build/nss-3.39/nss/lib/ssl/sslencode.c 2355*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslencode.c 2018-08-31 05:55:53.000000000 -0700 2356*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslencode.c 2018-10-22 01:55:55.317356000 -0700 2357*0ae430aaSDon Lewis@@ -214,6 +214,8 @@ 2358*0ae430aaSDon Lewis SECStatus 2359*0ae430aaSDon Lewis sslRead_ReadNumber(sslReader *reader, unsigned int bytes, PRUint64 *num) 2360*0ae430aaSDon Lewis { 2361*0ae430aaSDon Lewis+ unsigned int i; 2362*0ae430aaSDon Lewis+ PRUint64 number = 0; 2363*0ae430aaSDon Lewis if (!reader || !num) { 2364*0ae430aaSDon Lewis PORT_SetError(SEC_ERROR_INVALID_ARGS); 2365*0ae430aaSDon Lewis return SECFailure; 2366*0ae430aaSDon Lewis@@ -224,8 +226,6 @@ 2367*0ae430aaSDon Lewis PORT_SetError(SEC_ERROR_BAD_DATA); 2368*0ae430aaSDon Lewis return SECFailure; 2369*0ae430aaSDon Lewis } 2370*0ae430aaSDon Lewis- unsigned int i; 2371*0ae430aaSDon Lewis- PRUint64 number = 0; 2372*0ae430aaSDon Lewis for (i = 0; i < bytes; i++) { 2373*0ae430aaSDon Lewis number = (number << 8) + reader->buf.buf[i + reader->offset]; 2374*0ae430aaSDon Lewis } 2375*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslnonce.c misc/build/nss-3.39/nss/lib/ssl/sslnonce.c 2376*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslnonce.c 2018-08-31 05:55:53.000000000 -0700 2377*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslnonce.c 2018-10-22 02:55:25.098750000 -0700 2378*0ae430aaSDon Lewis@@ -439,6 +439,10 @@ 2379*0ae430aaSDon Lewis ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedToken, 2380*0ae430aaSDon Lewis PRUint32 encodedTokenLen) 2381*0ae430aaSDon Lewis { 2382*0ae430aaSDon Lewis+ sslReader reader; 2383*0ae430aaSDon Lewis+ PRUint64 tmpInt = 0; 2384*0ae430aaSDon Lewis+ sslReadBuffer readerBuffer = { 0 }; 2385*0ae430aaSDon Lewis+ 2386*0ae430aaSDon Lewis PORT_Assert(encodedTokenLen); 2387*0ae430aaSDon Lewis 
PORT_Assert(encodedToken); 2388*0ae430aaSDon Lewis PORT_Assert(sid); 2389*0ae430aaSDon Lewis@@ -454,10 +458,11 @@ 2390*0ae430aaSDon Lewis } 2391*0ae430aaSDon Lewis 2392*0ae430aaSDon Lewis /* These variables are used across macros. Don't use them outside. */ 2393*0ae430aaSDon Lewis- sslReader reader = SSL_READER(encodedToken, encodedTokenLen); 2394*0ae430aaSDon Lewis+ // sslReader reader = SSL_READER(encodedToken, encodedTokenLen); 2395*0ae430aaSDon Lewis+ reader.buf.buf = encodedToken; 2396*0ae430aaSDon Lewis+ reader.buf.len = encodedTokenLen; 2397*0ae430aaSDon Lewis+ reader.offset = 0; 2398*0ae430aaSDon Lewis reader.offset += 1; // We read the version already. Skip the first byte. 2399*0ae430aaSDon Lewis- sslReadBuffer readerBuffer = { 0 }; 2400*0ae430aaSDon Lewis- PRUint64 tmpInt = 0; 2401*0ae430aaSDon Lewis 2402*0ae430aaSDon Lewis if (sslRead_ReadNumber(&reader, 8, &tmpInt) != SECSuccess) { 2403*0ae430aaSDon Lewis return SECFailure; 2404*0ae430aaSDon Lewis@@ -494,9 +499,13 @@ 2405*0ae430aaSDon Lewis return SECFailure; 2406*0ae430aaSDon Lewis } 2407*0ae430aaSDon Lewis if (readerBuffer.len) { 2408*0ae430aaSDon Lewis+ SECItem tempItem; 2409*0ae430aaSDon Lewis PORT_Assert(!sid->peerCert); 2410*0ae430aaSDon Lewis- SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf, 2411*0ae430aaSDon Lewis- readerBuffer.len }; 2412*0ae430aaSDon Lewis+ // tempItem = { siBuffer, (unsigned char *)readerBuffer.buf, 2413*0ae430aaSDon Lewis+ // readerBuffer.len }; 2414*0ae430aaSDon Lewis+ tempItem.type = siBuffer; 2415*0ae430aaSDon Lewis+ tempItem.data = (unsigned char *)readerBuffer.buf; 2416*0ae430aaSDon Lewis+ tempItem.len = readerBuffer.len; 2417*0ae430aaSDon Lewis sid->peerCert = CERT_NewTempCertificate(NULL, /* dbHandle */ 2418*0ae430aaSDon Lewis &tempItem, 2419*0ae430aaSDon Lewis NULL, PR_FALSE, PR_TRUE); 2420*0ae430aaSDon Lewis@@ -510,12 +519,16 @@ 2421*0ae430aaSDon Lewis return SECFailure; 2422*0ae430aaSDon Lewis } 2423*0ae430aaSDon Lewis if (readerBuffer.len) { 
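Review bot: The `@@ -454,10 +458,11 @@` hunk keeps the replaced line as a comment, `// sslReader reader = SSL_READER(encodedToken, encodedTokenLen);`, and the tempItem hunks at `-494`, `-510` and `-545` do the same with their former aggregate initializers; commented-out code should be deleted rather than left beside its replacement. The field-by-field setup (`reader.buf.buf`, `reader.buf.len`, `reader.offset`) is only equivalent to `SSL_READER` if those are the only members the macro initializes — worth confirming against sslencode.h so that a member added to sslReader later does not stay uninitialized here. A one-line `/* field-wise init: SSL_READER's aggregate initializer is not C89 */` on the replacement would record why the macro is bypassed; ssl_DecodeResumptionToken continues outside the hunk.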
2424*0ae430aaSDon Lewis+ SECItem tempItem; 2425*0ae430aaSDon Lewis SECITEM_AllocArray(NULL, &sid->peerCertStatus, 1); 2426*0ae430aaSDon Lewis if (!sid->peerCertStatus.items) { 2427*0ae430aaSDon Lewis return SECFailure; 2428*0ae430aaSDon Lewis } 2429*0ae430aaSDon Lewis- SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf, 2430*0ae430aaSDon Lewis- readerBuffer.len }; 2431*0ae430aaSDon Lewis+ // SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf, 2432*0ae430aaSDon Lewis+ // readerBuffer.len }; 2433*0ae430aaSDon Lewis+ tempItem.type = siBuffer; 2434*0ae430aaSDon Lewis+ tempItem.data = (unsigned char *)readerBuffer.buf; 2435*0ae430aaSDon Lewis+ tempItem.len = readerBuffer.len; 2436*0ae430aaSDon Lewis SECITEM_CopyItem(NULL, &sid->peerCertStatus.items[0], &tempItem); 2437*0ae430aaSDon Lewis } 2438*0ae430aaSDon Lewis 2439*0ae430aaSDon Lewis@@ -545,9 +558,13 @@ 2440*0ae430aaSDon Lewis return SECFailure; 2441*0ae430aaSDon Lewis } 2442*0ae430aaSDon Lewis if (readerBuffer.len) { 2443*0ae430aaSDon Lewis+ SECItem tempItem; 2444*0ae430aaSDon Lewis PORT_Assert(!sid->localCert); 2445*0ae430aaSDon Lewis- SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf, 2446*0ae430aaSDon Lewis- readerBuffer.len }; 2447*0ae430aaSDon Lewis+ //SECItem tempItem = { siBuffer, (unsigned char *)readerBuffer.buf, 2448*0ae430aaSDon Lewis+ // readerBuffer.len }; 2449*0ae430aaSDon Lewis+ tempItem.type = siBuffer; 2450*0ae430aaSDon Lewis+ tempItem.data = (unsigned char *)readerBuffer.buf; 2451*0ae430aaSDon Lewis+ tempItem.len = readerBuffer.len; 2452*0ae430aaSDon Lewis sid->localCert = CERT_NewTempCertificate(NULL, /* dbHandle */ 2453*0ae430aaSDon Lewis &tempItem, 2454*0ae430aaSDon Lewis NULL, PR_FALSE, PR_TRUE); 2455*0ae430aaSDon Lewis@@ -706,13 +723,15 @@ 2456*0ae430aaSDon Lewis PRBool 2457*0ae430aaSDon Lewis ssl_IsResumptionTokenValid(sslSocket *ss) 2458*0ae430aaSDon Lewis { 2459*0ae430aaSDon Lewis+ sslSessionID *sid; 2460*0ae430aaSDon Lewis+ PRTime endTime = 0; 
2461*0ae430aaSDon Lewis+ NewSessionTicket *ticket;
2462*0ae430aaSDon Lewis PORT_Assert(ss);
2463*0ae430aaSDon Lewis- sslSessionID *sid = ss->sec.ci.sid;
2464*0ae430aaSDon Lewis+ sid = ss->sec.ci.sid;
2465*0ae430aaSDon Lewis PORT_Assert(sid);
2466*0ae430aaSDon Lewis
2467*0ae430aaSDon Lewis // Check that the ticket didn't expire.
2468*0ae430aaSDon Lewis- PRTime endTime = 0;
2469*0ae430aaSDon Lewis- NewSessionTicket *ticket = &sid->u.ssl3.locked.sessionTicket;
2470*0ae430aaSDon Lewis+ ticket = &sid->u.ssl3.locked.sessionTicket;
2471*0ae430aaSDon Lewis if (ticket->ticket_lifetime_hint != 0) {
2472*0ae430aaSDon Lewis endTime = ticket->received_timestamp +
2473*0ae430aaSDon Lewis (PRTime)(ticket->ticket_lifetime_hint * PR_USEC_PER_SEC);
2474*0ae430aaSDon Lewis@@ -746,6 +765,9 @@
2475*0ae430aaSDon Lewis static SECStatus
2476*0ae430aaSDon Lewis ssl_EncodeResumptionToken(sslSessionID *sid, sslBuffer *encodedTokenBuf)
2477*0ae430aaSDon Lewis {
2478*0ae430aaSDon Lewis+ SECStatus rv;
2479*0ae430aaSDon Lewis+ PRUint64 len;
2480*0ae430aaSDon Lewis+
2481*0ae430aaSDon Lewis PORT_Assert(encodedTokenBuf);
2482*0ae430aaSDon Lewis PORT_Assert(sid);
2483*0ae430aaSDon Lewis if (!sid || !sid->u.ssl3.locked.sessionTicket.ticket.len ||
2484*0ae430aaSDon Lewis@@ -760,7 +782,7 @@
2485*0ae430aaSDon Lewis * SECItems are prepended with a 64-bit length field followed by the bytes.
2486*0ae430aaSDon Lewis * Optional bytes are encoded as a 0-length item if not present.
2487*0ae430aaSDon Lewis */
2488*0ae430aaSDon Lewis- SECStatus rv = sslBuffer_AppendNumber(encodedTokenBuf,
2489*0ae430aaSDon Lewis+ rv = sslBuffer_AppendNumber(encodedTokenBuf,
2490*0ae430aaSDon Lewis SSLResumptionTokenVersion, 1);
2491*0ae430aaSDon Lewis if (rv != SECSuccess) {
2492*0ae430aaSDon Lewis return SECFailure;
2493*0ae430aaSDon Lewis@@ -843,7 +865,7 @@
2494*0ae430aaSDon Lewis }
2495*0ae430aaSDon Lewis }
2496*0ae430aaSDon Lewis
2497*0ae430aaSDon Lewis- PRUint64 len = sid->peerID ?
strlen(sid->peerID) : 0;
2498*0ae430aaSDon Lewis+ len = sid->peerID ? strlen(sid->peerID) : 0;
2499*0ae430aaSDon Lewis if (len > PR_UINT8_MAX) {
2500*0ae430aaSDon Lewis // This string really shouldn't be that long.
2501*0ae430aaSDon Lewis PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
2502*0ae430aaSDon Lewis@@ -1052,8 +1074,11 @@
2503*0ae430aaSDon Lewis void
2504*0ae430aaSDon Lewis ssl_CacheExternalToken(sslSocket *ss)
2505*0ae430aaSDon Lewis {
2506*0ae430aaSDon Lewis+ sslSessionID *sid;
2507*0ae430aaSDon Lewis+ sslBuffer encodedToken = SSL_BUFFER_EMPTY;
2508*0ae430aaSDon Lewis+
2509*0ae430aaSDon Lewis PORT_Assert(ss);
2510*0ae430aaSDon Lewis- sslSessionID *sid = ss->sec.ci.sid;
2511*0ae430aaSDon Lewis+ sid = ss->sec.ci.sid;
2512*0ae430aaSDon Lewis PORT_Assert(sid);
2513*0ae430aaSDon Lewis PORT_Assert(sid->cached == never_cached);
2514*0ae430aaSDon Lewis PORT_Assert(ss->resumptionTokenCallback);
2515*0ae430aaSDon Lewis@@ -1083,8 +1108,6 @@
2516*0ae430aaSDon Lewis sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
2517*0ae430aaSDon Lewis }
2518*0ae430aaSDon Lewis
2519*0ae430aaSDon Lewis- sslBuffer encodedToken = SSL_BUFFER_EMPTY;
2520*0ae430aaSDon Lewis-
2521*0ae430aaSDon Lewis if (ssl_EncodeResumptionToken(sid, &encodedToken) != SECSuccess) {
2522*0ae430aaSDon Lewis SSL_TRC(3, ("SSL [%d]: encoding resumption token failed", ss->fd));
2523*0ae430aaSDon Lewis return;
2524*0ae430aaSDon Lewis@@ -1127,11 +1150,12 @@
2525*0ae430aaSDon Lewis void
2526*0ae430aaSDon Lewis ssl_UncacheSessionID(sslSocket *ss)
2527*0ae430aaSDon Lewis {
2528*0ae430aaSDon Lewis+ sslSecurityInfo *sec;
2529*0ae430aaSDon Lewis if (ss->opt.noCache) {
2530*0ae430aaSDon Lewis return;
2531*0ae430aaSDon Lewis }
2532*0ae430aaSDon Lewis
2533*0ae430aaSDon Lewis- sslSecurityInfo *sec = &ss->sec;
2534*0ae430aaSDon Lewis+ sec = &ss->sec;
2535*0ae430aaSDon Lewis PORT_Assert(sec);
2536*0ae430aaSDon Lewis
2537*0ae430aaSDon Lewis if (sec->ci.sid) {
2538*0ae430aaSDon Lewisdiff -ur
misc/nss-3.39/nss/lib/ssl/sslsnce.c misc/build/nss-3.39/nss/lib/ssl/sslsnce.c
2539*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslsnce.c 2018-08-31 05:55:53.000000000 -0700
2540*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslsnce.c 2018-10-22 03:10:53.707928000 -0700
2541*0ae430aaSDon Lewis@@ -732,11 +732,11 @@
2542*0ae430aaSDon Lewis void
2543*0ae430aaSDon Lewis ssl_ServerCacheSessionID(sslSessionID *sid)
2544*0ae430aaSDon Lewis {
2545*0ae430aaSDon Lewis- PORT_Assert(sid);
2546*0ae430aaSDon Lewis-
2547*0ae430aaSDon Lewis sidCacheEntry sce;
2548*0ae430aaSDon Lewis PRUint32 now = 0;
2549*0ae430aaSDon Lewis cacheDesc *cache = &globalCache;
2550*0ae430aaSDon Lewis+
2551*0ae430aaSDon Lewis+ PORT_Assert(sid);
2552*0ae430aaSDon Lewis
2553*0ae430aaSDon Lewis if (sid->u.ssl3.sessionIDLength == 0) {
2554*0ae430aaSDon Lewis return;
2555*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/sslsock.c misc/build/nss-3.39/nss/lib/ssl/sslsock.c
2556*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/sslsock.c 2018-08-31 05:55:53.000000000 -0700
2557*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/sslsock.c 2018-10-22 03:26:21.638950000 -0700
2558*0ae430aaSDon Lewis@@ -53,38 +53,38 @@
2559*0ae430aaSDon Lewis ** default settings for socket enables
2560*0ae430aaSDon Lewis */
2561*0ae430aaSDon Lewis static sslOptions ssl_defaults = {
2562*0ae430aaSDon Lewis- .nextProtoNego = { siBuffer, NULL, 0 },
2563*0ae430aaSDon Lewis- .maxEarlyDataSize = 1 << 16,
2564*0ae430aaSDon Lewis- .recordSizeLimit = MAX_FRAGMENT_LENGTH + 1,
2565*0ae430aaSDon Lewis- .useSecurity = PR_TRUE,
2566*0ae430aaSDon Lewis- .useSocks = PR_FALSE,
2567*0ae430aaSDon Lewis- .requestCertificate = PR_FALSE,
2568*0ae430aaSDon Lewis- .requireCertificate = SSL_REQUIRE_FIRST_HANDSHAKE,
2569*0ae430aaSDon Lewis- .handshakeAsClient = PR_FALSE,
2570*0ae430aaSDon Lewis- .handshakeAsServer = PR_FALSE,
2571*0ae430aaSDon Lewis- .noCache = PR_FALSE,
2572*0ae430aaSDon Lewis- .fdx = PR_FALSE,
2573*0ae430aaSDon Lewis-
.detectRollBack = PR_TRUE,
2574*0ae430aaSDon Lewis- .noLocks = PR_FALSE,
2575*0ae430aaSDon Lewis- .enableSessionTickets = PR_FALSE,
2576*0ae430aaSDon Lewis- .enableDeflate = PR_FALSE,
2577*0ae430aaSDon Lewis- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
2578*0ae430aaSDon Lewis- .requireSafeNegotiation = PR_FALSE,
2579*0ae430aaSDon Lewis- .enableFalseStart = PR_FALSE,
2580*0ae430aaSDon Lewis- .cbcRandomIV = PR_TRUE,
2581*0ae430aaSDon Lewis- .enableOCSPStapling = PR_FALSE,
2582*0ae430aaSDon Lewis- .enableALPN = PR_TRUE,
2583*0ae430aaSDon Lewis- .reuseServerECDHEKey = PR_TRUE,
2584*0ae430aaSDon Lewis- .enableFallbackSCSV = PR_FALSE,
2585*0ae430aaSDon Lewis- .enableServerDhe = PR_TRUE,
2586*0ae430aaSDon Lewis- .enableExtendedMS = PR_FALSE,
2587*0ae430aaSDon Lewis- .enableSignedCertTimestamps = PR_FALSE,
2588*0ae430aaSDon Lewis- .requireDHENamedGroups = PR_FALSE,
2589*0ae430aaSDon Lewis- .enable0RttData = PR_FALSE,
2590*0ae430aaSDon Lewis- .enableTls13CompatMode = PR_FALSE,
2591*0ae430aaSDon Lewis- .enableDtlsShortHeader = PR_FALSE,
2592*0ae430aaSDon Lewis- .enableHelloDowngradeCheck = PR_FALSE,
2593*0ae430aaSDon Lewis- .enableV2CompatibleHello = PR_FALSE
2594*0ae430aaSDon Lewis+ /* .nextProtoNego = */ { siBuffer, NULL, 0 },
2595*0ae430aaSDon Lewis+ /* .recordSizeLimit = */ MAX_FRAGMENT_LENGTH + 1,
2596*0ae430aaSDon Lewis+ /* .maxEarlyDataSize = */ 1 << 16,
2597*0ae430aaSDon Lewis+ /* .useSecurity = */ PR_TRUE,
2598*0ae430aaSDon Lewis+ /* .useSocks = */ PR_FALSE,
2599*0ae430aaSDon Lewis+ /* .requestCertificate = */ PR_FALSE,
2600*0ae430aaSDon Lewis+ /* .requireCertificate = */ SSL_REQUIRE_FIRST_HANDSHAKE,
2601*0ae430aaSDon Lewis+ /* .handshakeAsClient = */ PR_FALSE,
2602*0ae430aaSDon Lewis+ /* .handshakeAsServer = */ PR_FALSE,
2603*0ae430aaSDon Lewis+ /* .noCache = */ PR_FALSE,
2604*0ae430aaSDon Lewis+ /* .fdx = */ PR_FALSE,
2605*0ae430aaSDon Lewis+ /* .detectRollBack = */ PR_TRUE,
2606*0ae430aaSDon Lewis+ /* .noLocks = */ PR_FALSE,
2607*0ae430aaSDon Lewis+ /*
.enableSessionTickets = */ PR_FALSE,
2608*0ae430aaSDon Lewis+ /* .enableDeflate = */ PR_FALSE,
2609*0ae430aaSDon Lewis+ /* .enableRenegotiation = */ SSL_RENEGOTIATE_REQUIRES_XTN,
2610*0ae430aaSDon Lewis+ /* .requireSafeNegotiation = */ PR_FALSE,
2611*0ae430aaSDon Lewis+ /* .enableFalseStart = */ PR_FALSE,
2612*0ae430aaSDon Lewis+ /* .cbcRandomIV = */ PR_TRUE,
2613*0ae430aaSDon Lewis+ /* .enableOCSPStapling = */ PR_FALSE,
2614*0ae430aaSDon Lewis+ /* .enableALPN = */ PR_TRUE,
2615*0ae430aaSDon Lewis+ /* .reuseServerECDHEKey = */ PR_TRUE,
2616*0ae430aaSDon Lewis+ /* .enableFallbackSCSV = */ PR_FALSE,
2617*0ae430aaSDon Lewis+ /* .enableServerDhe = */ PR_TRUE,
2618*0ae430aaSDon Lewis+ /* .enableExtendedMS = */ PR_FALSE,
2619*0ae430aaSDon Lewis+ /* .enableSignedCertTimestamps = */ PR_FALSE,
2620*0ae430aaSDon Lewis+ /* .requireDHENamedGroups = */ PR_FALSE,
2621*0ae430aaSDon Lewis+ /* .enable0RttData = */ PR_FALSE,
2622*0ae430aaSDon Lewis+ /* .enableTls13CompatMode = */ PR_FALSE,
2623*0ae430aaSDon Lewis+ /* .enableDtlsShortHeader = */ PR_FALSE,
2624*0ae430aaSDon Lewis+ /* .enableHelloDowngradeCheck = */ PR_FALSE,
2625*0ae430aaSDon Lewis+ /* .enableV2CompatibleHello = */ PR_FALSE
2626*0ae430aaSDon Lewis };
2627*0ae430aaSDon Lewis
2628*0ae430aaSDon Lewis /*
2629*0ae430aaSDon Lewis@@ -2032,6 +2032,7 @@
2630*0ae430aaSDon Lewis unsigned int length)
2631*0ae430aaSDon Lewis {
2632*0ae430aaSDon Lewis sslSocket *ss;
2633*0ae430aaSDon Lewis+ size_t firstLen;
2634*0ae430aaSDon Lewis
2635*0ae430aaSDon Lewis ss = ssl_FindSocket(fd);
2636*0ae430aaSDon Lewis if (!ss) {
2637*0ae430aaSDon Lewis@@ -2050,7 +2051,7 @@
2638*0ae430aaSDon Lewis ssl_GetSSL3HandshakeLock(ss);
2639*0ae430aaSDon Lewis SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
2640*0ae430aaSDon Lewis SECITEM_AllocItem(NULL, &ss->opt.nextProtoNego, length);
2641*0ae430aaSDon Lewis- size_t firstLen = data[0] + 1;
2642*0ae430aaSDon Lewis+ firstLen = data[0] + 1;
2643*0ae430aaSDon Lewis /* firstLen <= length is ensured by
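Review bot: Replacing the designated initializers of `ssl_defaults` with positional ones (@@ -53,38 +53,38 @@) ties every default to the member order of `sslOptions`, which this hunk cannot show; the new list also places `recordSizeLimit` ahead of `maxEarlyDataSize`, the reverse of the old designated list, so if the struct declares them the other way round the two values are silently swapped, and any later insertion into the struct shifts every following default — including `useSecurity`, `requireCertificate`, `enableRenegotiation` and `requireSafeNegotiation` — onto the wrong member with no compiler diagnostic. Since positional initialization is presumably forced by the target compiler, add a guard that fails loudly: a debug check where the defaults are first copied into a socket, e.g. `PORT_Assert(ssl_defaults.recordSizeLimit == MAX_FRAGMENT_LENGTH + 1);` and `PORT_Assert(ssl_defaults.maxEarlyDataSize == (1 << 16));`, plus a comment on the initializer, `/* Positional: must track the member order of the sslOptions struct. */`. The two non-boolean leading values are distinct, so the asserts catch both a swap and a shift of the members that follow them.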
ssl3_ValidateAppProtocol. */
2644*0ae430aaSDon Lewis PORT_Memcpy(ss->opt.nextProtoNego.data + (length - firstLen), data, firstLen);
2645*0ae430aaSDon Lewis PORT_Memcpy(ss->opt.nextProtoNego.data, data + firstLen, length - firstLen);
2646*0ae430aaSDon Lewis@@ -4079,6 +4080,7 @@
2647*0ae430aaSDon Lewis unsigned int len)
2648*0ae430aaSDon Lewis {
2649*0ae430aaSDon Lewis sslSocket *ss = ssl_FindSocket(fd);
2650*0ae430aaSDon Lewis+ SECStatus rv;
2651*0ae430aaSDon Lewis
2652*0ae430aaSDon Lewis if (!ss) {
2653*0ae430aaSDon Lewis SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionToken",
2654*0ae430aaSDon Lewis@@ -4109,7 +4111,7 @@
2655*0ae430aaSDon Lewis }
2656*0ae430aaSDon Lewis
2657*0ae430aaSDon Lewis /* Populate NewSessionTicket values */
2658*0ae430aaSDon Lewis- SECStatus rv = ssl_DecodeResumptionToken(ss->sec.ci.sid, token, len);
2659*0ae430aaSDon Lewis+ rv = ssl_DecodeResumptionToken(ss->sec.ci.sid, token, len);
2660*0ae430aaSDon Lewis if (rv != SECSuccess) {
2661*0ae430aaSDon Lewis // If decoding fails, we assume the token is bad.
2662*0ae430aaSDon Lewis PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR);
2663*0ae430aaSDon Lewis@@ -4163,13 +4165,14 @@
2664*0ae430aaSDon Lewis SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen,
2665*0ae430aaSDon Lewis SSLResumptionTokenInfo *tokenOut, PRUintn len)
2666*0ae430aaSDon Lewis {
2667*0ae430aaSDon Lewis+ sslSessionID sid = { 0 };
2668*0ae430aaSDon Lewis+ SSLResumptionTokenInfo token;
2669*0ae430aaSDon Lewis+
2670*0ae430aaSDon Lewis if (!tokenData || !tokenOut || !tokenLen ||
2671*0ae430aaSDon Lewis len > sizeof(SSLResumptionTokenInfo)) {
2672*0ae430aaSDon Lewis PORT_SetError(SEC_ERROR_INVALID_ARGS);
2673*0ae430aaSDon Lewis return SECFailure;
2674*0ae430aaSDon Lewis }
2675*0ae430aaSDon Lewis- sslSessionID sid = { 0 };
2676*0ae430aaSDon Lewis- SSLResumptionTokenInfo token;
2677*0ae430aaSDon Lewis
2678*0ae430aaSDon Lewis /* Populate sid values */
2679*0ae430aaSDon Lewis if (ssl_DecodeResumptionToken(&sid, tokenData, tokenLen) != SECSuccess) {
2680*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/tls13exthandle.c misc/build/nss-3.39/nss/lib/ssl/tls13exthandle.c
2681*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/tls13exthandle.c 2018-08-31 05:55:53.000000000 -0700
2682*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/tls13exthandle.c 2018-10-22 03:41:59.569200000 -0700
2683*0ae430aaSDon Lewis@@ -773,6 +773,7 @@
2684*0ae430aaSDon Lewis sslBuffer *buf, PRBool *added)
2685*0ae430aaSDon Lewis {
2686*0ae430aaSDon Lewis SECStatus rv;
2687*0ae430aaSDon Lewis+ PRUint16 ver;
2688*0ae430aaSDon Lewis
2689*0ae430aaSDon Lewis if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
2690*0ae430aaSDon Lewis return SECSuccess;
2691*0ae430aaSDon Lewis@@ -781,7 +782,7 @@
2692*0ae430aaSDon Lewis SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension",
2693*0ae430aaSDon Lewis SSL_GETPID(), ss->fd));
2694*0ae430aaSDon Lewis
2695*0ae430aaSDon Lewis- PRUint16 ver = tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
2696*0ae430aaSDon Lewis+ ver = tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
2697*0ae430aaSDon Lewis ss->protocolVariant);
2698*0ae430aaSDon Lewis rv = sslBuffer_AppendNumber(buf, ver, 2);
2699*0ae430aaSDon Lewis if (rv != SECSuccess) {
2700*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/ssl/tls13hashstate.c misc/build/nss-3.39/nss/lib/ssl/tls13hashstate.c
2701*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/ssl/tls13hashstate.c 2018-08-31 05:55:53.000000000 -0700
2702*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/ssl/tls13hashstate.c 2018-10-22 04:03:39.133885000 -0700
2703*0ae430aaSDon Lewis@@ -95,6 +95,9 @@
2704*0ae430aaSDon Lewis PRUint64 group;
2705*0ae430aaSDon Lewis const sslNamedGroupDef *selectedGroup;
2706*0ae430aaSDon Lewis PRUint64 appTokenLen;
2707*0ae430aaSDon Lewis+ sslReader reader = SSL_READER(plaintext, plaintextLen);
2708*0ae430aaSDon Lewis+ sslReadBuffer appTokenReader = { 0 };
2709*0ae430aaSDon Lewis+ unsigned int hashLen;
2710*0ae430aaSDon Lewis
2711*0ae430aaSDon Lewis rv = ssl_SelfEncryptUnprotect(ss, cookie, cookieLen,
2712*0ae430aaSDon Lewis plaintext, &plaintextLen, sizeof(plaintext));
2713*0ae430aaSDon Lewis@@ -102,7 +105,10 @@
2714*0ae430aaSDon Lewis return SECFailure;
2715*0ae430aaSDon Lewis }
2716*0ae430aaSDon Lewis
2717*0ae430aaSDon Lewis- sslReader reader = SSL_READER(plaintext, plaintextLen);
2718*0ae430aaSDon Lewis+ // reader = SSL_READER(plaintext, plaintextLen);
2719*0ae430aaSDon Lewis+ reader.buf.buf = plaintext;
2720*0ae430aaSDon Lewis+ reader.buf.len = plaintextLen;
2721*0ae430aaSDon Lewis+ reader.offset = 0;
2722*0ae430aaSDon Lewis
2723*0ae430aaSDon Lewis /* Should start with 0xff.
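Review bot: The new declaration `sslReader reader = SSL_READER(plaintext, plaintextLen);` in @@ -95,6 +95,9 @@ reads `plaintextLen` before `ssl_SelfEncryptUnprotect` has filled it in, and the value is then overwritten by the three field assignments in @@ -102,7 +105,10 @@, so the initializer is at best redundant and, if `plaintextLen` carries no initializer at its declaration (outside this hunk), it copies an indeterminate value. Initialize with a known length and later set only what changes: `sslReader reader = SSL_READER(plaintext, 0);` at the declaration, and a single `reader.buf.len = plaintextLen;` in place of the three assignments and the commented-out `// reader = SSL_READER(plaintext, plaintextLen);`, which should not stay in the file. `appTokenReader` and `hashLen` move the same way and look fine. The enclosing function begins before the hunk.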
*/
2724*0ae430aaSDon Lewis rv = sslRead_ReadNumber(&reader, 1, &sentinel);
2725*0ae430aaSDon Lewis@@ -138,7 +144,6 @@
2726*0ae430aaSDon Lewis return SECFailure;
2727*0ae430aaSDon Lewis }
2728*0ae430aaSDon Lewis ss->xtnData.applicationToken.len = appTokenLen;
2729*0ae430aaSDon Lewis- sslReadBuffer appTokenReader = { 0 };
2730*0ae430aaSDon Lewis rv = sslRead_Read(&reader, appTokenLen, &appTokenReader);
2731*0ae430aaSDon Lewis if (rv != SECSuccess) {
2732*0ae430aaSDon Lewis FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter);
2733*0ae430aaSDon Lewis@@ -148,7 +153,7 @@
2734*0ae430aaSDon Lewis PORT_Memcpy(ss->xtnData.applicationToken.data, appTokenReader.buf, appTokenLen);
2735*0ae430aaSDon Lewis
2736*0ae430aaSDon Lewis /* The remainder is the hash. */
2737*0ae430aaSDon Lewis- unsigned int hashLen = SSL_READER_REMAINING(&reader);
2738*0ae430aaSDon Lewis+ hashLen = SSL_READER_REMAINING(&reader);
2739*0ae430aaSDon Lewis if (hashLen != tls13_GetHashSize(ss)) {
2740*0ae430aaSDon Lewis FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, illegal_parameter);
2741*0ae430aaSDon Lewis return SECFailure;
2742*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/quickder.c misc/build/nss-3.39/nss/lib/util/quickder.c
2743*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/util/quickder.c 2018-08-31 05:55:53.000000000 -0700
2744*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/quickder.c 2018-09-10 17:24:47.548844000 -0700
2745*0ae430aaSDon Lewis@@ -408,11 +408,12 @@
2746*0ae430aaSDon Lewis {
2747*0ae430aaSDon Lewis const SEC_ASN1Template* ptrTemplate =
2748*0ae430aaSDon Lewis SEC_ASN1GetSubtemplate(templateEntry, dest, PR_FALSE);
2749*0ae430aaSDon Lewis+ void* subdata;
2750*0ae430aaSDon Lewis if (!ptrTemplate) {
2751*0ae430aaSDon Lewis PORT_SetError(SEC_ERROR_INVALID_ARGS);
2752*0ae430aaSDon Lewis return SECFailure;
2753*0ae430aaSDon Lewis }
2754*0ae430aaSDon Lewis- void* subdata = PORT_ArenaZAlloc(arena, ptrTemplate->size);
2755*0ae430aaSDon Lewis+ subdata =
PORT_ArenaZAlloc(arena, ptrTemplate->size);
2756*0ae430aaSDon Lewis *(void**)((char*)dest + templateEntry->offset) = subdata;
2757*0ae430aaSDon Lewis if (subdata) {
2758*0ae430aaSDon Lewis return DecodeItem(subdata, ptrTemplate, src, arena, checkTag);
2759*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/secport.c misc/build/nss-3.39/nss/lib/util/secport.c
2760*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/util/secport.c 2018-08-31 05:55:53.000000000 -0700
2761*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/secport.c 2018-10-21 01:46:42.919736000 -0700
2762*0ae430aaSDon Lewis@@ -21,7 +21,23 @@
2763*0ae430aaSDon Lewis #include "prenv.h"
2764*0ae430aaSDon Lewis #include "prinit.h"
2765*0ae430aaSDon Lewis
2766*0ae430aaSDon Lewis-#include <stdint.h>
2767*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
2768*0ae430aaSDon Lewis+ #ifdef _WIN64
2769*0ae430aaSDon Lewis+typedef unsigned __int64 uintptr_t;
2770*0ae430aaSDon Lewis+ #else
2771*0ae430aaSDon Lewis+typedef unsigned int uintptr_t;
2772*0ae430aaSDon Lewis+ #endif
2773*0ae430aaSDon Lewis+typedef unsigned char uint8_t;
2774*0ae430aaSDon Lewis+typedef unsigned short uint16_t;
2775*0ae430aaSDon Lewis+typedef unsigned int uint32_t;
2776*0ae430aaSDon Lewis+typedef unsigned __int64 uint64_t;
2777*0ae430aaSDon Lewis+#define UINT8_MAX 0xff
2778*0ae430aaSDon Lewis+#define UINT16_MAX 0xffff
2779*0ae430aaSDon Lewis+#define UINT32_MAX 0xffffffffu
2780*0ae430aaSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
2781*0ae430aaSDon Lewis+#else
2782*0ae430aaSDon Lewis+ #include <stdint.h>
2783*0ae430aaSDon Lewis+#endif
2784*0ae430aaSDon Lewis
2785*0ae430aaSDon Lewis #ifdef DEBUG
2786*0ae430aaSDon Lewis #define THREADMARK
2787*0ae430aaSDon Lewis@@ -150,13 +166,14 @@
2788*0ae430aaSDon Lewis void *
2789*0ae430aaSDon Lewis PORT_ZAllocAlignedOffset(size_t size, size_t alignment, size_t offset)
2790*0ae430aaSDon Lewis {
2791*0ae430aaSDon Lewis+ void *mem = NULL;
2792*0ae430aaSDon Lewis+ void *v;
2793*0ae430aaSDon Lewis
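Review bot: The `_MSC_VER < 1600` fallback block added to secport.c in @@ -21,7 +21,23 @@ duplicates the one added to secport.h in @@ -45,7 +45,30 @@ with a smaller set of definitions; if secport.c includes secport.h, which this hunk does not show, every `typedef` here becomes a redefinition, and identical typedef redefinitions are only guaranteed to be accepted from C11 onward, so whether the old compiler tolerates it is toolchain-dependent. Keeping a single copy in the header and dropping this block also removes the drift between the two lists. If the block must stay, name its twin so the two are maintained together, e.g. `/* Keep in sync with the pre-C99 fallback in secport.h. */`.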
PORT_Assert(offset < size);
2794*0ae430aaSDon Lewis if (offset > size) {
2795*0ae430aaSDon Lewis return NULL;
2796*0ae430aaSDon Lewis }
2797*0ae430aaSDon Lewis
2798*0ae430aaSDon Lewis- void *mem = NULL;
2799*0ae430aaSDon Lewis- void *v = PORT_ZAllocAligned(size, alignment, &mem);
2800*0ae430aaSDon Lewis+ v = PORT_ZAllocAligned(size, alignment, &mem);
2801*0ae430aaSDon Lewis if (!v) {
2802*0ae430aaSDon Lewis return NULL;
2803*0ae430aaSDon Lewis }
2804*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/secport.h misc/build/nss-3.39/nss/lib/util/secport.h
2805*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/util/secport.h 2018-08-31 05:55:53.000000000 -0700
2806*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/secport.h 2018-10-21 20:43:01.473838000 -0700
2807*0ae430aaSDon Lewis@@ -45,7 +45,30 @@
2808*0ae430aaSDon Lewis #include <string.h>
2809*0ae430aaSDon Lewis #include <stddef.h>
2810*0ae430aaSDon Lewis #include <stdlib.h>
2811*0ae430aaSDon Lewis-#include <stdint.h>
2812*0ae430aaSDon Lewis+#if defined(_MSC_VER) && _MSC_VER < 1600
2813*0ae430aaSDon Lewis+ #ifdef _WIN64
2814*0ae430aaSDon Lewis+typedef unsigned __int64 uintptr_t;
2815*0ae430aaSDon Lewis+ #else
2816*0ae430aaSDon Lewis+typedef unsigned int uintptr_t;
2817*0ae430aaSDon Lewis+ #endif
2818*0ae430aaSDon Lewis+typedef unsigned char uint8_t;
2819*0ae430aaSDon Lewis+typedef unsigned short uint16_t;
2820*0ae430aaSDon Lewis+typedef unsigned int uint32_t;
2821*0ae430aaSDon Lewis+typedef unsigned __int64 uint64_t;
2822*0ae430aaSDon Lewis+typedef char int8_t;
2823*0ae430aaSDon Lewis+typedef short int16_t;
2824*0ae430aaSDon Lewis+typedef int int32_t;
2825*0ae430aaSDon Lewis+typedef __int64 int64_t;
2826*0ae430aaSDon Lewis+#define UINT8_MAX 0xff
2827*0ae430aaSDon Lewis+#define UINT16_MAX 0xffff
2828*0ae430aaSDon Lewis+#define UINT32_MAX 0xffffffffu
2829*0ae430aaSDon Lewis+#define UINT64_MAX 0xffffffffffffffffU
2830*0ae430aaSDon Lewis+#define UINT64_C(x) ((x) + (UINT64_MAX - UINT64_MAX))
2831*0ae430aaSDon
Lewis+#define INT32_MIN (-0x7fffffff - 1)
2832*0ae430aaSDon Lewis+#define INT32_MAX 0x7fffffff
2833*0ae430aaSDon Lewis+#else
2834*0ae430aaSDon Lewis+ #include <stdint.h>
2835*0ae430aaSDon Lewis+#endif
2836*0ae430aaSDon Lewis #include "prtypes.h"
2837*0ae430aaSDon Lewis #include "prlog.h" /* for PR_ASSERT */
2838*0ae430aaSDon Lewis #include "plarena.h"
2839*0ae430aaSDon Lewisdiff -ur misc/nss-3.39/nss/lib/util/utilmod.c misc/build/nss-3.39/nss/lib/util/utilmod.c
2840*0ae430aaSDon Lewis--- misc/nss-3.39/nss/lib/util/utilmod.c 2018-08-31 05:55:53.000000000 -0700
2841*0ae430aaSDon Lewis+++ misc/build/nss-3.39/nss/lib/util/utilmod.c 2018-09-11 01:58:56.505884000 -0700
2842*0ae430aaSDon Lewis@@ -75,12 +75,13 @@
2843*0ae430aaSDon Lewis os_open(const char *filename, int oflag, int pmode)
2844*0ae430aaSDon Lewis {
2845*0ae430aaSDon Lewis int fd;
2846*0ae430aaSDon Lewis+ wchar_t *filenameWide;
2847*0ae430aaSDon Lewis
2848*0ae430aaSDon Lewis if (!filename) {
2849*0ae430aaSDon Lewis return -1;
2850*0ae430aaSDon Lewis }
2851*0ae430aaSDon Lewis
2852*0ae430aaSDon Lewis- wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
2853*0ae430aaSDon Lewis+ filenameWide = _NSSUTIL_UTF8ToWide(filename);
2854*0ae430aaSDon Lewis if (!filenameWide) {
2855*0ae430aaSDon Lewis return -1;
2856*0ae430aaSDon Lewis }
2857*0ae430aaSDon Lewis@@ -94,12 +95,13 @@
2858*0ae430aaSDon Lewis os_stat(const char *path, os_stat_type *buffer)
2859*0ae430aaSDon Lewis {
2860*0ae430aaSDon Lewis int result;
2861*0ae430aaSDon Lewis+ wchar_t *pathWide;
2862*0ae430aaSDon Lewis
2863*0ae430aaSDon Lewis if (!path) {
2864*0ae430aaSDon Lewis return -1;
2865*0ae430aaSDon Lewis }
2866*0ae430aaSDon Lewis
2867*0ae430aaSDon Lewis- wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
2868*0ae430aaSDon Lewis+ pathWide = _NSSUTIL_UTF8ToWide(path);
2869*0ae430aaSDon Lewis if (!pathWide) {
2870*0ae430aaSDon Lewis return -1;
2871*0ae430aaSDon Lewis }
2872*0ae430aaSDon Lewis@@ -113,16 +115,18 @@
2873*0ae430aaSDon Lewis os_fopen(const char
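Review bot: `typedef char int8_t;` in the `_MSC_VER < 1600` fallback of @@ -45,7 +45,30 @@ is wrong whenever the compiler treats plain `char` as unsigned (MSVC does so under `/J`), which silently turns a type callers rely on for signed 8-bit arithmetic into an unsigned one; the portable spelling is `typedef signed char int8_t;`. The limit set is also partial: `INT32_MIN`/`INT32_MAX` are provided while `INT8_*`, `INT16_*` and `INT64_*` are not, so code that reaches for them will fail only on that toolchain; either add them next to the existing ones or state the scope with `/* Only the <stdint.h> names used by this library are provided here. */`.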
*filename, const char *mode)
2874*0ae430aaSDon Lewis {
2875*0ae430aaSDon Lewis FILE *fp;
2876*0ae430aaSDon Lewis+ wchar_t *filenameWide;
2877*0ae430aaSDon Lewis+ wchar_t *modeWide;
2878*0ae430aaSDon Lewis
2879*0ae430aaSDon Lewis if (!filename || !mode) {
2880*0ae430aaSDon Lewis return NULL;
2881*0ae430aaSDon Lewis }
2882*0ae430aaSDon Lewis
2883*0ae430aaSDon Lewis- wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
2884*0ae430aaSDon Lewis+ filenameWide = _NSSUTIL_UTF8ToWide(filename);
2885*0ae430aaSDon Lewis if (!filenameWide) {
2886*0ae430aaSDon Lewis return NULL;
2887*0ae430aaSDon Lewis }
2888*0ae430aaSDon Lewis- wchar_t *modeWide = _NSSUTIL_UTF8ToWide(mode);
2889*0ae430aaSDon Lewis+ modeWide = _NSSUTIL_UTF8ToWide(mode);
2890*0ae430aaSDon Lewis if (!modeWide) {
2891*0ae430aaSDon Lewis PORT_Free(filenameWide);
2892*0ae430aaSDon Lewis return NULL;
2893*0ae430aaSDon Lewis@@ -138,12 +142,13 @@
2894*0ae430aaSDon Lewis _NSSUTIL_Access(const char *path, PRAccessHow how)
2895*0ae430aaSDon Lewis {
2896*0ae430aaSDon Lewis int result;
2897*0ae430aaSDon Lewis+ int mode;
2898*0ae430aaSDon Lewis+ wchar_t *pathWide;
2899*0ae430aaSDon Lewis
2900*0ae430aaSDon Lewis if (!path) {
2901*0ae430aaSDon Lewis return PR_FAILURE;
2902*0ae430aaSDon Lewis }
2903*0ae430aaSDon Lewis
2904*0ae430aaSDon Lewis- int mode;
2905*0ae430aaSDon Lewis switch (how) {
2906*0ae430aaSDon Lewis case PR_ACCESS_WRITE_OK:
2907*0ae430aaSDon Lewis mode = 2;
2908*0ae430aaSDon Lewis@@ -158,7 +163,7 @@
2909*0ae430aaSDon Lewis return PR_FAILURE;
2910*0ae430aaSDon Lewis }
2911*0ae430aaSDon Lewis
2912*0ae430aaSDon Lewis- wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
2913*0ae430aaSDon Lewis+ pathWide = _NSSUTIL_UTF8ToWide(path);
2914*0ae430aaSDon Lewis if (!pathWide) {
2915*0ae430aaSDon Lewis return PR_FAILURE;
2916*0ae430aaSDon Lewis }
2917*0ae430aaSDon Lewis@@ -172,12 +177,13 @@
2918*0ae430aaSDon Lewis nssutil_Delete(const char *name)
2919*0ae430aaSDon Lewis {
2920*0ae430aaSDon Lewis BOOL result;
2921*0ae430aaSDon
Lewis+ wchar_t *nameWide;
2922*0ae430aaSDon Lewis
2923*0ae430aaSDon Lewis if (!name) {
2924*0ae430aaSDon Lewis return PR_FAILURE;
2925*0ae430aaSDon Lewis }
2926*0ae430aaSDon Lewis
2927*0ae430aaSDon Lewis- wchar_t *nameWide = _NSSUTIL_UTF8ToWide(name);
2928*0ae430aaSDon Lewis+ nameWide = _NSSUTIL_UTF8ToWide(name);
2929*0ae430aaSDon Lewis if (!nameWide) {
2930*0ae430aaSDon Lewis return PR_FAILURE;
2931*0ae430aaSDon Lewis }
2932*0ae430aaSDon Lewis@@ -191,16 +197,18 @@
2933*0ae430aaSDon Lewis nssutil_Rename(const char *from, const char *to)
2934*0ae430aaSDon Lewis {
2935*0ae430aaSDon Lewis BOOL result;
2936*0ae430aaSDon Lewis+ wchar_t *fromWide;
2937*0ae430aaSDon Lewis+ wchar_t *toWide;
2938*0ae430aaSDon Lewis
2939*0ae430aaSDon Lewis if (!from || !to) {
2940*0ae430aaSDon Lewis return PR_FAILURE;
2941*0ae430aaSDon Lewis }
2942*0ae430aaSDon Lewis
2943*0ae430aaSDon Lewis- wchar_t *fromWide = _NSSUTIL_UTF8ToWide(from);
2944*0ae430aaSDon Lewis+ fromWide = _NSSUTIL_UTF8ToWide(from);
2945*0ae430aaSDon Lewis if (!fromWide) {
2946*0ae430aaSDon Lewis return PR_FAILURE;
2947*0ae430aaSDon Lewis }
2948*0ae430aaSDon Lewis- wchar_t *toWide = _NSSUTIL_UTF8ToWide(to);
2949*0ae430aaSDon Lewis+ toWide = _NSSUTIL_UTF8ToWide(to);
2950*0ae430aaSDon Lewis if (!toWide) {
2951*0ae430aaSDon Lewis PORT_Free(fromWide);
2952*0ae430aaSDon Lewis return PR_FAILURE;
2953